The Security Service of Ukraine (SBU) reported that a group of hackers controlled by the Russian special services attempted to attack Ukraine with new malware, which is an updated version of the Industroyer backdoor Trojan.
The SBU website says that the malware allows the hackers to remotely administer the operating system processes, copy files, monitor user activity and intercept passwords.
Thanks to the cooperation with a well-known antivirus company, Ukraine was able to identify the targets of the cyber-attack, mitigate the consequences of the virus and minimize cyber threats to government infrastructure.
The ESET company, which informed Ukraine’s law enforcement agencies about this new threat, published more detailed information in its blog.
The company's experts documented an attempt to deploy a new Win32/Exaramel backdoor Trojan, which turned out to be an improved version of the Industroyer backdoor. This is the very malware that caused the blackout in Kyiv in December 2016. The BlackEnergy / TeleBots group (sometimes also called Sandworm) developed this malware. In June 2017, they also launched the wiper Diskcoder.C (better known as Petya / NotPetya), which affected companies around the world. The companies infected by the TeleBots group's backdoor as a result of the compromise of the M.E.Doc accounting software, popular in Ukraine, became the "patient zero" of the malware outbreak.
The significant similarity between the code of the Win32/Exaramel backdoor and that of the main Industroyer backdoor is the first publicly presented evidence linking Industroyer with the TeleBots group and, therefore, with the NotPetya cyber campaign and the earlier BlackEnergy attacks.
In addition, the discovery of Exaramel shows that the TeleBots group remains active in 2018, and the attackers continue to improve their tactics and tools.