Ukrainian Blackout Malware Spreads Through Dark Web Forums

• The malware now adds attackers’ SSH keys to a list of authorized key files on victim machines.
• We’re now seeing a ‘trickle-down’ effect, where SSH capabilities are becoming commoditized.

Cyber experts at Venafi have found sophisticated backdoor malware techniques, that were used to cripple Ukrainian power stations in 2015, being deployed more widely by the black hat community.

The malware behavior

The malware specifically targets SSH keys designed to secure remote commands for communications between machines.

• A single compromised SSH key could allow attackers to reach mission critical systems to spread malware or sabotage processes while staying undetected.
• As a recent upgrade, malware can now add attackers’ SSH keys to a list of authorized key files on victim machines (added as a trusted key).
• The other technique malware uses is brute-forcing weak SSH authentication to gain access and move laterally across system networks.

Such techniques have been tested and verified over the past year by TrickBot, cryptomining campaign CryptoSink, Linux Worm, and Skidmap, security experts noted. However, the backdoor SSH server used by the BlackEnergy gang, that attack caused mass power outages in parts of Ukraine, had far beyond capabilities.

Commoditization of SSH Keys

SSH keys are one of the most critical components in today’s remote user authentication system, hence a potent weapon in the wrong hands.

Yana Blachman, threat intelligence specialist at Venafi told that “Until recently, only the most sophisticated, well-financed hacking groups had this kind of capability. Now, we’re seeing a ‘trickle-down’ effect, where SSH capabilities are becoming commoditized.”

She further added that, with commoditization of SSH keys, attackers will attempt to monetize for the backdoor they accessed by selling it through dedicated channels to more sophisticated and sponsored attackers including nation state threats.

In a similar case, the TrickBot gang were seen selling “bot-as-a-service” to North Korean hackers.

Final thoughts

Organizations need to have a clear visibility of how their systems are running and provide protection for all authorized SSH keys in the enterprise to prevent them being hijacked. Their security infrastructure must withstand attempts by attackers to insert their own malicious SSH machine identities into systems by blocking those immediately.