The BlackEnergy malware first appeared in 2007 as a relatively unsophisticated program that generated random bots to support Distributed Denial of Service (DDoS) attacks.
Endpoint security specialist SentinelOne has detected a new variant of the program which was used last month to attack a Ukranian power facility. It also believes that this latest variant may be state-sponsored.
Udi Shamir, co-founder and CSO of SentinelOne says, "Our analysis of a new BlackEnergy 3 sample has led us to conclude that this latest rootkit is in fact the by-product of a nation-sponsored campaign, and likely the work of multiple teams coming together".
Although it has the same core components as earlier versions, BlackEnergy's changing attack methods make it hard for traditional antivirus products to detect.
The latest malware is launched via a new delivery technique using a vulnerability, CVE-2014-4114, in the OLE packager of Microsoft Office. It can be distributed using phishing emails with an attached Excel document that has a macro virus to launch the BlackEnergy 3 program.
Since CVE-2014-4114 has already been patched, SentinelOne believes that attackers are either specifically targeting a victim's machine that is unpatched, or getting an internal employee to either accidentally or deliberately execute the infected Excel documents causing the malware to propagate inside the network.
A full report on the malware is available on the SentinelOne blog.