BlackEnergy malware plug-ins run rampant

Kaspersky Lab’s Global Research & Analysis Team last week published an interesting report detailing the crimeware turned cyber espionage tool BlackEnergy.

First identified several years ago, BlackEnergy’s original purpose was the launching of DDoS attacks via its custom plugins. Over time, BlackEnergy2 and BlackEnergy3 evolved and were eventually spotted downloading additional custom plug-ins which were used for spam runs and harvesting online banking information, according to Kaspersky researchers Kurt Baumgartner and Maria Garnaeva. Lately, the malware has been adopted by the Sandworm Team, a group linked to cyber espionage including the targeting of industrial SCADA systems.

The Kaspersky report detailed two unnamed BlackEnergy victims which were attacked during the summer of 2014:

The first was spear phished with an email containing a WinRAR exploit. The hidden executable file then dropped various BlackEnergy plugins.

The second victim was hacked using the previous victim’s stolen VPN credentials, leading to the destruction of some business data and whoever attacked victim number two was not best pleased with Kaspersky either as they left the following message in a tcl script - “Fuck U, kaspeRsky!! U never get a fresh Black En3rgy.”

The ease with which the company’s Cisco routers, all of which were running different IOS versions, were compromised was welcomed by the hackers though with the script writer saying “Thanks C1sco ltd for built-in backd00rs & 0-days.”

A recent blog posting from iSIGHT Partners details a Windows zero-day vulnerability (CVE-2014-4114) which affected all versions of Microsoft Windows and Server 2008 and 2012. That vulnerability, the company said, facilitated a BlackEnergy powered cyber espionage campaign that targeted NATO, Ukrainian government organisations, Western European governments, the energy sector in Poland, European telecoms companies and academic institutions within the US. iSIGHT attributed that campaign to Russia.

And, according to the US Department of Homeland Security, BlackEnergy has been hiding in key US computers since 2011 and is set to wreak havoc with critical infrastructure. ABC News says US national security sources have claimed to be in possession of evidence which also points a sturdy finger of blame in the direction of Russia, suggesting that the Sandworm Team may in fact be state-sponsored.

As a Russian company it is perhaps unsurprising to learn that the Kaspersky’s researchers stopped short of identifying mother Russia as the perpetrator behind the various BlackEnergy attacks though, to be fair, they did discover that one of “the DDoS commands meant for these routers” was 188.128.123.52 which, they say, ”belongs to the Russian Ministry of Defense.” Another IP address identified by Baumgartner and Garnaeva - 212.175.109.10 - belongs to the Turkish Ministry of Interior's government site. These two discoveries, they say, make it unclear as to who is behind the attacks.

Baumgartner and Garnaeva’s research also reveals how the proliferation of plug-ins for BlackEnergy has given the tool a wide range of capabilities. These include a DDoS tool specifically made for ARM/MIPS systems, the ability to wipe drives or render them unbootable and a variety of port-scanning and certificate-stealing plugins, as well as a backup communication channel in the form of Google Plus accounts that could be used to download obfuscated command and control data from an encrypted PNG image file. The researchers said the ‘grc’ plugin used in this instance was designed to contain a new command and control address but they did not observe one being used.

Another curio mentioned in the Kaspersky report was the fact that some plug-ins were designed to gather hardware information on infected systems including motherboard data, processor information and the BIOS version employed. Other plug-ins were gathering information about attached USB devices, leading the researchers to conclude that other as yet unidentified plug-ins may be employed to infect further damage, based upon the information communicated back to the command and control centre.