BlackEnergy Returns to Target 100+ Victims in 2014

Security experts have discovered new versions of the sophisticated BlackEnergy malware in targeted attacks against over 100 organizations this year, more than half of which are in the Ukraine and Poland.

BlackEnergy dates back to 2007, when it was discovered by Arbor Networks as a “relatively simple” DDoS trojan, according to ESET malware researcher Robert Lipovsky.

A few years later it emerged as sophisticated malware with a modular architecture which was used in targeted attacks and online bank fraud, he explained.

Now ESET has spotted new variants, including a 'BlackEnergy Lite' version which features no kernel-mode driver, less plug-in support and a lighter footprint.

“Note that even the ‘regular’ BlackEnergy samples detected this year have evolved in such a way that the kernel mode driver is only used for injecting the payload into user mode processes and no longer contains rootkit functionality for hiding objects in the system,” wrote Lipovsky in a blog post.

“The light versions go a step further by not using a driver at all. Instead, the main DLL is loaded using a more ‘polite’ and ‘official’ technique – by simply loading it via rundll32.exe.”

The absence of a kernel-mode driver is a common theme in malware today because it’s increasingly difficult and expensive to develop this kind of malware, and any bugs could give the game away by blue screening the machine, he said.
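Because the light variants described above load their main DLL through rundll32.exe rather than a driver, one defensive check is to review process-creation telemetry for rundll32.exe invocations whose DLL argument sits outside the usual system directories. The following is an added illustration, not code from ESET or the article; the trusted-directory list, the regex and the sample command lines are constructed assumptions and contain no real BlackEnergy indicators.

```python
"""Flag rundll32.exe launches whose DLL argument is outside trusted directories.
Added illustration of a detection check for the DLL-via-rundll32 loading
technique described above; all sample events below are constructed."""
import re
from pathlib import PureWindowsPath

# Directories from which rundll32 normally loads DLLs on a Windows host
# (assumption: tune this baseline to your own environment).
TRUSTED_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\program files",
    r"c:\program files (x86)",
)

# Matches "<anything>rundll32.exe <dll>[,entrypoint ...]" with optional quoting.
RUNDLL_RE = re.compile(r'^(?:"?[^"]*rundll32\.exe"?)\s+"?([^",]+)"?', re.IGNORECASE)


def dll_from_cmdline(cmdline: str):
    """Return the DLL path a rundll32 command line loads, or None when the
    command line is not a rundll32 invocation."""
    m = RUNDLL_RE.match(cmdline.strip())
    return m.group(1) if m else None


def is_suspicious(cmdline: str) -> bool:
    """True when rundll32 loads a DLL that is not under a trusted directory.
    A bare DLL name (no directory) resolves through the search path, so only
    explicit trusted-directory paths are treated as benign."""
    dll = dll_from_cmdline(cmdline)
    if dll is None:
        return False
    path = str(PureWindowsPath(dll)).lower()
    return not path.startswith(TRUSTED_DIRS)


def suspicious_events(events):
    """Filter a list of process command lines down to the suspicious ones."""
    return [e for e in events if is_suspicious(e)]


# Constructed sample process-creation command lines (placeholder DLL names).
SAMPLE_EVENTS = [
    r'C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL',
    r'"C:\Windows\System32\rundll32.exe" "C:\Users\alice\AppData\Local\Temp\placeholder.dll",#1',
    r'C:\Windows\System32\notepad.exe C:\Users\alice\notes.txt',
    r'rundll32.exe C:\ProgramData\update\placeholder.dll,Start',
]

if __name__ == "__main__":
    for event in suspicious_events(SAMPLE_EVENTS):
        print("suspicious rundll32 load:", event)
```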

The new BlackEnergy variants spotted by ESET of late were apparently used in targeted attacks for network discovery, remote code execution and lifting data from a victim’s hard drive.

“We have observed over a hundred individual victims of these campaigns during our monitoring of the botnets. Approximately half of these victims are situated in Ukraine and half in Poland, and include a number of state organizations, various businesses, as well as targets which we were unable to identify,” said Lipovsky.

“The spreading campaigns that we have observed have used either technical infection methods through exploitation of software vulnerabilities, social engineering through spear-phishing emails and decoy documents, or a combination of both.”

F-Secure has a more detailed analysis of the latest BlackEnergy campaigns here, attributing the attacks on Ukrainian government bodies to one group: "Quedagh".
