BlackEnergy, a converted crimeware tool, operates behind a laundry list of plug-ins for Linux and Windows systems that allows it to be used to attack Cisco networking devices, steal digital certificates, brick systems it infects, and skillfully hide from security analysts.
Researchers from Kaspersky Lab’s Global Research & Analysis Team today published a lengthy report—including indicators of compromise—that throws back the covers on a crimeware tool whose legacy was distributed denial of service attacks.
BlackEnergy has been implicated in a number of APT-style targeted attacks against a number of critical industries, including government and manufacturing. Last week, the Industrial Control System Cyber Emergency Response Team (ICS-CERT) published an advisory warning of critical vulnerabilities in ICS and SCADA gear actively exploited by the malware, most notably by the Sandworm APT outfit.
One anonymous organization profiled by Kaspersky researchers Maria Garnaeva and Kurt Baumgartner was spear-phished by the attackers with an exploit for an unpatched WinRAR vulnerability and plug-ins for credential theft, propagation within the network, screenshot stealing, and more were found on infected computers. And once the attackers believed their actions had been revealed, Garnaeva and Baumgartner wrote, a plug-in called “dstr” was pushed that rendered the computers unbootable.
Three weeks ago, a report from iSIGHT Partners linked BlackEnergy to a Russian espionage campaign using the malware to exploit a Windows zero-day vulnerability in order to steal from government agencies, defense and energy firms, NATO, and telecommunications providers.
The discovery of the plug-ins reveals an wide array of capabilities at the attackers’ disposal. One of the most surprising, the researchers wrote, was a plug-in called weap_hwi, a DDoS tool tailor made for ARM/MIPS systems. Further research into a set of Linux plug-ins revealed an orderly development process with regular updates to malware configuration files written by a small team of plug-in developers versed in a number of platforms.
The list of Windows plug-ins is more diverse than for Linux, that in addition to expected plug-ins designed to search for certain file types, steal passwords and certificates, and the dstr command that overwrites and destroys the hard drive with random data, researchers also discovered a backup channel that operates over Google Plus accounts.
The researchers discovered an ID in a configuration file for two Google Plus accounts, one that has been viewed 75 million times.
“This number is an ID for the plus.google.com service and is used by the ‘grc’ plugin to parse html. It then downloads and decrypts a PNG file” the report said. “The decrypted PNG is supposed to contain a new CNC address, but we never observed one.”
A second anonymous victim, the researchers wrote, was hacked via the first victim’s VPN credentials and more destruction was revealed. This time, a number of Cisco routers, each running a different version of Cisco’s IOS operating system, were compromised and the organization said it could not telnet into them any longer. The researchers found a malicious script in the router’s file system with a vulgar message directed at Kaspersky analysts.
Two other victims were also found, one compromised by a similar spear phishing attack as the first victim, though no network devices were hacked, and no data destroyed. The fourth victim was exploited by BlackEnergy via a vulnerability in Siemens SCADA gear between March and July.
Most of the victims are energy firms in Eastern Europe, former Russian states, Asia and the Middle East. In addition to power generation sites, power facilities construction firms, power generation operators and power materials suppliers, Kaspersky researchers said government agencies, government land holding agencies, federal emergency services, banks and high-tech transportation operations were also infected.
The report also points out that plug-ins gathering information on connected USB devices and BIOS, motherboard and processor information were also discovered, but their purpose was unclear to the researchers.
“Why would the attackers need information on usb and bios characteristics? It suggests that based on a specific USB and BIOS devices, the attackers may upload specific plugins to carry out additional actions,” the researchers said. “Perhaps destructive, perhaps to further infect devices. We don’t know yet.”