BlackEnergy is a trojan that began in 2007 as basic DDoS malware. By 2010 it had evolved into BlackEnergy2, a sophisticated modular trojan capable of targeted attacks. BlackEnergy2 featured:
- A kernel-mode driver component
- Support for plug-ins
- Rootkit capabilities (the same BlackReleaver used in the original)
- Process-injection techniques
- A “dropper” or “Matryoshka doll” structure, meaning a central executable dropper containing a chain of components, in this case:
  - A dropper executable
  - A rootkit decryption system
  - A rootkit
  - A primary .dll file
  - An XML config file specifically designed for the target
Since each package is customized, signature-based detection was not usually possible. BlackEnergy2 also contained a modular privilege-escalation exploit of MS08-025, so it would target unpatched systems.
However, BlackEnergy2’s crown jewel was its rootkit driver. Its installation method was novel, and once it was hooked into the OS it performed three functions very successfully:
- Hiding and obfuscating objects on local drives, the registry, and memory through API hooking
- Creating an intentional “fault” in the rootkit’s hooks so that custom modules could run. The most common modules were used for DDoS, spam, and banking fraud.
- Injection of the primary BlackEnergy2 .dll into svchost.exe in user space.
BlackEnergy2 is still in the wild, but over the last four years most organizations have patched their systems against the exploits it uses. Its methodology follows a pattern that advanced security software now recognizes, and its inability to use proxies to report back to its command-and-control servers has limited its impact in recent years.
Fast-forward to 2014.
We are seeing a new variant called BlackEnergy3 or “BlackEnergy Lite.”
BlackEnergy3 differs from BlackEnergy2 in a few key ways:
- There is no kernel-mode driver.
- The modular plug-in support is more sophisticated and flexible.
- It now contains support for proxy servers.
- It can bypass User Account Control warnings.
- It contains driver-signing features when attacking 64-bit Windows systems.
- It now can run on not only Windows, but also Linux, ARM-based, MIPS-based, and some Cisco networking devices.
The modules that have been seen to date involve commands for:
- Launching DDoS attacks
- Stealing passwords
- Scanning ports
- Taking screenshots
- Establishing persistent command-and-control links
- Logging IP sources and targets
- Gathering device IDs
- Gathering information from USB devices
- Collecting BIOS, motherboard and processor info
- Deploying a “doomsday device” if the authors believe they have been detected—a module called “dstr” that will overwrite all local disk data with random data.
Most reports on BlackEnergy3 say it has been used only against targets in Ukraine and Poland, and that a group named “Quedagh” was in sole possession of the source code. While the second part still appears to be true, as there have been no reports of the code being for sale, targets between June and November 2014 have been identified in at least 20 countries, including Russia, Germany, Vietnam, Libya, Turkey and Belgium.
Without its foundational kernel-mode driver, however, BlackEnergy3’s new owners appear to customize nearly every version of their code to make their method of infection unique from attack to attack.
Most methods have begun with targeted phishing attacks that attempt to exploit a number of vulnerabilities, while another method involves using stolen credentials from one company to gain access to a partner company.
With the heavily dynamic nature of this trojan, a multi-layered defense with visibility extending beyond the network layer is crucial. Signature-based defenses simply will not work against this malware. Instead, we must look to solutions that can identify its behavior on the endpoints it tries to infect at as many phases of the cyber kill chain as possible.
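As an added illustration of the behavior-based, kill-chain-spanning approach argued for above (this is example code, not part of the original article or any vendor product), the following Python script runs four behavioral rules over constructed endpoint telemetry. The rules map to behaviors the article attributes to the BlackEnergy family: DLL injection into svchost.exe, port scanning, regularly timed command-and-control check-ins, and a dstr-style mass overwrite of local files. The event schema, thresholds, host names and IP addresses are all assumptions made for the example; a host is flagged only when behaviors from at least two kill-chain phases are seen, which is what a signature-free, multi-layered detection looks like in practice.

```python
"""Behavioural correlation over constructed endpoint telemetry.

Added example; not code from the original article. The event schema, the
thresholds and the sample events below are assumptions made for illustration.
"""
from collections import defaultdict
from statistics import pstdev
from typing import NamedTuple


class Finding(NamedTuple):
    host: str
    phase: str      # cyber kill chain phase the behaviour maps to
    rule: str
    evidence: str


def detect_injection(events):
    """Code injected into svchost.exe from outside System32 (installation phase)."""
    findings = []
    for e in events:
        if e["type"] != "inject":
            continue
        target = e["dst_image"].rsplit("\\", 1)[-1].lower()
        src_dir = e["src_image"].rsplit("\\", 1)[0].lower()
        if target == "svchost.exe" and not src_dir.startswith(r"c:\windows\system32"):
            findings.append(Finding(e["host"], "installation", "svchost_injection",
                                    f"{e['src_image']} -> {e['dst_image']}"))
    return findings


def detect_port_scan(events, window=10.0, min_ports=10):
    """Many distinct destination ports on one peer inside a short window."""
    groups = defaultdict(list)
    for e in events:
        if e["type"] == "net_connect":
            groups[(e["host"], e["dst_ip"])].append((e["t"], e["dst_port"]))
    findings = []
    for (host, ip), conns in groups.items():
        conns.sort()
        for t0, _ in conns:
            ports = {p for t, p in conns if t0 <= t <= t0 + window}
            if len(ports) >= min_ports:
                findings.append(Finding(host, "reconnaissance", "port_scan",
                                        f"{len(ports)} ports on {ip} within {window}s"))
                break
    return findings


def detect_beaconing(events, min_count=5, max_jitter=0.2):
    """Repeated connections to one peer at near-constant intervals (C2 phase)."""
    groups = defaultdict(list)
    for e in events:
        if e["type"] == "net_connect":
            groups[(e["host"], e["dst_ip"], e["dst_port"])].append(e["t"])
    findings = []
    for (host, ip, port), times in groups.items():
        if len(times) < min_count:
            continue
        times.sort()
        deltas = [b - a for a, b in zip(times, times[1:])]
        mean_d = sum(deltas) / len(deltas)
        # low coefficient of variation == regular timer, not human browsing
        if mean_d > 0 and pstdev(deltas) / mean_d <= max_jitter:
            findings.append(Finding(host, "command_and_control", "beaconing",
                                    f"{len(times)} connections to {ip}:{port}, ~{mean_d:.0f}s apart"))
    return findings


def detect_mass_overwrite(events, window=30.0, min_files=20):
    """One process overwriting many distinct files quickly (dstr-style wiper)."""
    groups = defaultdict(list)
    for e in events:
        if e["type"] == "file_write" and e.get("overwrite"):
            groups[(e["host"], e["pid"])].append((e["t"], e["path"]))
    findings = []
    for (host, pid), writes in groups.items():
        writes.sort()
        for t0, _ in writes:
            paths = {p for t, p in writes if t0 <= t <= t0 + window}
            if len(paths) >= min_files:
                findings.append(Finding(host, "actions_on_objectives", "mass_overwrite",
                                        f"pid {pid} overwrote {len(paths)} files within {window}s"))
                break
    return findings


def correlate(events, min_phases=2):
    """Run all rules; flag hosts showing behaviour in >= min_phases kill-chain phases."""
    findings = []
    for rule in (detect_injection, detect_port_scan, detect_beaconing, detect_mass_overwrite):
        findings.extend(rule(events))
    phases = defaultdict(set)
    for f in findings:
        phases[f.host].add(f.phase)
    flagged = sorted(h for h, p in phases.items() if len(p) >= min_phases)
    return findings, flagged


def constructed_events():
    """Constructed sample telemetry (not real captures); times are seconds."""
    ev = [{"t": 5, "host": "ws01", "type": "inject",
           "src_image": r"C:\Users\u\AppData\Local\Temp\x.exe",
           "dst_image": r"C:\Windows\System32\svchost.exe"}]
    for i in range(15):   # ws01 probes 15 ports on one internal host in 3 s
        ev.append({"t": 10 + i * 0.2, "host": "ws01", "type": "net_connect",
                   "dst_ip": "10.0.0.9", "dst_port": 1000 + i})
    for i in range(6):    # ws01 checks in with one external peer every 60 s
        ev.append({"t": 100 + i * 60, "host": "ws01", "type": "net_connect",
                   "dst_ip": "203.0.113.7", "dst_port": 443})
    for i in range(25):   # ws01 overwrites 25 documents in 2 s
        ev.append({"t": 500 + i * 0.08, "host": "ws01", "type": "file_write",
                   "pid": 5200, "path": fr"C:\data\f{i}.doc", "overwrite": True})
    for t in (3, 11, 40, 41, 90):   # ws02: irregular, benign web traffic
        ev.append({"t": t, "host": "ws02", "type": "net_connect",
                   "dst_ip": "198.51.100.2", "dst_port": 443})
    return ev


if __name__ == "__main__":
    findings, flagged = correlate(constructed_events())
    for f in findings:
        print(f"{f.host:5} {f.phase:22} {f.rule:18} {f.evidence}")
    print("flagged hosts:", flagged)
```

Note that ws02 makes five connections to one peer, the same count as the beaconing threshold, but is not flagged because its timing is irregular; the rule keys on regularity rather than volume, which is the kind of behavioral distinction a hash- or string-based signature cannot express.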