Malware structure hints at highly organized team behind it

Nov 3, 2014 23:17 GMT  ·  By
Number of views for the Google Plus ID found in BlackEnergy 2 configuration file has grown to more than 76 million

Known for its use in cyber espionage operations as well as in financially driven campaigns, the BlackEnergy malware family has an entire infrastructure behind it and an adept group, known as Sandworm, customizing its functionality for each mission.

The malware has been employed for several targeted attacks, one of the most recent leveraging a zero-day vulnerability in Windows against various entities, from NATO and government organizations in Ukraine and Western Europe to companies in the telecommunications and energy sectors.

DDoS tool compiled for ARM systems

Security researchers at Kaspersky analyzed different tools and configuration files of the malware and presented their findings in a report on Monday, showing an army of custom plug-ins created for the threat to carry out malicious activities on both Windows and Linux systems.

After gaining control over command and control (C&C) servers, the researchers also uncovered a configuration file that included modules for stealing passwords from several network protocols (SMTP, POP3, IMAP, HTTP, FTP, Telnet), dropping malware, and deploying DDoS (distributed denial-of-service) attacks.

Interestingly, the DDoS plug-in, “weap_hwi,” was compiled for the ARM architecture, which underpins most mobile platforms (iOS, Android, Windows Phone, BlackBerry, Firefox OS).

The Linux module also had functionality for scanning ports, logging source and destination IP addresses, and communicating with the C&C to load additional plug-ins or update itself.

Among the available commands, the researchers found that the attackers could wipe all traces of the infection from the affected system and then reboot the machine.

Not all plug-ins have been found, Russian Ministry of Defense IP found among the targets

On Windows, the Sandworm group's plug-ins offered extended capabilities: searching for particular file types, taking screenshots, spreading across the target network, running remote desktop sessions, infecting files, logging traffic, overwriting data on the hard disk, logging keystrokes, and collecting details about the system (BIOS, connected USB devices) and the network.

Although the list of plug-ins collected from the C&C servers is fairly long, the researchers have evidence that more exist.

“For example, we have yet to obtain the router access plugin, but we are confident that it exists. Evidence also supports the hypothesis that there is a decryption plugin for victim files,” say Kurt Baumgartner and Maria Garnaeva in a blog post.

During the analysis, they found that a tool called “grc” is used to parse HTML. The odd part is that it is given a Google Plus ID, whose page had more than 76 million views at the time of writing. The researchers explain that the tool downloads and decrypts a PNG image that could contain a fresh C&C server address, but no such image has been found.

The commands they observed reinforce the belief that a router-access plug-in exists. The researchers also found two IP addresses targeted for DDoS, one belonging to the Russian Ministry of Defense and the other to a government site of the Turkish Ministry of Interior.

“While many researchers suspect a Russian actor is behind BE2 [BlackEnergy 2], judging by their tracked activities and the victim profiles, it's still unclear whose interests they represent,” Baumgartner and Garnaeva write.