Black Energy’s New Targets – Ukraine, Poland, Brussels

Posted on September 24, 2014.


Current malware campaigns in Ukraine, Brussels and Poland are most likely to target information, not cash.

BlackEnergy Strikes Again in a New Manner

The security firm ESET discovered a newer version of the BlackEnergy malware that is currently targeting over a hundred industry and security organizations in Ukraine and Poland. BlackEnergy has been known to the public since the cyber-attack on Georgia in 2008. So far, BlackEnergy was used for DDoS attacks, distribution of spam messages and bank fraud.

According to a report of the ESET research team, the botnet-based malware has a new strategy, targeting private companies and state organizations in various industries. There have been numerous attacks throughout 2014, and they are still active this month.

Reportedly, the “lite” BlackEnergy version has over a hundred victims so far. These are mainly companies and organizations in Ukraine and Poland.

In the meantime, another security company, F-Secure, discovered a recent BlackEnergy campaign active in Brussels. The security specialists believe this may be a sign of a breach in the European Commission or the European Parliament.

F-Secure also revealed another Russian malware campaign, CosmicDuke, which uses a fake document about the current Scottish independence vote to lure the victim into opening it and thus introduce the threat into the system. The attack targets companies in the oil sector, mainly situated in the UK.

BlackEnergy Lite – What’s Different?

The security experts at ESET call the newer version of BlackEnergy “lite” for a few reasons:

  • The latest BlackEnergy is cheaper.
  • The malware does not use a kernel mode driver anymore.
  • BlackEnergy no longer has the rootkit functionality that was used to hide the malware in the previous versions.

Although the newer version might appear a bit stripped-down, it is still able to damage the systems of numerous organizations, taking advantage of various software vulnerabilities, or by using phishing emails and fake documents to attack the victims.

Dropping the kernel mode driver is a fairly common trend among malware creators lately. It may be because of the technical difficulties developers face, or simply because a malware component like this is a big investment to build.

The cyber crooks behind BlackEnergy Lite use it for:

  • Remote code execution.
  • Collecting data.
  • Network discovery.

The distribution mechanism of the attacks is quite interesting as well. A document named “Russian ambassadors to conquer the world” was used in one of the attacks in April. The decoy file exploited a vulnerability in Microsoft Word (CVE-2014-1761). In other cases, the dropper is an EXE file hiding behind the Word icon.

Reportedly, in the attacks of the last two months the crooks used PowerPoint documents and unspecified Java vulnerabilities.
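A dropper that only borrows the Word icon still carries a PE header, so its claimed type can be checked without opening it. The following is an added example, not code from the original post or from ESET or F-Secure: it compares an attachment's leading bytes with its file name and, going beyond what the post describes, also flags the double-extension and right-to-left-override variants of the same disguise. All sample files are constructed headers, not real malware.

```python
from pathlib import PurePath

# Magic bytes of the container formats involved.
OLE_CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc (OLE compound file)
ZIP_MAGIC = b"PK\x03\x04"                            # .docx (Office Open XML is a ZIP)
PE_MAGIC = b"MZ"                                     # Windows executable, i.e. the dropper
RLO = "\u202e"                                       # right-to-left override character

DOC_EXTENSIONS = {".doc", ".docx"}


def sniff_format(data: bytes) -> str:
    """Classify content by its leading bytes, ignoring the file name entirely."""
    if data.startswith(OLE_CFB_MAGIC):
        return "ole"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if data.startswith(PE_MAGIC):
        return "pe"
    return "unknown"


def assess_attachment(filename: str, data: bytes) -> tuple:
    """Return (verdict, reason); verdict is one of block / review / allow."""
    suffixes = [s.lower() for s in PurePath(filename).suffixes]
    ext = suffixes[-1] if suffixes else ""
    fmt = sniff_format(data)
    if RLO in filename:
        return "block", "right-to-left override hides the real extension"
    if fmt == "pe":
        if ext in DOC_EXTENSIONS:
            return "block", "PE header behind a document extension"
        if len(suffixes) >= 2 and suffixes[-2] in DOC_EXTENSIONS:
            return "block", "executable with a double extension"
        return "review", "executable attachment; an icon is not evidence of file type"
    if ext in DOC_EXTENSIONS and fmt not in ("ole", "zip"):
        return "review", "document extension with unrecognised content"
    return "allow", fmt


# Constructed samples (hypothetical names): headers padded to look like small files.
SAMPLES = {
    "briefing.doc": OLE_CFB_MAGIC + b"\x00" * 24,
    "briefing.docx": ZIP_MAGIC + b"\x00" * 28,
    "ambassadors.doc.exe": PE_MAGIC + b"\x90\x00" + b"\x00" * 28,
    "ambassadors.exe": PE_MAGIC + b"\x90\x00" + b"\x00" * 28,
    "notes.doc": PE_MAGIC + b"\x90\x00" + b"\x00" * 28,
    "report" + RLO + "cod.exe": PE_MAGIC + b"\x00" * 30,
}


def scan_samples() -> dict:
    """Map each sample name to its verdict, for a quick triage table."""
    return {name: assess_attachment(name, data)[0] for name, data in SAMPLES.items()}
```

Run `scan_samples()` to see the verdicts; a real deployment would read the first 16 bytes of each quarantined attachment instead of the constructed samples.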

The Experts’ Opinion

Security experts observe a growth in Russian malware campaigns. They believe that hackers, who were previously interested in credit card theft, are now targeting trade secrets.

Compared to CosmicDuke, the BlackEnergy attacks may appear a bit more patriotically driven than cash oriented. Some specialists believe that the campaigns may not even be started by Russian nation-state cyber criminals.

BlackEnergy Lite’s lack of concealment features does not hold it back, the experts say. Apparently, Lite has been reduced to just the functionality it needs.

Compared to its previous version, the malware is now easier to detect, but mainly in a lab environment. The technology used by most organizations is quite static, as they still rely on a firewall. This makes their battle against BlackEnergy even harder.

More information concerning the newer version of BlackEnergy is expected to be released by the experts of both security companies.
