October 3, 2014 at 11:36BlackEnergy Lite Targets Ukraine and Poland
Recently, a large number of organizations and private companies from various industries in Ukraine and Poland have been the victims of targeted attacks using various malicious programs. These malicious programs were used to gain access to internal networks of companies, as well as to collect data from the hard drives of compromised computers.
An interesting fact is that in these malicious campaigns, attackers used a new modification of the BlackEnergy Trojan. Today, BlackEnergy is a family of malicious programs with a rich history and various mechanisms for distributing and installing its body on users' computers. BlackEnergy's first detailed analysis publishedArbor Networks back in 2007.
Originally, BlackEnergy was conceived as a relatively simple DDoS bot, but then it turned into a complex malware with a modular architecture, which began to specialize in spamming, fraudulent online banking operations and was used by attackers for targeted attacks. The second version of this malicious program contained a rootkit component and was documented by Dell SecureWorks in 2010. Detected targeted attacks prove that BlackEnergy is still a popular tool for cybercriminals.
While the widespread modifications of BlackEnergy are still active in-the-wild, we have discovered new variants of it that are easy to distinguish from its “older brothers”. These modifications are called BlackEnergy Lite and they lack the kernel mode driver component (rootkit), and plug-in support is significantly limited. The name “Light” is contained in the name of one of the malware dlls, as shown in the screenshot below.
Fig. The export directory for the main_light.dll malware component.
It should also be noted that the common versions of BlackEnergy that were discovered this year used the kernel mode driver (rootkit) only for the purpose of introducing payload code into user mode processes and the rootkit itself did not contain the ability to hide objects in the system. At the same time, the Light version of BlackEnergy does not use a driver at all. Instead, the main DLL is loaded into the system by simply loading through rundll32.exe. This feature has already been described previously by F-Secure specialists here . There are also other differences between BlackEnergy and BlackEnergy Lite, they relate to the device plug-ins, the format of their storage and the format of the configuration data.
The BlackEnergy family of malware has been used by cybercriminals to achieve many goals throughout its history, including DDoS attacks, spamming, and bank fraud. Both malware modifications of both BlackEnergy and BlackEnergy Lite were used by attackers in targeted attacks. Plugins used by the malware are designed to distribute their code on the internal network and collect data from the hard drives of compromised computers.
We observed over one hundred specific victims of BlackEnergy distribution campaigns over the botnet tracking time period. About half of these victims are located in Ukraine and as many in Poland. These victims are government agencies, as well as various other enterprises. The malware distribution campaigns we observed used various infection vectors, including exploitation of vulnerabilities in the OS, methods of social engineering through phishing e-mail messages, and fake Office documents.
In April, we discovered a malicious document Office (exploit), which exploits the vulnerability CVE-2014-1761 in the Microsoft Word. This exploit has also been seen in other attacks, including Miniduke. In case of successful operation, the exploit shellcode dumps two files into the temporary files directory: the WinWord.exe exploit payload executable file and a fake document called “Russian ambassadors to conquer world.doc”. The executable file is responsible for extracting and executing the BlackEnergy Lite dropper. The fake document contains text that is displayed to the user (shown below in the screenshot).
We also observed another malicious document that exploited the vulnerability CVE-2014-1761 . The theme of this fake document is different from the previous one and refers to the GlobSEC forum, which was held in Bratislava this year.
A month later, in May, we discovered another malicious file that was used by cybercriminals to install BlackEnergy Lite on the system. This executable file did not contain exploits, but was simply disguised as an MS Word document with the name "password list" in Ukrainian.
Despite the fact that the file was executable, it contained in its body a document with a list of standard passwords, part of this document is shown below in the screenshot.
Later BlackEnergy Lite distribution campaigns were active in August and September, according to our ESET LiveGrid statistics. In several cases of malware distribution, we observed the use by attackers of a specially prepared PowerPoint document, exploits for Java, as well as Team Viewer software.
An interesting fact is that in these malicious campaigns, attackers used a new modification of the BlackEnergy Trojan. Today, BlackEnergy is a family of malicious programs with a rich history and various mechanisms for distributing and installing its body on users' computers. BlackEnergy's first detailed analysis publishedArbor Networks back in 2007.
Originally, BlackEnergy was conceived as a relatively simple DDoS bot, but then it turned into a complex malware with a modular architecture, which began to specialize in spamming, fraudulent online banking operations and was used by attackers for targeted attacks. The second version of this malicious program contained a rootkit component and was documented by Dell SecureWorks in 2010. Detected targeted attacks prove that BlackEnergy is still a popular tool for cybercriminals.
While the widespread modifications of BlackEnergy are still active in-the-wild, we have discovered new variants of it that are easy to distinguish from its “older brothers”. These modifications are called BlackEnergy Lite and they lack the kernel mode driver component (rootkit), and plug-in support is significantly limited. The name “Light” is contained in the name of one of the malware dlls, as shown in the screenshot below.
Fig. The export directory for the main_light.dll malware component.
It should also be noted that the common versions of BlackEnergy that were discovered this year used the kernel mode driver (rootkit) only for the purpose of introducing payload code into user mode processes and the rootkit itself did not contain the ability to hide objects in the system. At the same time, the Light version of BlackEnergy does not use a driver at all. Instead, the main DLL is loaded into the system by simply loading through rundll32.exe. This feature has already been described previously by F-Secure specialists here . There are also other differences between BlackEnergy and BlackEnergy Lite, they relate to the device plug-ins, the format of their storage and the format of the configuration data.
The BlackEnergy family of malware has been used by cybercriminals to achieve many goals throughout its history, including DDoS attacks, spamming, and bank fraud. Both malware modifications of both BlackEnergy and BlackEnergy Lite were used by attackers in targeted attacks. Plugins used by the malware are designed to distribute their code on the internal network and collect data from the hard drives of compromised computers.
We observed over one hundred specific victims of BlackEnergy distribution campaigns over the botnet tracking time period. About half of these victims are located in Ukraine and as many in Poland. These victims are government agencies, as well as various other enterprises. The malware distribution campaigns we observed used various infection vectors, including exploitation of vulnerabilities in the OS, methods of social engineering through phishing e-mail messages, and fake Office documents.
In April, we discovered a malicious document Office (exploit), which exploits the vulnerability CVE-2014-1761 in the Microsoft Word. This exploit has also been seen in other attacks, including Miniduke. In case of successful operation, the exploit shellcode dumps two files into the temporary files directory: the WinWord.exe exploit payload executable file and a fake document called “Russian ambassadors to conquer world.doc”. The executable file is responsible for extracting and executing the BlackEnergy Lite dropper. The fake document contains text that is displayed to the user (shown below in the screenshot).
We also observed another malicious document that exploited the vulnerability CVE-2014-1761 . The theme of this fake document is different from the previous one and refers to the GlobSEC forum, which was held in Bratislava this year.
A month later, in May, we discovered another malicious file that was used by cybercriminals to install BlackEnergy Lite on the system. This executable file did not contain exploits, but was simply disguised as an MS Word document with the name "password list" in Ukrainian.
Despite the fact that the file was executable, it contained in its body a document with a list of standard passwords, part of this document is shown below in the screenshot.
Later BlackEnergy Lite distribution campaigns were active in August and September, according to our ESET LiveGrid statistics. In several cases of malware distribution, we observed the use by attackers of a specially prepared PowerPoint document, exploits for Java, as well as Team Viewer software.