BlackEnergy
First posted on 03 April 2015.
Source: SecurityHome
Aliases:
There are no other names known for BlackEnergy.
Explanation:
BlackEnergy is a toolkit that has been used for years by various criminal outfits.
BlackEnergy is a popular crimeware (that is, malware designed to automate criminal activities) that is sold in the Russian cyber underground and dates back to as early as 2007. Originally, it was designed as a toolkit for creating
botnets for use in conducting Distributed Denial of Service (DDoS) attacks. Over time, the malware has evolved to support different plugins, which are used to extend its capabilities to provide necessary functions, depending on
the purpose of an attack.
Given the nature of its toolkit, BlackEnergy has unsurprisingly been used by different gangs for different purposes; some use it for sending spam, others for stealing banking credentials. The most notorious use may be when
it was used to conduct cyberattacks against Georgia during the Russo-Georgian confrontation in 2008.
In the summer of 2014, BlackEnergy caught our attention when we noticed that samples of it were now tailored to target Ukrainian government institutions. Though it may be unrelated, it is interesting to note that this change
conveniently coincides with the ongoing crisis in that country. Related or not, one thing is certain: the actor(s) using this customized BlackEnergy malware are intent on stealing information from the targets. The use of this
crimeware in what constitutes an advanced persistent threat (APT) attack is interesting. In 'black operations' (black ops), an important criterion is that the attack should not be attributable - and what provides better plausible
deniability than crimeware known to be used by multiple parties?
The original BlackEnergy toolkit first emerged in 2007 and is referred to in this paper as BlackEnergy 1. A later variant of the toolkit (BlackEnergy 2) was released in 2010. We also encountered a previously unseen variant, which had been rewritten and uses a different format for its configuration.
It also no longer uses a driver component. This new variant was dubbed BlackEnergy 3.
INFECTION VECTORS
Most of the recent BlackEnergy installers collected are named msiexec.exe. We believe they are either dropped by another executable that uses social engineering tricks to mislead the user into executing the installer, or by
documents containing exploits that silently perform the installation.
We found at least 2 trojanized legitimate applications that execute the installer (in addition to their legitimate tasks).
Trojanization is an effective infection method, as most users have no way of observing that a malicious component is being installed in tandem with a legitimate program.
Some earlier installer variants, then named regedt32.exe, were distributed by documents exploiting software vulnerabilities, one of which was CVE-2010-3333. These documents drop and execute the installer, then open a decoy document. It is reasonable to assume that a similar approach has been used to deliver the more recent installer variants.
The installer filename of BlackEnergy 3 is still msiexec.exe.
However, it is delivered and executed by a dropper which opens a decoy document in the foreground. We also encountered a standalone, non-persistent sample that
pretends to be Adobe Flash Player Installer. It does not use any decoy document or application and does not run after reboot.
TARGET DETAILS
From the very earliest variants we were able to attribute to Quedagh, we have noticed that their targets have been political in nature. Apart from other indicators, we can deduce the nature of the target based on the content of
social engineering tactics used to distribute the installers.
For example, one decoy dropped from a sample dating to 2012 seems to be targeting European audiences and discusses a political/economic situation. Strings found in another sample from 2012 again indicate a political motivation behind the attack. Most decoys used content taken from news sites; we noted one decoy dropped by an exploit document was created using the Russian version of Office.
The latest variant of the dropper pretends to be a document file with a Ukrainian filename. The choice of language for the filename may again tie
in with or reference the current political crisis in that country.
The filename itself means 'password list' in English.
DRIVER SIGNING POLICY BYPASS
The malware will only attempt to infect a system if the current user is a member of the local administrator group.
If not, it will re-launch itself as Administrator on Vista.
This in effect will trigger a UAC prompt. On Windows 7 and later however, the malware will attempt to bypass the default UAC settings. It exploits a backward-compatibility feature found in newer versions of Windows. BlackEnergy
installers include a Shim Database, or a "fix", instructing Windows to execute cmd.exe in place of SndVol.exe, ostensibly in order to resolve an incompatibility.
The role of the installer is to set up the malware's persistent component, which is the driver component. On 64-bit Windows systems, Microsoft has enforced a policy that requires all drivers to be signed as a security
precaution. Signing provides a way to identify a driver to its author, effectively reducing the number of malware developers willing to take the risk. To allow developers to test their drivers during development, Microsoft provides
a TESTSIGNING boot configuration option; while in this mode, a watermark is displayed on the screen to make it obvious to users and to prevent malware from exploiting this option.
SndVol.exe is one of the Windows executables that will be automatically elevated upon execution because it is thought to be safe. What harm can a volume control cause? With the malicious "fix" installed however,
executing SndVol.exe will execute the not-so-safe file cmd.exe instead, which can then be used to install the malware while in an elevated state.
BlackEnergy enables the TESTSIGNING option to load its driver component; to hide this change from the user, the malware removes the watermark by removing the relevant strings from the system's user32.dll.mui. In Windows
8 and up however, the strings are no longer stored in user32.dll.mui, so the trick will not work. This may be one of the reasons for the existence of a standalone, non-persistent BlackEnergy variant. The malware does not infect 64-bit Windows systems that are older than Vista.
DRIVER COMPONENT
The installer will try to locate an existing driver service that is inactive. The service found will usually be a legitimate one that is disabled because it is no longer used or because it is set to start only on demand. The installer will drop the driver component using the corresponding path of the service. It will overwrite the existing driver if necessary. The hijacked service is then
set to start automatically. This is how the malware is able to survive after a reboot. By doing this, the gang may be hoping that their malicious driver will be overlooked by administrators or investigators who are so used to seeing
those legitimate services.
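The hijack described above leaves a recognisable pattern: a driver service that used to be disabled or on-demand is now set to start automatically, and the file at its image path has been overwritten, so it is freshly written and no longer carries a valid signature. The following is an added example written for this page, not code from the original paper, that scores a constructed service inventory against those three indicators. The record schema (start types, a `signed` flag from your own Authenticode verification, a `baseline_start_type` from an earlier inventory) and all service names and paths are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Tuple


@dataclass
class DriverService:
    """One kernel-driver service as collected from the SCM plus a file inventory.
    Assumed schema: start_type is 'boot', 'system', 'auto', 'demand' or 'disabled';
    `signed` is the result of Authenticode verification by your own tooling;
    `baseline_start_type` comes from an earlier inventory or golden image."""
    name: str
    start_type: str
    image_path: str
    signed: bool
    file_mtime: datetime
    baseline_start_type: str


def hijack_indicators(svc: DriverService, now: datetime,
                      recent: timedelta = timedelta(days=30)) -> List[str]:
    """Reasons a service looks like a hijacked launch point; empty list if none."""
    reasons = []
    if svc.start_type == "auto" and svc.baseline_start_type in ("disabled", "demand"):
        reasons.append(f"start type changed from {svc.baseline_start_type} to auto")
    if not svc.signed:
        reasons.append("driver image is not validly signed")
    if now - svc.file_mtime <= recent:
        reasons.append(f"driver image written within the last {recent.days} days")
    return reasons


def suspicious_services(services: List[DriverService], now: datetime,
                        min_reasons: int = 2) -> List[Tuple[str, List[str]]]:
    """Services with at least `min_reasons` indicators, so a lone recent vendor update does not alert."""
    hits = []
    for svc in services:
        reasons = hijack_indicators(svc, now)
        if len(reasons) >= min_reasons:
            hits.append((svc.name, reasons))
    return hits


# Constructed inventory; names and paths are placeholders, not from real samples.
NOW = datetime(2014, 9, 1)
SAMPLE_SERVICES = [
    DriverService("netdrv", "system", r"C:\Windows\System32\drivers\netdrv.sys",
                  True, datetime(2011, 3, 1), "system"),
    # A disabled driver re-enabled as auto-start, overwritten recently, and unsigned.
    DriverService("oldscsi", "auto", r"C:\Windows\System32\drivers\oldscsi.sys",
                  False, datetime(2014, 8, 20), "disabled"),
    # A legitimate, signed vendor update from last week: recent, but nothing else.
    DriverService("vendorupd", "demand", r"C:\Windows\System32\drivers\vendorupd.sys",
                  True, datetime(2014, 8, 25), "demand"),
]


if __name__ == "__main__":
    for name, reasons in suspicious_services(SAMPLE_SERVICES, NOW):
        print(name, "->", "; ".join(reasons))
```

Requiring two indicators is the design choice worth noting: signed, recently updated drivers are routine, and so are demand-start services, but a previously disabled service that now auto-starts an unsigned, freshly written image is exactly the combination this section describes.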
The only component that will remain permanently on the infected system will be the driver component. The driver component used by the gang is a stripped down version of the BlackEnergy 2 driver.
The sole purpose of this driver component is to inject the main DLL component into svchost.exe. Interestingly, it does not contain the rootkit functionalities for hiding processes, files and registry objects that are found in the usual BlackEnergy 2 drivers. The gang may have opted for a 'hide in plain sight' approach to evade detection by rootkit scanners, such as GMER and RootkitRevealer, that check for system anomalies.
The driver component provides an IOCTL interface to communicate with the main DLL component. The command codes that can be passed through the IOCTL buffer are not reproduced on this page. The 32-bit version contains additional, incomplete routines for hiding processes via
direct kernel object manipulation (DKOM) and managing BlackEnergy 2 rootkit rules in memory.
MAIN DLL COMPONENT
The core functionality of BlackEnergy 2 is found in the main DLL component. This component is embedded inside the driver component and is not found in the file system; this is to reduce the infection footprint on the system.
The main DLL provides a robust framework for attackers to maintain a botnet that is not tied to any specific functionality. The malware is designed to be used by loading customized plugins depending on the purpose of the botmaster. It is mainly a framework for plugins to communicate with a central command and control.
Otherwise, the main DLL only provides a minimal set of commands. Table 3 (above) summarizes the commands supported by the variants used in the attack against Ukrainian government organizations.
In BlackEnergy 2, the main DLL component communicates with its plugins via a defined set of API calls. It exports a number of function calls, which can be used by the plugins. On the other hand, plugins are required to export
2 functions to work. We highly recommend the research of Dell SecureWorks for those looking for more details regarding the BlackEnergy 2 plugin framework.
BLACKENERGY 3
In contrast to previous variants, BlackEnergy 3 uses a simpler installer component. It does not have a driver component, and the installer drops the main DLL component directly into the local application data (non-roaming) folder. The installer then creates a LNK file in the startup folder, with a filename derived from the volume serial number, as a launch point. The LNK file is a
shortcut that executes the main DLL using rundll32.exe.
BlackEnergy 3 also uses a different method of communication with its plugins, as it now communicates via RPC over the named-pipe protocol (ncacn_np).
INFORMATION-STEALING PLUGIN
Since the main DLL component offers little clue as to what the malware was used for, we need to look at the plugin to determine the objective of the gang.
One particular plugin that was used in the campaign was called "si", perhaps to mean 'steal information'. The latest sample we found will attempt to gather the following information and send them to the C&C server:
- System configuration information (gathered via systeminfo.exe)
- Operating system version
- Privileges
- Current time
- Up time
- Idle Time
- Proxy
- Installed apps (gathered from uninstall program registry)
- Process list (gathered via tasklist.exe)
- IP configurations (gathered via ipconfig.exe)
- Network connections (gathered via netstat.exe)
- Routing tables (gathered via route.exe)
- Traceroute and Ping information to Google (gathered via tracert.exe and ping.exe)
- Registered mail, browser, and instant messaging clients (gathered via client registry)
- Account and password information from The Bat! email client (gathered from account.cfn and account.cfg)
- Stored username and passwords in Mozilla password manager of the following applications (gathered from signons*.txt and signons.sqlite)
  - Thunderbird
  - Firefox
  - SeaMonkey
  - IceDragon
- Stored username and passwords in Google Chrome password manager of the following applications (gathered from "Login Data")
  - Google Chrome
  - Chromium
  - Comodo Dragon
  - Xpom
  - Nichrome
  - QIP Surf
  - Torch
  - YandexBrowser
  - Opera
  - Sleipnir
- Account and password information from Outlook and Outlook Express
- Internet Explorer version and stored username and passwords
- Stored username and passwords in Windows Credential Store
  - Live
  - Remote Desktop
  - Other generic credentials (Microsoft_WinInet_*)
The nature of the information being gathered seems to be generic rather than targeted. This may be because the malware has its roots in crimeware. The information is still useful however, as such data makes it easier for the gang
to plan any further attacks on the same targets.
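Much of the list above is collected by spawning ordinary Windows command-line tools (systeminfo.exe, tasklist.exe, ipconfig.exe, netstat.exe, route.exe, tracert.exe, ping.exe), and the page names svchost.exe (where the driver injects the main DLL) and rundll32.exe (the BlackEnergy 3 launcher) as the processes hosting it. That gives a simple detection: one parent process running several of those tools in quick succession. The following is an added example written for this page, not code from the original paper, that applies that logic to constructed process-creation events in the spirit of Sysmon event ID 1. The event tuple layout, the timestamps, PIDs and the window and threshold values are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Command-line tools the page lists as executed by the "si" plugin.
RECON_TOOLS = {"systeminfo.exe", "tasklist.exe", "ipconfig.exe", "netstat.exe",
               "route.exe", "tracert.exe", "ping.exe"}
# Processes the page names as hosting the main DLL (svchost.exe via the driver,
# rundll32.exe in BlackEnergy 3). Other parents still alert, at lower confidence.
SUSPECT_PARENTS = {"svchost.exe", "rundll32.exe"}

# Constructed process-creation events (timestamp, parent image, parent PID, child image);
# not real telemetry.
SAMPLE_EVENTS = [
    ("2014-08-01 10:00:01", "svchost.exe", 812, "systeminfo.exe"),
    ("2014-08-01 10:00:02", "svchost.exe", 812, "tasklist.exe"),
    ("2014-08-01 10:00:03", "svchost.exe", 812, "ipconfig.exe"),
    ("2014-08-01 10:00:04", "svchost.exe", 812, "netstat.exe"),
    ("2014-08-01 10:00:05", "svchost.exe", 812, "route.exe"),
    ("2014-08-01 10:00:09", "svchost.exe", 812, "tracert.exe"),
    ("2014-08-01 10:30:00", "cmd.exe", 4120, "ipconfig.exe"),   # an administrator at a prompt
    ("2014-08-01 11:00:00", "cmd.exe", 4120, "ping.exe"),
    ("2014-08-01 11:00:05", "explorer.exe", 1500, "notepad.exe"),
]


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def detect_recon_bursts(events: List[Tuple[str, str, int, str]],
                        window: timedelta = timedelta(minutes=5),
                        min_tools: int = 4) -> List[Dict]:
    """Alert when one parent process runs >= min_tools distinct recon tools within `window`."""
    runs: Dict[Tuple[str, int], List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, parent, ppid, child in events:
        if child.lower() in RECON_TOOLS:
            runs[(parent.lower(), ppid)].append((parse_ts(ts), child.lower()))

    alerts = []
    for (parent, ppid), seq in runs.items():
        seq.sort()
        for i, (start, _) in enumerate(seq):
            # Distinct tools launched inside the window that opens at this event.
            tools = {tool for t, tool in seq[i:] if t - start <= window}
            if len(tools) >= min_tools:
                alerts.append({
                    "parent": parent, "pid": ppid,
                    "first_seen": start, "tools": sorted(tools),
                    "high_confidence": parent in SUSPECT_PARENTS,
                })
                break  # one alert per parent process
    return alerts


if __name__ == "__main__":
    for alert in detect_recon_bursts(SAMPLE_EVENTS):
        print(alert)
```

The threshold of four distinct tools in five minutes is what separates the plugin's burst from an administrator running one or two commands at a prompt; tune it against your own baseline of how often svchost.exe or rundll32.exe legitimately spawn these tools (normally never) before relying on the high-confidence flag.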
CONCLUSIONS
BlackEnergy is a toolkit that has been used for years by various criminal outfits. In the summer of 2014, we noted that certain samples of BlackEnergy malware began targeting Ukrainian government organizations for information harvesting. These samples were identified as being the work of one group, referred to in this document as "Quedagh", which has a history of targeting political organizations. Though inconclusive, suggestive details indicate that BlackEnergy malware, possibly also from this gang, may also have been used in the Russo-Georgian confrontation in 2008.
The Quedagh customizations to the BlackEnergy malware include support for proxy servers (which, in the samples examined, are associated with Ukrainian entities) and the use of techniques to bypass User Account Control and driver signing enforcement on 64-bit Windows systems. While monitoring BlackEnergy samples, we also encountered a new variant, which we dub BlackEnergy 3, with a modified
configuration, no driver component and a different installation procedure.
The use of BlackEnergy for a politically-oriented attack is an intriguing convergence of criminal activity and espionage. As the kit is being used by multiple groups, it provides a greater measure of plausible deniability than is
afforded by a custom-made piece of code.
Last update: 03 April 2015