
BlackEnergy Lite aims at Ukraine and Poland

Recently, a large number of organizations and private companies from many industries in Ukraine and Poland have become victims of targeted attacks that used several malicious programs. These programs were used to gain access to the companies' internal networks and to collect data from the hard drives of compromised computers.



Notably, the attackers used a new modification of the BlackEnergy Trojan in these campaigns. Today BlackEnergy is a malware family with a rich history and a variety of mechanisms for distributing and installing its body on users' computers. The first detailed analysis of BlackEnergy was published by Arbor Networks back in 2007.

Initially, BlackEnergy was conceived as a relatively simple DDoS bot, but it later grew into complex malware with a modular architecture that specialized in spamming and online banking fraud and came to be used by attackers in targeted attacks. The second version of this malware contained a rootkit component and was documented by Dell SecureWorks in 2010. The targeted attacks we found show that BlackEnergy is still a popular tool among cybercriminals.

While the widespread modifications of BlackEnergy are still active in the wild, we have discovered new variants that are easy to distinguish from their "older brothers". We call these modifications BlackEnergy Lite: they lack the kernel-mode driver (rootkit) component, and plugin support is significantly limited. The word "light" appears in the name of one of the malware DLLs, as shown in the screenshot below.


Fig. Export directory for the malware component main_light.dll.

Note also that the widespread versions of BlackEnergy detected this year used the kernel-mode driver (rootkit) only to inject payload code into user-mode processes; the rootkit itself had no ability to hide objects on the system. The Lite version of BlackEnergy, by contrast, does not use a driver at all. Instead, the main DLL is started on the system simply by loading it through rundll32.exe. This behaviour was described previously by F-Secure experts here. There are other differences between BlackEnergy and BlackEnergy Lite as well; they concern the structure of the plugins, their storage format and the format of the configuration data.
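As an added defender-side illustration (not code from the article or from ESET), the following Python sketch flags process-creation events in which rundll32.exe loads a DLL from a user-writable directory, the loading pattern described above. The sample events, the drop path and the entry point are constructed assumptions; only the DLL name main_light.dll comes from the article.

```python
import re
from typing import List, Optional

# Constructed sample process-creation events (not from the article), one per
# line as "parent -> command line". The DLL name main_light.dll is taken from
# the article's screenshot caption; the drop path and entry point are assumed.
SAMPLE_EVENTS = r"""
explorer.exe -> C:\Windows\System32\rundll32.exe "C:\Users\user\AppData\Local\Temp\main_light.dll",#1
svchost.exe -> C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL
winword.exe -> C:\Users\user\AppData\Local\Temp\WinWord.exe
explorer.exe -> C:\Windows\System32\rundll32.exe C:\ProgramData\update\svc.dll,Start
"""

# rundll32 takes "<dll>,<entry>"; the DLL path may be quoted when it has spaces.
RUNDLL32_RE = re.compile(r'rundll32\.exe\s+(?:"([^"]+)"|([^\s,]+))', re.IGNORECASE)

# Directory markers an unprivileged user can write to; a legitimate rundll32
# target normally lives under System32 or an application's install directory.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\programdata\\",
                         "\\users\\public\\", "\\downloads\\")


def dll_from_rundll32(cmdline: str) -> Optional[str]:
    """Return the DLL path passed to rundll32.exe, or None if not a rundll32 call."""
    match = RUNDLL32_RE.search(cmdline)
    if not match:
        return None
    return match.group(1) or match.group(2)


def is_user_writable(path: str) -> bool:
    lowered = path.lower()
    return any(marker in lowered for marker in USER_WRITABLE_MARKERS)


def suspicious_rundll32_loads(events: str) -> List[str]:
    """Return DLL paths that rundll32 loaded from user-writable locations."""
    hits = []
    for line in events.splitlines():
        if " -> " not in line:
            continue
        _parent, _, cmdline = line.partition(" -> ")
        dll = dll_from_rundll32(cmdline)
        if dll and is_user_writable(dll):
            hits.append(dll)
    return hits


if __name__ == "__main__":
    for dll in suspicious_rundll32_loads(SAMPLE_EVENTS):
        print("rundll32 loading DLL from user-writable path:", dll)
```

The same check maps directly onto Sysmon event ID 1 or Windows 4688 command-line fields; the System32 shell32.dll invocation stays silent, which is what keeps the rule usable on real hosts.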

Throughout its history the BlackEnergy malware family has been used by attackers for many purposes, including DDoS attacks, spamming and bank fraud. Both modifications of the malware, BlackEnergy and BlackEnergy Lite, were used in targeted attacks. The plugins used by the malware are designed to spread its code across the internal network and to collect data from the hard drives of compromised computers.

We have observed more than one hundred individual victims of the BlackEnergy distribution campaigns while tracking the botnet. Roughly half of these victims are located in Ukraine and the other half in Poland. They include government agencies as well as a range of other businesses. The campaigns we observed used several infection vectors, including exploitation of OS vulnerabilities, social engineering through phishing emails, and fake Office documents.

In April, we discovered a malicious Office document (exploit) that targets the CVE-2014-1761 vulnerability in Microsoft Word. This exploit has also been seen in other attacks, including Miniduke. If exploitation succeeds, the exploit shellcode drops two files into the temporary files directory: an executable payload named WinWord.exe and a decoy document called "Russian ambassadors to conquer world.doc". The executable is responsible for extracting and running the BlackEnergy Lite dropper. The decoy document contains the text displayed to the user (shown in the screenshot below).



We also observed another malicious document that exploited the CVE-2014-1761 vulnerability. The theme of this decoy differs from the previous one and refers to the GlobSEC forum, which was held in Bratislava this year.



A month later, in May, we discovered another malicious file used by the attackers to install BlackEnergy Lite on the system. This executable contained no exploit; it was simply disguised as an MS Word document with a name meaning "password list" in Ukrainian.



Although the file was an executable, its body contained a document with a list of common passwords; part of this document is shown in the screenshot below.
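Added example, not part of the original article: the two drop patterns described above (a payload named WinWord.exe written to the temporary directory beside a decoy .doc, and an executable disguised as a Word document) can be caught with a small name-versus-magic-bytes classifier. The paths, byte contents and the English "password list" filename are constructed assumptions.

```python
import ntpath
from typing import List, Tuple

DOCUMENT_EXTS = {".doc", ".docx", ".rtf", ".ppt", ".pptx", ".xls", ".pdf"}
OFFICE_BINARIES = {"winword.exe", "excel.exe", "powerpnt.exe"}
TEMP_MARKERS = ("\\temp\\", "\\appdata\\", "\\users\\public\\", "\\downloads\\")

# Constructed sample of (path, first bytes) pairs, not captured from a real
# incident. Filenames echo the article; paths and byte contents are assumed.
SAMPLE_FILES: List[Tuple[str, bytes]] = [
    (r"C:\Users\user\AppData\Local\Temp\WinWord.exe", b"MZ\x90\x00"),
    (r"C:\Users\user\AppData\Local\Temp\Russian ambassadors to conquer world.doc",
     b"\xd0\xcf\x11\xe0"),               # OLE2 header: a genuine .doc decoy
    (r"C:\Users\user\Downloads\password list.doc.exe", b"MZ\x90\x00"),
    (r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE", b"MZ\x90\x00"),
]


def classify_dropped_file(path: str, header: bytes) -> str:
    """Label a file by comparing its name and location with its magic bytes."""
    name = ntpath.basename(path).lower()
    directory = ntpath.dirname(path).lower() + "\\"
    stem, ext = ntpath.splitext(name)
    is_pe = header.startswith(b"MZ")
    if is_pe and ext in DOCUMENT_EXTS:
        return "pe-with-document-extension"      # MZ bytes behind a .doc name
    if is_pe and ntpath.splitext(stem)[1] in DOCUMENT_EXTS:
        return "pe-with-double-extension"        # e.g. "report.doc.exe"
    if name in OFFICE_BINARIES and any(m in directory for m in TEMP_MARKERS):
        return "office-binary-name-in-temp"      # WinWord.exe outside Program Files
    return "ok"


def scan_dropped_files(files: List[Tuple[str, bytes]]) -> List[Tuple[str, str]]:
    """Return (path, finding) for every file that is not classified "ok"."""
    findings = []
    for path, header in files:
        label = classify_dropped_file(path, header)
        if label != "ok":
            findings.append((path, label))
    return findings


if __name__ == "__main__":
    for path, label in scan_dropped_files(SAMPLE_FILES):
        print(f"{label}: {path}")
```

The decoy .doc itself classifies as "ok" because its content is a real document; what makes it suspicious is that it was written by shellcode next to a PE, which is a process-lineage check rather than a file-content one.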



Later BlackEnergy Lite distribution campaigns were active in August and September, according to our ESET LiveGrid statistics. In several instances we observed the malware being spread with a specially crafted PowerPoint document, Java exploits, and TeamViewer software.

Source: https://habr.com/ru/post/239001/
