BlackEnergy

from Wikipedia, the free encyclopedia

BlackEnergy is a widely used crimeware toolkit that has been sold on the Russian black market since 2007. Its original purpose was to set up botnets, i.e. networks of compromised computers under central control, to carry out so-called Distributed Denial of Service (DDoS) attacks. Over time the malware has evolved and now supports various plugins that extend its functionality depending on the purpose of the attack. Its possible uses thus range from sending spam to stealing online-banking credentials to systematic, long-planned attacks on political targets.

A prominent use was possibly in the cyberattacks during the Russian-Georgian conflict in 2008. In the summer of 2014 the software attracted attention in the context of attacks on facilities of the Ukrainian government. It was also linked to a blackout lasting several hours caused by the failure of several Ukrainian power distribution networks on December 23, 2015. Shortly after the event, Ukrainian government officials alleged that the outages were caused by a cyberattack and blamed Russian intelligence services.

Particularly in the case of attacks on political targets, the crimeware has appeared several times in the context of an advanced persistent threat (APT), i.e. as part of a long-planned, targeted attack backed by considerable resources. Covert operations of this kind are meant to remain unattributable to their originator even afterwards, and nothing meets this requirement as well as a common crimeware toolkit with a wide range of uses.

Structure of the malware

The BlackEnergy toolkit includes a builder application that is used to create the clients the attackers use to infect victims' machines. It also contains server-side scripts that the attackers install on the command and control server (C&C). These scripts also provide an interface through which the attacker controls the bots. The simplicity and usability of the toolkit mean that a botnet can be created with almost no technical knowledge. The original BlackEnergy toolkit came out in 2007 and is referred to as BlackEnergy1 in a whitepaper by the security company F-Secure; later versions with a different structure are referred to as BlackEnergy2 and BlackEnergy3.

The main functionality of BlackEnergy2 resides in a DLL component. This component is embedded in a driver component and is never written to the file system, so that the infection leaves no file traces on the system. The DLL component gives the attackers a robust infrastructure for maintaining a botnet that is not limited to one specific function. Instead, the malware is designed to load specialized plugins depending on the attacker's purpose. Only a minimal set of built-in commands is offered:

  • Load binary and execute
  • Execute a shell command
  • Uninstall
  • Load plugin
  • Stop driver (restarts on reboot)
  • Set active command and control server

References

  1. BLACKENERGY & QUEDAGH: The convergence of crimeware and APT attacks. F-Secure, accessed November 7, 2016.
  2. Analysis of the Cyber Attack on the Ukrainian Power Grid. E-ISAC_SANS_Ukraine, accessed November 7, 2016 (English).