Russia's BlackEnergy malware targets Brussels, Poland and Ukraine

Ongoing Russian malware attacks on Poland, Ukraine and Brussels (in Belgium) are aimed at discovering secrets not cash, and could be from criminal groups rather than a state-sponsored actor.

The European Commission
The European Commission

A new ‘Lite' version of the BlackEnergy malware – notorious since it was used to cyber-attack the country of Georgia during the 2008 Russia/Georgia conflict -– has been found by security firm ESET targeting more than 100 government and industry organisations in Poland and the Ukraine.

Meanwhile, Finnish security firm F-Secure has identified another recent BlackEnergy attack on a target in Brussels, Belgium.

ESET malware researcher Robert Lipovsky said in a 22 September blog that the botnet-based BlackEnergy has now moved from its roots in DDoS attacks, spam distribution and bank fraud, to targeted attacks on state organisations and private companies across a range of industries.

These campaigns have been launched throughout 2014 and are still continuing this month.

“We have observed more than 100 individual victims of these campaigns during our monitoring of the botnets,” Lipovsky said. “Approximately half of these victims are situated in Ukraine and half in Poland, and include several state organisations, various businesses, as well as targets which we were unable to identify.”

His exposure of BlackEnergy follows just days after F-Secure revealed more Russian espionage malware, CosmicDuke, attacking companies using the lure of a document about last week's Scottish independence vote, with the most likely targets being UK oil companies and related contractors.

F-Secure security adviser Sean Sullivan said it has also been tracking BlackEnergy - and confirmed F-Secure has seen one sample of BlackEnergy submitted from a target in Brussels, suggesting a possible breach in the European Parliament or European Commission.

ESET has dubbed the Russian malware's latest incarnation as BlackEnergy ‘Lite' because it is a cheaper, stripped-down version which omits a kernel mode driver and no longer contains rootkit functionality used for hiding the malware.

Despite its reduced ability to conceal itself, ESET says the Lite code is still infecting organisations using either software vulnerabilities, social engineering through spear-phishing emails and decoy documents, or a combination of the two.

“The omission of the kernel mode driver may appear as a step back in terms of malware complexity, however it is a growing trend in the malware landscape nowadays,” Lipovsky said.

The reason could be technical obstacles that rootkit developers now face, or “the simple fact that it is difficult and expensive to develop such malware”.

He added: “Also, any bugs in the code have a bad habit of blue-screening the system - possibly even raising suspicion of the presence of malicious code rather than hiding it in the system.”

BlackEnergy Lite is being used for network discovery and remote code execution, and for collecting data from the targets' hard drives, ESET said.

“What makes these attacks interesting – aside from the tense current geopolitical situation in the region – is the various distribution mechanisms used to get the malware onto the victims' computers,” Lipovsky said.

One attack in April used a decoy document named ‘Russian ambassadors to conquer world', exploiting the CVE-2014-1761 vulnerability in Microsoft Word. Another in May used no exploit but simply dropped an executable file with a Word icon.

ESET said further campaigns in August and September used specially crafted PowerPoint documents, unidentified Java vulnerabilities, and the remote control software Team Viewer.

F-Secure's Sullivan told SCMagazine UK.com that the onset of BlackEnergy, CosmicDuke and earlier Havex malware represents a “surge” in Russian malware, adding: “A lot of that growth is being spearheaded by this particular target of industrial espionage - guys that were interested in stealing credit cards are now interested in stealing trade secrets.”

Sullivan said that, compared to CosmicDuke, the BlackEnergy campaigns “might be a little less profit-motivated and more patriotically motivated”. But it may not be Russian nation-state hackers. “It could be useful idiots,” Sullivan told us, “patriotic Russians hacking stuff for the sake of greater Russia.”

Sullivan also said the apparent lack of concealment features in BE Lite may not hold it back.

“BlackEnergy Lite may be more easily found if you have current security solutions,” he told SC. “I think Lite is probably easy to detect in the lab environment. Unfortunately a lot of organisations still use very static, passive technology because they're maintaining a firewall.

“It's a big problem for business. Organisations that have an IT manager with a firewall he's maintaining - they're trying to fight it with one hand tied behind their back and wearing a blindfold.”

ESET researcher Peter Kosinar agreed, telling SCMagazineUK.com via email: “Being ‘lite' does not mean it's dumbed down - it's been reduced to the necessary functionality without all the bells and whistles which are not necessary. As such, it's easier to maintain and develop further, so it might be an expected step in its evolution.

“Regular people would not notice the malware, be it ‘Lite' or not - unlike banking Trojans, BE does not have visible effects which could be spotted by the user.”

Both F-Secure and ESET have said they will publish more data on BlackEnergy later this week.