BlackEnergy malware destroys PC data
BlackEnergy malware has been around for several years now; its target of choice in that time has been Industrial Control Systems (ICS), particularly those used in the energy sector (hence the name). This week Kaspersky Lab released a report into the latest incarnation of BlackEnergy.
BlackEnergy now has extra capabilities provided by plug-ins; these include stealing login credentials, port scanning, remote access and wiping data from a hard disk drive. The attackers can tailor an attack by downloading specific plug-ins onto the victim PC. BlackEnergy is designed to run on either Windows or Linux platforms.
The report looks at four cases of BlackEnergy infection. In the first case, the malware was installed via a spear phishing campaign. Spear phishing is a targeted phishing campaign in which emails are sent to specific individuals in an organisation, as opposed to ordinary phishing, which is usually a blanket flood of spam emails.
Targeted individuals within the organisation were sent an email with a .zip attachment. The .zip attachment contained an executable, which, if opened and run, installed BlackEnergy (or more specifically, BlackEnergy2) on the victim PC. When the attackers realised they had been discovered they launched the dstr module. The dstr module has the ability to wipe data on a victim PC. According to the report, “Some machines already launched the plug-in, lost their data and became unbootable”.
Case two in the report was caused by case one. The attackers were able to steal VPN credentials from the first organisation and use these to break into the second organisation. The second organisation, on investigation, found that data on several PCs had been destroyed, and that their Cisco routers had been hacked. Attackers also left a vulgar farewell message on the Cisco routers. The third case again involved a phishing email attack, whilst the fourth case appeared to involve compromised downloaded software.
Of the four cases, three were either directly or indirectly the result of phishing attacks. Unfortunately, phishing emails are difficult to detect. Our advice is to verify the legitimacy of email attachments, and of links in an email, before opening them. Ensure all your software is up to date and use an email filtering solution.
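The first case in the report hinged on a .zip attachment carrying an executable. A mail filter can catch that pattern before the message reaches an inbox. The script below is an added illustration written for this page, not code from Kaspersky Lab's report or from any product. It inspects an archive in memory and flags members whose name carries an executable extension (including a hidden one such as "invoice.pdf.exe") or whose content begins with the Windows PE header, whatever the file is called. The archive contents and the list of extensions are constructed assumptions for the example.

```python
import io
import zipfile

# Extensions a gateway filter would treat as executable content (assumed list).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                         ".js", ".vbs", ".dll"}
# A Windows executable starts with the DOS/PE "MZ" signature.
PE_MAGIC = b"MZ"


def find_executable_members(zip_bytes: bytes) -> list:
    """Return (member_name, reasons) for every archive member that looks
    executable. Reasons are 'executable extension', 'PE header', or
    'malformed zip' when the attachment cannot be parsed at all."""
    findings = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return [("<archive>", ["malformed zip"])]
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            reasons = []
            # Check every extension in the name so "invoice.pdf.exe" is not
            # missed by a filter that only looks at what follows the last dot.
            parts = info.filename.lower().split(".")
            if {"." + p for p in parts[1:]} & EXECUTABLE_EXTENSIONS:
                reasons.append("executable extension")
            # Content check: a renamed PE still starts with MZ.
            with archive.open(info) as member:
                if member.read(2) == PE_MAGIC:
                    reasons.append("PE header")
            if reasons:
                findings.append((info.filename, reasons))
    return findings


def should_quarantine(zip_bytes: bytes) -> bool:
    """Policy decision for the gateway: hold the message if anything was flagged."""
    return bool(find_executable_members(zip_bytes))


def build_sample_attachment(include_payload: bool = True) -> bytes:
    """Constructed sample (not from the report): a zip holding a disguised
    executable, a renamed PE and a harmless note. With include_payload=False
    only the note is present."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        if include_payload:
            z.writestr("invoice.pdf.exe", PE_MAGIC + b"\x00" * 64)
            z.writestr("notes.dat", PE_MAGIC + b"\x90" * 64)
        z.writestr("readme.txt", b"Please see the attached invoice.\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name, why in find_executable_members(build_sample_attachment()):
        print(f"flagged {name}: {', '.join(why)}")
    print("quarantine:", should_quarantine(build_sample_attachment()))
```

The content check matters more than the name check: renaming a payload to "notes.dat" defeats an extension blocklist but not the signature test. A malformed archive is quarantined as well, since a filter that silently passes what it cannot parse is easy to bypass.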