Description: A large number of state organizations and businesses from various industry fields in the Ukraine and Poland have been targeted in recent attacks. What would otherwise be a mundane scenario in today's world of cybercrime is spiced up by the fact that the malware-spreading campaigns have leveraged the tense current geopolitical situation in Eastern Ukraine and the use of a malware family with a rich history. The most recent campaigns are dated August 2014.
BlackEnergy is a trojan which has undergone significant functional changes since it was first publicly analysed by Arbor Networks in 2007. It has evolved from a relatively simple DDoS trojan into a relatively sophisticated piece of modern malware with a modular architecture, making it a suitable tool for sending spam and for online bank fraud, as well as for targeted attacks. BlackEnergy version 2, which featured rootkit techniques, was documented by SecureWorks in 2010. The targeted attacks recently discovered are proof that the trojan is still alive and kicking in 2014.
We provide a technical analysis of the BlackEnergy family, focusing on novel functionality and the differences introduced by new 'lite' variants. We describe the most notable aspects of the malware, including its techniques for bypassing UAC, defeating the signed driver requirement in Windows and a selection of BlackEnergy2 plug-ins used for parasitic file infections, network discovery and remote code execution and data collection.
The many targets in the Ukraine and Poland have been infected through several known and unknown infection vectors. The most effective ones appear to be spear-phishing emails with subjects related to the current Ukrainian crisis combined with the exploitation of MS Office documents. CVE-2014-1761, which made the headlines earlier this year, was also used to spread BlackEnergy.
Apart from sharing our most noteworthy findings, we aim to pose some questions that warrant further research.
For More information please visit: - https://www.virusbtn.com/index
Tags:
Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying.