Destructive BlackEnergy Attacks Blitz Ukrainian News and Energy Firms

Destructive BlackEnergy Attacks Blitz Ukrainian News and Energy Firms

The team behind the infamous BlackEnergy malware have been busy in 2015 launching destructive attacks against Ukrainian media and energy companies, according to researchers.

Eset’s Anton Cherepanov explained in a blog post yesterday that the group were spotted last year using a new component detected as Win32/KillDisk.NBB, Win32/KillDisk.NBC and Win32/KillDisk.NBD trojan variants.

Its job is to overwrite documents with random data and to make a victim OS unbootable, he added.

In one instance, it destroyed a large number of video files and documents at various Ukrainian news organizations in a November attack during the local elections, according to the CERT-UA.

The malware component is designed to destroy more than 4,000 separate file extension types.

A separate version spotted in attacks on energy companies was refined to target just 35 file types. New features mean it can now be programmed with a specific time delay, and used to delete Windows Event Logs: Application, Security, Setup, System.

“As well as being able to delete system files to make the system unbootable—functionality typical for such destructive trojans—the KillDisk variant detected in the electricity distribution companies also appears to contain some additional functionality specifically intended to sabotage industrial systems,” explained Cherepanov.

The researchers also found a new SSH backdoor being used to infect systems.

BlackEnergy malware dates back to 2007, when it was discovered as a relatively simple DDoS trojan. However, it emerged a few years later as a sophisticated malware family with modular architecture, used in everything from targeted attacks to banking fraud.

A BlackEnergy Lite version was discovered last year targeting over 100 organizations in Poland, Ukraine and elsewhere.

And the US ICS-CERT warned in October of a three-year campaign using the malware, aimed at industrial control systems.

Although the attackers are thought to be Russian speakers, attribution to state-sponsored activity has been resisted by security researchers.

Photo © Maximus256

Source: Information Security Magazine