In late December, a cyberattack caused a power outage in the Ukraine, plunging hundreds of thousands of citizens into darkness for hours. Threat researchers soon confirmed that the BlackEnergy malware package, first developed in 2007, was the culprit. They also discovered that the malware has been significantly upgraded since its first release.
The initial BlackEnergy was a simple Trojan with distributed denial of service capabilities. Since then, there have been two upgrades.
In 2010, BlackEnergy 2 appeared. In that development cycle, the authors completely rewrote the code and began to incorporate a more professional approach. For example, they implemented a rudimentary installer that made it simpler to use BlackEnergy.
With the growth in BlackEnergy 2’s popularity, the authors decided that they needed to add additional features and provide BlackEnergy with a more modular framework. In 2011, they added UAC bypass installers. This method allowed BlackEnergy 2 to gain elevated code execution privileges using the framework Microsoft provides to help legacy applications work with newer versions of Windows. One of BlackEnergy 2’s most impressive features was released in 2013 with the support of 64-bit drivers.
In the second quarter of 2014, F-Secure was the first to report a new variant of BlackEnergy. This variant no longer uses many of the features of BlackEnergy 2.
Each major release has seen an almost complete rewrite of the code. BlackEnergy 3 has more advanced features than its predecessors and is more cleanly developed. The new release does not have a driver, the build ID format is a timestamp, and it has many advanced protection mechanisms. These internal protections include defenses against virtual environments, antidebugging methods, and continued checks throughout the code that will kill the program if it detects other security functions or countermeasures. What stands out about Black Energy 3 are the variety of plug-ins it incorporates:
BlackEnergy 3 plug-ins*:
- fs.dll — File system operations
- si.dll — System information, “BlackEnergy Lite”
- jn.dll — Parasitic infector
- ki.dll — Keylogger
- ps.dll — Password stealer
- ss.dll — Screenshots
- vs.dll — Network discovery, remote execution
- tv.dll — Team viewer
- rd.dll — Simple pseudo “remote desktop”
- up.dll — Update malware
- dc.dll — List Windows accounts
- bs.dll — Query system hardware, BIOS, and Windows info
- dstr.dll — Destroy system
- scan.dll — Network scan
These plug-ins are critical and powerful features in BlackEnergy 3 that make it a “go-to” tool for both crimeware and state-sponsored actors.
The Ukrainian critical infrastructure attack was initially seen as politically driven. Indeed, the use of BlackEnergy 3 could well be a cover for a targeted manual attack in an effort to disrupt availability. However, at this point in the analysis, attributing the attack to a group or actor is premature.
Based on its functionality, BlackEnergy 3 could certainly be used by state-sponsored groups as it allows these actors to hide among other crimeware groups known to use BlackEnergy variants. Tradecraft is often shared and many actors like to impersonate other actors in efforts to hide their true affiliations and sponsorships.
This is in stark contrast to Stuxnet, which first captured headlines in 2010. Examination of the Stuxnet code by threat researchers revealed that the authors needed unique domain knowledge to execute it in a specific environment and that only state-sponsored groups likely had the insight and capability to create this malicious piece of code.
At the end of this post you will find all of the MD5 hashes associated with BlackEnergy in 2015. Intel Security products provide full coverage for all hashes listed.
Several of the malicious binaries used in these attacks contain fake Microsoft digital certificates. The process of code signing is used to authenticate the software’s author and guarantee that the code has not been altered or corrupted since it was signed. Faking the code signing process reduces trust in this system and is indicative of a higher level of adversary involvement. Such techniques have been used by many actors and advanced-threat groups, but it is still too early to attribute this attack to any group or actor.
We would like to thank Intel Security’s Advanced Programs Group for their support in the development of this analysis.
MD5 hashes associated with BlackEnergy 3 in 2015:
Binaries allegedly associated with Ukraine attack:
Other BlackEnergy binaries:
BlackEnergy 3 IP addresses: