A few months ago, I requested an online quote for some home repairs. The recipient was a very well-known company here in US. The service I got actually was very good. Under my explicit approval the company kept my email address and has been sending me several promotions that I had signed up to.
However, the latest one was unusual - it arrived with at least 20 recipients explicitly exposed including my full email address in the list.
Cybercriminals and other threat actors also have normal lives - they shop at the same places we do, they eat the same food we eat, and they hire the same services we do. So, imagine what happens when a malicious actor receives one of these emails! It's a perfect source of information for spearphishing attacks.
I say this because the attacker would have enough information to know the potential victims are customers or potential customers of that particular brand, knowing the benefits of abusing the brand to launch attacks in the name of that store.
Since the advertisement I get is customized, meaning it refers to a very specific part of town, then the attacker would also know his victims live in a particular city. This also brings a lot of advantages when preparing the attack.
Finally, the attacker even knows how the store legitimately promotes their services. And I mean which format the store uses:
In my case, I got a PDF file attachment. So, in case the attacker launches a spear phishing campaign with a malicious file, the victims wouldn't suspect anything malicious since nothing is out of the ordinary.
So who might abuse this technique and what can we do about it?
The most likely actor would be a classic cyber-criminal. However, any threat actor in need can resort to the same scheme.
What is the best practice when you get such advertisement emails? I prefer to use online viewers, embedded into many modern Webmail providers. Instead of downloading the file to the disk and then opening it locally, you can visualize it online:
So in case of any local app exploit, let's say for Adobe Reader, the exploit won't work and you will still be able to read the document.
Certainly leaks like the aforementioned, despite not being particularly big, definitely expose people to become victims of new spear-phishing campaigns.
You may follow me on twitter: @dimitribest
The BlackEnergy malware is crimeware turned APT tool and is used in significant geopolitical operations lightly documented over the past year. An even more interesting part of the BlackEnergy story is the relatively unknown custom plugin capabilities to attack ARM and MIPS platforms, scripts for Cisco network devices, destructive plugins, a certificate stealer and more. Here, we present available data - it is difficult to collect on this APT. We will also present more details on targets previously unavailable and present related victim profile data.
These attackers are careful to hide and defend their long-term presence within compromised environments. The malware's previously undescribed breadth means attackers present new technical challenges in unusual environments, including SCADA networks. Challenges, like mitigating the attackers' lateral movement across compromised network routers, may take an organization's defenders far beyond their standard routine and out of their comfort zone.Brief History
BlackEnergy2 and BlackEnergy3 are known tools. Initially, cybercriminals used BlackEnergy custom plugins for launching DDoS attacks. There are no indications of how many groups possess this tool. BlackEnergy2 was eventually seen downloading more crimeware plugins - a custom spam plugin and a banking information stealer custom plugin. Over time, BlackEnergy2 was assumed into the toolset of the BE2/Sandworm actor. While another crimeware group continues to use BlackEnergy to launch DDoS attacks, the BE2 APT appears to have used this tool exclusively throughout 2014 at victim sites and included custom plugins and scripts of their own. To be clear, our name for this actor has been the BE2 APT, while it has been called "Sandworm Team" also.The Plugins and Config Files
Before evidence of BlackEnergy2 use in targeted attacks was uncovered, we tracked strange activity on one of the BlackEnergy CnC servers in 2013. This strangeness was related to values listed in newer BlackEnergy configuration files. As described in Dmitry's 2010 Black DDoS' analysis, a configuration file is downloaded from the server by main.dll on an infected system. The config file provides download instructions for the loader. It also instructs the loader to pass certain commands to the plugins. In this particular case in 2013, the config file included an unknown plugin set, aside from the usual 'ddos' plugin listing. Displayed below are these new, xml formatted plugin names "weap_hwi", "ps", and "vsnet" in a BlackEnergy configuration file download from a c2 server. This new module push must have been among the first for this group, because all of the module versions were listed as "version 1", including the ddos plugin:
Config downloaded from BE2 server
The 'ps' plugin turned out to be password stealer. The 'vsnet' plugin was intended to spread and launch a payload (BlackEnergy2 dropper itself at the moment) in the local network by using PsExec, as well as gaining primary information on the user's computer and network.
Most surprising was the 'weap_hwi' plugin. It was a ddos tool compiled to run on ARM systems:
At first, we didn't know whether the ARM plugin was listed intentionally or by mistake, so we proceeded to collect the CnC's config files. After pulling multiple config files, we confirmed that this ARM object inclusion was not a one-off mistake. The server definitely delivered config files not only for Windows, but also for the ARM/MIPS platform. Though unusual, the ARM module was delivered by the same server and it processed the same config file.Linux plugins
Over time we were able to collect several plugins as well as the main module for ARM and MIPS architectures. All of these ARM/MIPS object files were compiled from the same source and later pushed out in one config: "weap_msl", "weap_mps", "nm_hwi", "nm_mps", "weap_hwi", and "nm_msl". It's interesting that the BE2 developers upgraded the ddos plugin to version 2, along with the nm_hwi, nm_mps, and nm_msl plugins. They simultaneously released version 5 of the weap_msl, weap_mps, and weap_hmi plugins. Those assignments were not likely arbitrary, as this group had developed BlackEnergy2 for several years in a professional and organized style:
Config with a similar set of plugins for different architectures
Here is the list of retrieved files and related functionality:weap DDoS Attack (various types) ps password stealer handling a variety of network protocols (SMTP, POP3, IMAP, HTTP, FTP, Telnet) nm scans ports, stores banners snif logs IP source and destination, TCP/UDP ports hook main module: CnC communication, config parser, plugins loader uper rewrites hook module with a new version and launches it
Weap, Snif, Nm plugin grammar mistakes and mis-spellings
The developers' coding style differed across the 'Hook' main module, the plugins, and the Windows main.dll. The hook main module contained encrypted strings and handled all the function calls and strings as the references in a large structure. This structure obfuscation may be a rewrite effort to better modularize the code, but could also be intended to complicate analysis. Regardless, it is likely that different individuals coded the different plugins. So, the BE2 effort must have its own small team of plugin and multiplatform developers.
Hook module structure
After decrypting the strings, it became clear that the Linux Hook main module communicated with the same CnC server as other Windows modules:
The CNC's IP address in the Linux module
This Linux module can process the following commands, some of which are similar to the Windows version:die
delete all BlackEnergy2 files and system traces kill
delete all BlackEnergy2 files and system traces and reboot lexec
launch a command using bin/sh rexec
download and launch file using 'fork/exec' update
rewrite self file migrate
update the CnC server Windows Plugins
After the disclosure of an unusual CnC server that pushed Linux and the new Windows plugins we paid greater attention to new BE2 samples and associated CnCs.
During an extended period, we were able to collect many Windows plugins from different CnC servers, without ever noticing Linux plugins being downloaded as described above. It appears the BE2/SandWorm gang protected their servers by keeping their non-Windows hacker tools and plugins in separate servers or server folders. Finally, each CnC server hosts a different set of plugins, meaning that each server works with different victims and uses plugins based on its current needs. Here is the summary list of all known plugins at the moment:fs searches for given file types, gets primary system and network information ps password stealer from various sources ss makes screenshots vsnet spreads payload in the local network (uses psexec, accesses admin shares), gets primary system and network information rd remote desktop scan scans ports of a given host grc backup channel via plus.google.com jn file infector (local, shares, removable devices) with the given payload downloaded from CnC cert certificate stealer sn logs traffic, extracts login-passwords from different protocol (HTTP, LDAP, FTP, POP3, IMAP, Telnet ) tv sets password hash in the registry for TeamViewer prx Proxy server dstr Destroys hard disk by overwriting with random data (on application level and driver level) at a certain time kl keylogger upd BE2 service file updater usb gathers information on connected USBs (Device instance ID, drive geometry) bios gathers information on BIOS, motherboard, processor, OS
We are pretty sure that our list of BE2 tools is not complete. For example, we have yet to obtain the router access plugin, but we are confident that it exists. Evidence also supports the hypothesis that there is a decryption plugin for victim files (see below).
Our current collection represents the BE2 attackers' capabilities quite well. Some plugins remain mysterious and their purpose is not yet clear, like 'usb' and 'bios'. Why would the attackers need information on usb and bios characteristics? It suggests that based on a specific USB and BIOS devices, the attackers may upload specific plugins to carry out additional actions. Perhaps destructive, perhaps to further infect devices. We don't know yet.
It's also interesting to point out another plugin – 'grc'. In some of the BE2 configuration files, we can notice an value with a "gid" type:
The addr number in the config
This number is an ID for the plus.google.com service and is used by the 'grc' plugin to parse html. It then downloads and decrypts a PNG file. The decrypted PNG is supposed to contain a new CNC address, but we never observed one. We are aware of two related GooglePlus IDs. The first one, plus.google.com/115125387226417117030/, contains an abnormal number of views. At the time of writing, the count is 75 million:
BE2 plus profile
The second one - plus.google.com/116769597454024178039/posts - is currently more modest at a little over 5,000 views. All of that account's posts are deleted.Tracked Commands
During observation of the described above "router-PC" CnC we tracked the following commands delivered in the config file before the server went offline. Our observation of related actions here:u ps start password stealing (Windows) Ps_mps/ps_hwi start start password stealing (Linux, MIPS, ARM) uper_mps/uper_hwi start rewrite hook module with a new version and launch it (Linux, MIPS, ARM) Nm_mps/nm_hwi start –ban -middle Scan ports and retrieve banners on the router subnet (Linux, MIPS, ARM) U fsget * 7 *.docx, *.pdf, *.doc * search for docs with the given filetypes (Windows) S sinfo retrieve information on installed programs and launch commands: systeminfo, tasklist, ipconfig, netstat, route table, trace route to google.com (Windows) weap_mps/weap_hwi host184.108.40.206 port[25,26,110,465,995] typetcpconnect DDoS on 220.127.116.11 (Linux, MIPS, ARM) weap_mps/weap_hwi typesynflood port80 cnt100000 spdmedium host18.104.22.168 DDoS on 22.214.171.124 (Linux, MIPS, ARM)
The issued commands for the Linux plugins suggest the attackers controlled infected MIPS/ARM devices. We want to pay special attention to the DDoS commands meant for these routers. 126.96.36.199 belongs to the Russian Ministry of Defense and 188.8.131.52 belongs to the Turkish Ministry of Interior's government site. While many researchers suspect a Russian actor is behind BE2, judging by their tracked activities and the victim profiles, it's still unclear whose interests they represent.
While observing some other CnCs and pulling down config files, we stumbled upon some strange mistakes and mis-typing. They are highlighted in the image below:
BE2 config file mistakes
First, these mistakes suggest that the BE2 attackers manually edit these config files. Secondly, it shows that even skilled hackers make mistakes.Hard-Coded Command and Control
The contents of the config files themselves are fairly interesting. They all contain a callback c2 with a hardcoded ip address, some contain timeouts, and some contain the commands listed above. We include a list of observed hardcoded ip C2 addresses here, along with the address owner and geophysical location of the host:C2 IP address Owner Country 184.108.40.206 hostnoc.net US 220.127.116.11 Leaseweb NL 18.104.22.168 Leaseweb NL 22.214.171.124 Leaseweb NL 126.96.36.199 Leaseweb NL 188.8.131.52 Leaseweb NL 184.108.40.206 Leaseweb NL 220.127.116.11 Leaseweb NL 18.104.22.168 Hetzner DE 22.214.171.124 Hetzner DE 126.96.36.199 Serverconnect SE 188.8.131.52 Redstation GB 184.108.40.206 Nadym RU 220.127.116.11 Yisp NL 18.104.22.168 Besthosting.ua UA 22.214.171.124 PIRADIUS MY 126.96.36.199 Keyweb DE 188.8.131.52 worldstream.nl NL 184.108.40.206 digitalone.com US 220.127.116.11 3nt.com DE 18.104.22.168 serverius.com NL
It's interesting that one of these servers is a Tor exit node. And, according to the collected config files, the group upgraded their malware communications from plain text http to encrypted https in October 2013.BE2 Targets and Victims
BlackEnergy2 victims are widely distributed geographically. We identified BlackEnergy2 targets and victims in the following countries starting in late 2013. There are likely more victims.
Victim profiles point to an expansive interest in ICS:
- power generation site owners
- power facilities construction
- power generation operators
- large suppliers and manufacturers of heavy power related materials
However, we also noticed that the target list includes government, property holding, and technology organizations as well:
- high level government
- other ICS construction
- federal land holding agencies
- municipal offices
- federal emergency services
- space and earth measurement and assessment labs
- national standards body
- high-tech transportation
- academic research
We gained insight into significant BE2 victim profiles over the summer of 2014. Interesting BE2 incidents are presented here.
The BE2 attackers successfully spearphished an organization with an exploit for which there is no current CVE, and a metasploit module has been available This email message contained a ZIP archive with EXE file inside that did not appear to be an executable. This crafted zip archive exploited a WinRAR flaw that makes files in zip archives appear to have a different name and file extension.
BE2 spearphish example
The attached exe file turned out to be 'BlackEnergy-like' malware, which researchers already dubbed 'BlackEnergy3' - the gang uses it along with BlackEnergy2. Kaspersky Lab detects 'BlackEnergy3' malware as Backdoor.Win32.Fonten – naming it after its dropped file "FONTCACHE.DAT"
When investigating computers in the company's network, only BE2 associated files were found, suggesting BE3 was used as only a first-stage tool on this network. The config files within BE2 contained the settings of the company's internal web proxy:
BE2 config file contains victim's internal proxy
As the APT-specific BE2 now stores the downloaded plugins in encrypted files on the system (not seen in older versions – all plugins were only in-memory), the administrators were able to collect BE2 files from the infected machines. After decrypting these files, we could retrieve plugins launched on infected machines: ps, vsnet, fs, ss, dstr.
By all appearances, the attackers pushed the 'dstr' module when they understood that they were revealed, and wanted to hide their presence on the machines. Some machines already launched the plugin, lost their data and became unbootable.
Desstructive dstr command in BE2 config file
Also, on some machines, documents were encrypted, but no related plugin could be found.
The second organization was hacked via the first victim's stolen VPN credentials. After the second organization was notified about the infection they started an internal investigation. They confirmed that some data was destroyed on their machines, so the BE2 attackers have exhibited some level of destructive activity. And, they revealed that their Cisco routers with different IOS versions were hacked. They weren't able to connect to the routers any more by telnet and found the following "farewell" tcl scripts in the router's file system:
Ciscoapi.tcl – contains various wrappers over cisco EXEC-commands as described in the comments.
The comment includes a punchy message for "kasperRsky":
BE2 ciscoapi.tcl fragment
Killint.tcl – uses Ciscoapi.tcl, implements destroying functions:
BE2 killint.tcl fragment
The script tries to download ciscoapi.tcl from a certain FTP server which served as a storage for BE2 files. The organization managed to discover what scripts were hosted on the server before BE/SandWorm gang deleted them, and unfortunately couldn't restore them after they were deleted. The BE2 actor performs careful, professional activity covering their tracks:
There is evidence that the logs produced by some scripts were also stored on the FTP server, in particular the information on CDP neighbors which is provided by one of the procedures of ciscoapi.tcl.
The third organization got compromised by the same type of attack as the first one (an EXE file spoofing a doc within a Zip archive). All the plugins discovered in BE2 files were known, and there was no revelation of hacked network devices on their side and no destroyed data. The noticeable thing is that many computers contained both BE2 and BE3 files and some config files contained the following URL:
The URL contains the md5 of the string 'router'. One of the discovered config files contained a URL with an as yet unidentified md5:
Victim set #4
A set of victims discovered installed Siemens SCADA software in their ICS environment was responsible for downloading and executing BlackEnergy. Starting in March 2014 and ending in July 2014, Siemens "ccprojectmgr.exe" downloaded and executed a handful of different payloads hosted at 22.214.171.124/favicon.ico. They are all detected as variants of "Backdoor.Win32.Blakken".Build IDs
Each config file within BE2 main.dll has a field called build_id which identifies the malware version for the operators. Currently this particular BE/SandWorm gang uses a certain pattern for the build ids containing three hex numbers and three letters, as follows:
The numbers indicate the date of file creation in the format: Year-Month-Day. Still, the purpose of the letters is unknown, but most likely it indicates the targets. The hex numbers weren't used all the time, sometimes we observed decimal numbers:
Most interesting for us was the earliest build id we could find. Currently it is "OB020Ad0V", meaning that the BE2/SandWorm APT started operating as early as the beginning of 2010.Appendix: IoC
While BE dropper installs its driver under a randomly picked non-used Windows driver name, like %system32%\drivers\AliIde.sys. The driver is self-signed on 64-bit systems
However, new "APT" BE2 uses one of the following filenames that are used as an encrypted storage for plugins and the network settings. They are consistent and serve as stable IoC:
BE2 also uses start menu locations for persistence:
BE3 uses the following known filenames:
Botnet History Illustrated by BlackEnergy 2, PH Days, Kaspersky Lab - Maria Garnaeva and Sergey Lozhkin, May 2014
BlackEnergy and Quedagh (pdf), F-Secure, September 2014
Sandworm, iSIGHT Partners, October 2014
Alert (ICS-ALERT-14-281-01A) Ongoing Sophisticated Malware Campaign Compromising ICS (Update A), ICS-CERT, October 2014