The Sandworm Team, a supposed Russian APT group, is known for spreading BlackEnergy malware by way of spear phishing.

Researchers at Kaspersky have published new insight on the Sandworm Team, an advanced persistent threat (APT) group believed to be based in Russia.

According to a Monday blog post by the firm, the collective's malware of choice, BlackEnergy, comes with a host of “relatively unknown” custom plug-in capabilities that allow attackers to steal digital certificates, attack Cisco networking devices and target ARM and MIPS platforms, among other feats.

Kaspersky noted that BlackEnergy was initially designated as crimeware, since it allowed attackers to launch distributed denial-of-service (DDoS) attacks, but that versions of the malicious tool have now been repurposed for APT use.

“Over time, BlackEnergy2 was assumed into the toolset of the BE2/Sandworm actor,” the blog post explained. “While another crimeware group continues to use BlackEnergy to launch DDoS attacks, the [Sandworm Team] appears to have used this tool exclusively throughout 2014 at victim sites and included custom plugin and scripts of their own.”

Last month, it was revealed that the Sandworm Team (a name bestowed upon the attack group by iSIGHT Partners) had targeted organizations across the globe in an espionage campaign. Spear phishing was the number one attack vector used by Sandworm, iSIGHT said, meaning the group would craft malicious emails rigged to exploit a vulnerability and deliver BlackEnergy malware to victims.

BlackEnergy is a plugin-based trojan whose plugins can be written and used for nearly any purpose, and Kaspersky's findings have shed new light on the malware's capabilities.

BlackEnergy's Linux plug-ins, for instance, include tools for carrying out various DDoS attacks, a password stealer compatible with a “variety of network protocols” (such as SMTP, HTTP and FTP), and plugins that can delete all system traces and files related to the malware, the blog revealed.

The tool's Windows plug-ins offer some similar capabilities (such as the password stealer), but also allow APT actors to take screenshots, steal digital certificates, and gather information on connected USB devices, Kaspersky said. A keylogger and a file infector are also among the Windows plug-in components.