
Experts share new insight on Sandworm APT exploits, BlackEnergy malware

Researchers at Kaspersky have published new insight on the Sandworm Team, an advanced persistent threat (APT) group believed to be based in Russia.

According to a Monday blog post by the firm, the collective's malware of choice, BlackEnergy, comes with a host of “relatively unknown” custom plug-in capabilities that allow attackers to steal digital certificates, attack Cisco networking devices and target ARM and MIPS platforms, among other feats.

Kaspersky noted that BlackEnergy was initially designated as crimeware, since it allowed attackers to launch distributed denial-of-service (DDoS) attacks, but that versions of the malicious tool have now been repurposed for APT use.

“Over time, BlackEnergy2 was assumed into the toolset of the BE2/Sandworm actor,” the blog post explained. “While another crimeware group continues to use BlackEnergy to launch DDoS attacks, the [Sandworm Team] appears to have used this tool exclusively throughout 2014 at victim sites and included custom plugin and scripts of their own.”

Last month, it was revealed that the Sandworm Team (a name bestowed upon the attack group by iSIGHT Partners) had targeted organizations across the globe in an espionage campaign. Spear phishing was the number one attack vector used by Sandworm, iSIGHT said, meaning the group would craft malicious emails rigged to exploit a vulnerability and deliver the BlackEnergy malware to victims.

BlackEnergy is a plugin-based trojan, so plug-ins can be written and deployed for nearly any purpose – and Kaspersky's new findings have shed light on the capabilities the Sandworm Team actually fielded.

BlackEnergy's Linux plug-ins, for instance, include tools for carrying out various DDoS attacks, a password stealer that works with a “variety of network protocols” (such as SMTP, HTTP and FTP), and plug-ins that delete all system traces and files related to the malware, the blog revealed.

The tool's Windows plug-ins offer some of the same capabilities (such as the password stealer), but also allow APT actors to take screenshots, steal digital certificates, and gather information on connected USB devices, Kaspersky said. A keylogger and a file infector are also among the Windows plug-in components.

Researchers noted that the Sandworm Team (referred to as "BE2 APT" by Kaspersky) apparently “protected their servers by keeping their non-Windows hacker tools and plug-ins in separate servers or server folders.”

“Finally, each CnC server hosts a different set of plug-ins, meaning that each server works with different victims and uses plug-ins based on its current needs,” the blog post continued.

In its findings, Kaspersky said that Sandworm holds an “expansive interest” in industrial control system (ICS) organizations, such as power generation site owners and operators, large suppliers and manufacturers of heavy power-related materials, and ICS investors.

Kurt Baumgartner, one of the authors of the blog post, who serves as a principal security researcher with Kaspersky Lab, said in Tuesday email correspondence that BlackEnergy's ability to attack ARM and MIPS platforms demonstrates how the APT group has created “new avenues of attack and delivery.”

“They can hop onto routers and other larger embedded equipment,” he wrote. “They can launch DDoS from equipment that cannot easily come down for business uptime reasons or possibly hop across previously unreachable network segments like SCADA environments,” Baumgartner continued. “This new support also changes ICS operators' assumptions, and translates into additional mitigation efforts.”

In the report, researchers point to different versions of BlackEnergy – BE2 and BE3 – being used in attacks, but Baumgartner said that BlackEnergy3 “seems to have been a delivery vehicle for BlackEnergy2 at a victim site.”

Included in the report were indicators of compromise (IOCs) for BE2 and BE3, along with the attack methods the Sandworm Team used against four unnamed victim organizations.
