Nov 4, 2014

BlackEnergy Malware Targets Linux Systems and Cisco Routers

A cyberespionage group, generally known for using the BlackEnergy malware in its cyber-crime activities, has been compromising routers and Linux systems based on ARM and MIPS architectures in addition to Windows computers. BlackEnergy was mainly developed by cybercriminals to perform DDoS attacks. AV vendor Kaspersky Lab reported the details of the modules that have been used as plugins for this malware.


The group behind these attacks mainly targets high-profile private and government organizations such as municipal offices, federal emergency services, national standards bodies, banks, academic research institutions, property holdings and other organizations. The victims of these attacks are located in at least 20 countries.


BlackEnergy plugins are available for both Windows and Linux systems. They extend the capabilities of the malware with additional features such as port scanning, password stealing, system information gathering, digital certificate theft, remote desktop connectivity and HDD wiping.

Different selections of plug-ins are deployed from command-and-control servers for every victim, depending on the group’s goals and the victim’s systems, the Kaspersky researchers said.

In one case, the attackers downloaded and executed a BlackEnergy plug-in called "dstr" to destroy data on the victim's Windows machine.
The researchers said:
By all appearances, the attacker pushed the "dstr" module when they understood that they were revealed, and wanted to hide their presence on the machines. Some machines had already launched the plug-in, lost their data and became unbootable.
In another case, an organization that lost its data after the plug-in was installed also could not access its Cisco router via telnet. When they investigated the matter, they found several "farewell" scripts left for Kaspersky researchers, one of which, named "Cisc0 API Tcl extension for B1ack En3rgy b0t", contained vulgar messages. Those scripts were used to delete the attackers' tracks.

Some days ago the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), a division of the U.S. Department of Homeland Security, reported the same, stating that many business organizations using HMI (Human Machine Interface) products from General Electric, Siemens and BroadWin/Advantech had their systems infected with BlackEnergy. HMI software provides a GUI for monitoring and interacting with industrial control systems.


Alongside Kaspersky, the security firm iSight discovered a hacking campaign by this group, which it calls the Sandworm Team, against the Ukrainian government and US-based business organizations. The group, suspected of originating from Russia, exploited a zero-day vulnerability in Microsoft Windows.
Kaspersky, however, disputes the Russian attribution, noting that the group recently launched a DDoS attack against an IP address belonging to the Russian Ministry of Defense.