routers, Linux systems and Windows, targeting industry through Cisco network devices.
The antivirus vendor’s Global Research & Analysis Team released a report Monday detailing some of the new “relatively unknown” custom plug-in capabilities that the cyber espionage group has developed for BlackEnergy to attack Cisco networking devices and target ARM and MIPS platforms.
The malware was upgraded with custom plugins, including Ciscoapi.tcl, which targets The Borg's kit. According to researchers, the upgraded version contained various wrappers over Cisco EXEC commands and "a punchy message for Kaspersky," which reads, "F*uck U, Kaspersky!!! U never get a fresh B1ack En3rgy. So, thanks C1sco 1td for built-in backd00rs & 0-days."
The BlackEnergy malware program was originally created and used by cybercriminals to launch Distributed Denial-of-Service (DDoS) attacks. The malware developers then added custom plugins used to funnel banking information.
Most recently BlackEnergy malware was observed in alleged state-sponsored attacks targeting the North Atlantic Treaty Organization (NATO), Ukrainian and Polish government agencies, and a variety of sensitive European industries over the last year.
Now, the cyber espionage group has enhanced the malware program, which also has capabilities such as port scanning, password stealing, system information gathering, digital certificate theft, remote desktop connectivity, and even hard disk wiping and destruction.
If a victim became aware of the BlackEnergy infection on their system, the attackers activated "dstr," the name of a plugin that destroys hard disks by overwriting them with random data. A second victim was compromised using VPN credentials taken from the first victim.
Security researchers Kurt Baumgartner and Maria Garnaeva also came across a BlackEnergy version that works on ARM- and MIPS-based systems and found that it has compromised networking devices manufactured by Cisco Systems.
However, the experts are not sure of the purpose of some plugins, including one that gathers device instance IDs and other information on connected USB drives and another that collects details on the BIOS (Basic Input/Output System), motherboard, and processor of infected systems.
"We are pretty sure that our list of [BlackEnergy] tools is not complete," the researchers wrote. "For example, we have yet to obtain the router access plugin, but we are confident that it exists. Evidence also supports the hypothesis that there is a decryption plugin for victim files."
Multiple unnamed victim companies in different countries were targeted with the latest BlackEnergy malware, including victims in Russia, Germany, Belgium, Turkey, Libya, Vietnam and several other countries.
Another crimeware group, the Sandworm Team, is believed to have used BlackEnergy exclusively throughout 2014 at victim sites and to have included custom plugins and scripts of its own. Also, last month the Sandworm Team targeted organizations across the world in an espionage campaign, and iSIGHT Partners revealed that the team used spear phishing as the major attack vector against its targets.