BlackEnergy is a modular backdoor that can be used for several purposes, like espionage and downloading of destructive components to compromise target systems.
The BlackEnergy malware family has been around since 2007. It started as an HTTP-based botnet for DDoS attacks.
It evolved into BlackEnergy2, a driver-based rootkit installed as a backdoor, and has now evolved into its latest version, BlackEnergy3, which is behind the recent attacks by cybercriminals against the Ukrainian electrical power industry.
BlackEnergy DDoS Bot
BlackEnergy was originally designed as an HTTP-based botnet to perform DDoS attacks. The BlackEnergy bot builder toolkit is used by cybercriminals to generate customized bot client executables that are distributed to victims through spam and phishing e-mail campaigns.
Figure 1 - BlackEnergy DDoS Bot builder version 1.7
Figure 2 - BlackEnergy DDoS Bot builder version 1.9.2
Where the parameters are:
Server/Host: C2 server to communicate with the bot client;
Request Rate (in minutes): Time interval of communication between C2 server and bot client;
Build ID: Unique ID used to tag the generated bot client;
Default command: Default command to execute if bot client can’t connect to the C2 server;
Execute after (minutes): Time to wait until execution of command sent by the C2 server (‘0’ means that command should be executed immediately);
Outfile: Output bot client filename;
ICMP Freq: Number of requests per second to be used during an ICMP attack;
ICMP Size: Size of ICMP packets sent during the attack;
Syn/Ack: Number of requests per second to be used during a SYN/ACK flood attack;
Syn/Freq: Number of requests per second to be used during a SYN flood attack;
HTTP Freq: Number of requests per second to be used during an HTTP flood attack;
HTTP Threads: Number of threads to be used during an HTTP flood attack;
TCP/UDP Freq: Number of TCP/UDP requests per second to be sent during a TCP/UDP flood attack;
UDP Size: Size of UDP packets sent during a TCP/UDP flood attack;
TCP Size: Size of TCP packets sent during a TCP/UDP flood attack;
Spoof IP’s (1 – ON / 0 – OFF): Boolean that indicates if IP addresses must be forged during the attack;
Use Socks5: Boolean that indicates if Socks5 (SOCKS with authentication to access the proxy server) must be used;
Use crypt traffic: Boolean that indicates if communication between client and server must be encrypted;
Use polymorph exe and antidebug: Boolean that indicates if antidebug techniques must be used.
The server side is based on PHP code and a simple MySQL database:
db.sql: MySQL database creation file. Table ‘opt’ contains all attack options data, like commands, intervals and packet sizes used during flood attacks. Table ‘stat’ contains general information about the botnet.
Figure 3 - BlackEnergy DDoS Bot MySQL schema
auth.php: Botnet control authentication page
Figure 4 - BlackEnergy DDoS Bot Server authentication page
config.php: Botnet control configuration page. It contains information regarding MySQL’s hostname, user, password and base as well as the Admin’s login and password
Figure 5 - BlackEnergy DDoS Bot Server config.php page
index.php: Botnet control main page. It contains information regarding the Bot (Total Bot’s, Bot’s Per Hour, Bot’s Per Day, Bot’s for all time, Statistics by builds and Control bots – Flooders options, advanced SYN and ICMP options and commands options)
Figure 6 - BlackEnergy DDoS Bot main page
MySQL.php: MySQL Database connection and query code
stat.php: Botnet statistics related code
style.css: CSS file
cmdhelp.html: Help page regarding commands supported by the bot
Figure 7 - BlackEnergy DDoS Bot help page (in Russian)
This page contains instructions regarding the commands supported by the malware:
flood: starts a DDoS attack (ICMP, SYN, TCP/UDP, HTTP)
stop: stops a DDoS attack
die: uninstalls the bot client from the infected system
wait: stays silent, waiting for a command from the C2 server
Commands are sent by the C2 server to the bot clients through HTTP POST requests with Base64 encoded data that follows the format:
Once installed and running, the executable file behind the hidden device driver injects code into the %WINDIR%\system32\svchost.exe process and starts the backdoor, which listens on system ports and communicates with the C2 server.
Cybercriminal groups perform e-mail phishing attacks containing Microsoft Office files (Excel, Word, PowerPoint, etc.) with malicious VBA macros to infect target systems.
In this case, the document displays a text “Report” and the Microsoft Office warning message says that the document contains macros, and the user has to enable them in order to see the entire content of the document.
Figure 10 – Microsoft Excel file with malicious VBA macro
The VBA macro contains obfuscated malicious code stored as a set of arrays of values in decimal format that represent the malicious binary that will effectively infect the system.
Figure 11 - VBA macro with obfuscated malicious code
The first value of the first array is decimal ‘77’, which is hex ‘4d’. It is followed by decimal ‘90’, which is hex ‘5a’. These two bytes are the magic number (ASCII “MZ”) of the DOS executable format. Similarly, the subsequent decimal values represent the rest of the malicious binary file.
Figure 12 - Array of decimal values used for obfuscation
When executed, the VBA macro reads the arrays of decimal values and converts them to hex format to deobfuscate the binary. The resulting bytes are written to disk (%TMP%\vba_macro.exe) and the malicious executable file is then executed.
Figure 13 - VBA macro function will de-obfuscate, write to the disk and execute malicious binary
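The decimal-array encoding described above is easy to check for during triage. The following script is an added example (not code from the original article) that takes already-extracted VBA source, such as the output of a macro extraction tool like olevba, reassembles every decimal Array(...) literal into bytes and reports whether the result starts with the ‘MZ’ magic number. The macro text below is constructed for illustration, not the real sample.

```python
import re

# Constructed sample of VBA source (not the real BlackEnergy macro): two
# decimal arrays whose first two values, 77 and 90, are hex 4d 5a ("MZ").
SAMPLE_VBA = """
Private Sub Workbook_Open()
    Dim a1() As Variant
    a1 = Array(77, 90, 144, 0, 3, 0, 0, 0, _
               4, 0, 0, 0, 255, 255, 0, 0)
    Dim a2() As Variant
    a2 = Array(184, 0, 0, 0, 0, 0, 0, 0, 64, 0, 0, 0, 0, 0, 0, 0)
End Sub
"""

# Matches Array( ... ) literals made only of digits, commas, whitespace and the
# VBA line-continuation character "_".
ARRAY_RE = re.compile(r"Array\s*\(([\d\s,_]+)\)", re.IGNORECASE)


def extract_arrays(vba_text):
    """Return each all-numeric Array(...) literal in the macro as raw bytes."""
    chunks = []
    for match in ARRAY_RE.finditer(vba_text):
        values = [int(v) for v in re.findall(r"\d+", match.group(1))]
        # Only arrays whose every element fits in a byte can encode a binary.
        if values and all(0 <= v <= 255 for v in values):
            chunks.append(bytes(values))
    return chunks


def reassemble(vba_text):
    """Concatenate the arrays in source order, as the dropper macro does."""
    return b"".join(extract_arrays(vba_text))


def looks_like_embedded_pe(payload):
    """The article's observation: the first two bytes decode to ASCII 'MZ'."""
    return payload[:2] == b"MZ"


def triage(vba_text):
    """Summarise what the macro's arrays decode to, for an analyst's report."""
    payload = reassemble(vba_text)
    return {
        "arrays": len(extract_arrays(vba_text)),
        "bytes": len(payload),
        "hex_head": payload[:4].hex(),
        "embedded_pe": looks_like_embedded_pe(payload),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_VBA))
```

A macro whose arrays decode to a buffer starting with ‘MZ’ is a strong indicator that it carries an embedded executable, regardless of how the write-to-disk and execution steps are disguised.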
The extracted file vba_macro.exe, the BlackEnergy Dropper, is a Portable Executable file that embeds an encrypted file (FONTCACHE.DAT), the BlackEnergy Core, which is a Windows DLL (Dynamic-link library), and also a copy of rundll32.exe, the Microsoft Windows command line tool that allows functions exported from DLLs to be invoked.
When executed, vba_macro.exe will decrypt and write FONTCACHE.DAT to the disk as a hidden file under %APPDATA% folder:
It will also decrypt and write %windir%\System32\rundll32.exe in case the file does not exist in the system.
After that, vba_macro.exe will write a file shortcut under the Startup menu:
FONTCACHE.DAT injects code into the %WINDIR%\system32\svchost.exe process, which instantiates iexplorer.exe instances from time to time. The iexplorer.exe instances listen on UDP ports, acting as a backdoor.
Figure 16 - iexplore.exe instances acting as backdoor
According to CERT-UA (Computer Emergency Response Team of Ukraine) and ESET researchers, BlackEnergy used its modular architecture that supports several plugins to download and keep running both a variant of Dropbear SSH backdoor and a new destructive plugin called KillDisk in the recent Ukraine attacks. This component is able to damage files and make the system unbootable.
Malware Protective Mechanisms
The malware spreads through Microsoft Office files (Word, Excel, PowerPoint, etc.) with malicious VBA macros as attachments. The VBA macros embed an obfuscated version of the malware dropper.
Also, to protect the dropped files, the malware copies itself to the %APPDATA% folder as a hidden file, which is a primitive way of protecting dropped malware components. However, the main protection is actually found in the malware itself.
Both the malware dropper (vba_macro.exe) and core (FONTCACHE.DAT) are Portable Executable files with encrypted contents. The malware decrypts itself at runtime.
Malware Persistency Techniques
To make itself persistent, the malware installs itself as a hidden DLL file under the %APPDATA% folder and then creates a Windows Shortcut File (LNK) in the Startup folder that executes it:
Figure 17 - Windows Shortcut File at Startup created by the malware
Method of Infection
The malware spreads mainly through targeted phishing attacks by e-mail containing Microsoft Office files with malicious VBA macros as attachments. Following are some examples of these files.
This one pretends to be a Microsoft Excel file with information regarding a VIA Investment draft plan for railways development of Ukraine:
Figure 18 - Another example of Microsoft Excel file with malicious VBA macro
On the other hand, this one pretends to be a document from the Prosecutor General’s Office of Ukraine:
Figure 19 - Another example of Microsoft Excel file with malicious VBA macro
Next one tries to mimic a political party called "Right Sector" – a far-right Ukrainian nationalist political party, originally set up as an alliance of ultra-nationalist groups in November 2013:
Figure 20 – Microsoft Word file with malicious VBA macro
Next one, titled “List of passwords”, pretends to be a Microsoft Word document with a list of passwords:
Figure 21 - Another example of Microsoft Word file with malicious VBA macro
The malicious macros can be executed either manually by victims or automatically on machines where Microsoft Office macros are enabled by default, thus infecting the target systems.
Once the malware is installed on the target system, the backdoor listens for and communicates with the remote C2 server.
Following is an example of an HTTP request sent from the malware to the C2: