BlackEnergy is a modular backdoor that serves several purposes, such as espionage and downloading destructive components onto compromised systems. The BlackEnergy malware family has been around since 2007; it started as an HTTP-based botnet for DDoS attacks.
It then evolved into BlackEnergy2, a driver-based rootkit installed as a backdoor, and has now reached its latest version, BlackEnergy3, which is behind the recent attacks by cybercriminals against Ukraine's electrical power industry.
The malware spreads mainly through targeted phishing e-mails carrying Microsoft Office attachments with malicious VBA macros.
BlackEnergy's modular architecture supports several plugins and uses them to download and keep running both backdoors (such as variants of the Dropbear SSH backdoor) and other kinds of plugins (such as the new destructive plugin KillDisk, used in the recent Ukraine attacks).
In this blog post, we will discuss how to detect its C2 beaconing activity.
Once the malware is installed on the target system, the backdoor listens for and communicates with the remote C2 server.
The following is an example of an HTTP request sent from the malware to the C2:
POST /Microsoft/Update/KC074913.php HTTP/1.1
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
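As an added example (not code from the original post), the following Python detector turns the request above into a check that can be run over captured HTTP requests: it parses the request line and headers, then flags a POST to a `.php` file under `/Microsoft/Update/` and the legacy IE6 User-Agent string shown above. The path regex generalises the single sample filename (`KC074913.php`) to any alphanumeric name, which is an assumption; the indicator names and the non-beacon sample requests are constructed for the example.

```python
"""Flag HTTP requests that match the BlackEnergy C2 beacon shape shown in the post."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Indicators taken from the beacon request in the post.
# Assumption: the .php filename varies between samples, so only the
# directory prefix and extension are matched.
BEACON_PATH_RE = re.compile(r"^/Microsoft/Update/[A-Za-z0-9]+\.php$")
BEACON_USER_AGENT = (
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; "
    ".NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)"
)


@dataclass
class HttpRequest:
    method: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)


def parse_request(raw: str) -> Optional[HttpRequest]:
    """Parse the request line and headers of a raw HTTP/1.x request.

    Returns None if the request line is malformed. Header names are
    lower-cased so lookups are case-insensitive; any body is ignored.
    """
    head = raw.lstrip().split("\r\n\r\n", 1)[0].split("\n\n", 1)[0]
    lines = [ln.rstrip("\r") for ln in head.splitlines() if ln.strip()]
    if not lines:
        return None
    parts = lines[0].split()
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    headers: Dict[str, str] = {}
    for ln in lines[1:]:
        name, sep, value = ln.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return HttpRequest(parts[0].upper(), parts[1], headers)


def beacon_indicators(req: HttpRequest) -> List[str]:
    """Return the names (constructed labels) of the beacon indicators the request matches."""
    hits: List[str] = []
    if req.method == "POST" and BEACON_PATH_RE.match(req.path):
        hits.append("post_to_microsoft_update_php")
    if req.headers.get("user-agent") == BEACON_USER_AGENT:
        hits.append("legacy_ie6_user_agent")
    return hits


def scan(raw_requests: List[str]) -> List[Dict]:
    """Score each request: both indicators -> 'beacon', one -> 'suspicious', none -> 'clean'."""
    results: List[Dict] = []
    for i, raw in enumerate(raw_requests):
        req = parse_request(raw)
        if req is None:
            results.append({"index": i, "verdict": "unparsed", "indicators": []})
            continue
        hits = beacon_indicators(req)
        verdict = "beacon" if len(hits) == 2 else ("suspicious" if hits else "clean")
        results.append({"index": i, "verdict": verdict, "indicators": hits})
    return results


# Constructed sample traffic: the beacon from the post, a benign browser request,
# and a POST to the same path with a different User-Agent (partial match).
SAMPLE_REQUESTS = [
    "POST /Microsoft/Update/KC074913.php HTTP/1.1\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; "
    ".NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)\r\n"
    "\r\n",
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)\r\n"
    "\r\n",
    "POST /Microsoft/Update/AB000001.php HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: curl/7.0\r\n"
    "\r\n",
]

if __name__ == "__main__":
    for result in scan(SAMPLE_REQUESTS):
        print(result)
```

The two indicators are weighted the same way an analyst would treat them: the User-Agent string on its own is an old but genuine Internet Explorer 6 signature and can still appear on legacy hosts, so a UA-only hit is reported as `suspicious` rather than `beacon`, and the combination with the POST to the `/Microsoft/Update/*.php` path is what raises the verdict. Feeding the function proxy or IDS request captures instead of the constructed samples is the only change needed for real use.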