Saturday Sep 04


BlackEnergy Exploit Kit Makes Off With the Loot


Russian and Ukrainian banks have recently been on the receiving end of an updated version of a homegrown exploit kit, BlackEnergy.

BlackEnergy has been known about since 2007, when Arbor Networks Inc. traced its botnets to the Russian underground hacker community. Previously used in distributed denial-of-service (DDoS) attacks, it gained notoriety as the basis of Russia's cyberwar against Georgia in 2008.

Since then, BlackEnergy appears to have gone through something of a metamorphosis, reappearing as version 2.0, so named by SecureWorks researcher Joe Stewart for the features it adds over its well-known predecessor, version 1.9.2. The old version can still be bought on hacker forums for anywhere from $30 to $200.

As part of an aggressive top-down makeover, BlackEnergy has improved functions and capabilities, including increased stealth. A sneak preview function allows BlackEnergy to avoid most antivirus protection.

This newer model is the latest ideal tool for any competent programmer wanting to make a quick gain by stealing other people's money. With the addition of a modular architecture and an updated rootkit, plug-ins are easily inserted, along with injected code programmed to perform commands such as gathering private encryption keys or any number of other nefarious tasks the criminally minded may have in mind.

Such ready-made kits, with additional plug-ins for spam or banking attacks, offer off-the-peg solutions for the would-be cybercriminal and yet more headaches for those on the receiving end.

Basically, cybercriminals use the BlackEnergy crime pack to steal online banking passwords and logins, whilst keeping the bank busy with botnet-based DDoS. The Trojan acts as a dropper: it decrypts and decompresses the rootkit driver binary and writes it out under a randomly generated name, in a process known as "unpack and install."

Unpatched vulnerabilities are crucial to BlackEnergy, enabling the malware to escalate its privileges and to drop its code into the rootkit driver. A plug-in that runs alongside the banking plug-in destroys the infected machine's file system. The bot itself can be controlled with simple commands, including one that makes it exit on demand.
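One defensive check that follows from the dropper behaviour described above, added here as an example and not code from the article or from any named vendor: if the randomly named rootkit driver is registered through the Service Control Manager (an assumption; the article does not say how the driver is loaded), the installation shows up as a System log Event ID 7045 record, and a cheap name-randomness heuristic over those records can surface such installs for review. The record layout and every service name below are constructed for the demo.

```python
import re

# Constructed sample records shaped like Windows System log Event ID 7045
# ("A service was installed in the system"). Names, paths and layout are made
# up for this demo; none of them are real BlackEnergy artefacts.
SAMPLE_EVENTS = [
    {"EventID": "7045", "ServiceName": "mouclass", "ServiceType": "kernel mode driver", "ImagePath": r"C:\Windows\system32\drivers\mouclass.sys"},
    {"EventID": "7045", "ServiceName": "Spooler", "ServiceType": "user mode service", "ImagePath": r"C:\Windows\System32\spoolsv.exe"},
    {"EventID": "7045", "ServiceName": "e1000", "ServiceType": "kernel mode driver", "ImagePath": r"C:\Windows\system32\drivers\e1000.sys"},
    {"EventID": "7045", "ServiceName": "xqzvbkt", "ServiceType": "kernel mode driver", "ImagePath": r"C:\Windows\system32\drivers\xqzvbkt.sys"},
    {"EventID": "7045", "ServiceName": "wm3ak9fq", "ServiceType": "kernel mode driver", "ImagePath": r"C:\Windows\system32\drivers\wm3ak9fq.sys"},
    {"EventID": "7036", "ServiceName": "qlpwvxrs", "ServiceType": "kernel mode driver", "ImagePath": r"C:\Windows\system32\drivers\qlpwvxrs.sys"},
]

VOWELS = set("aeiouy")


def randomness_signals(name: str) -> int:
    """Count cheap indicators that a service name was generated, not chosen:
    very few vowels, a long consonant run, or digits wedged between letters.
    Legitimate driver names rarely trip more than one of these."""
    lowered = name.lower()
    letters = [c for c in lowered if c.isalpha()]
    if not letters:
        return 0
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    # Digits break a consonant run, so "wm3ak9fq" is judged on its letter chunks.
    runs = re.findall(r"[b-df-hj-np-tv-xz]+", lowered)
    longest_run = max((len(r) for r in runs), default=0)
    interleaved = re.search(r"[a-z]\d+[a-z]", lowered) is not None
    return int(vowel_ratio < 0.2) + int(longest_run >= 5) + int(interleaved)


def flag_suspicious_driver_installs(events, min_signals: int = 2) -> list:
    """Return names of newly installed kernel drivers whose names look generated."""
    flagged = []
    for ev in events:
        if ev.get("EventID") != "7045":
            continue  # only service-installation events are of interest
        if "kernel" not in ev.get("ServiceType", "").lower():
            continue  # the dropper described above installs a rootkit *driver*
        if randomness_signals(ev["ServiceName"]) >= min_signals:
            flagged.append(ev["ServiceName"])
    return flagged


if __name__ == "__main__":
    print(flag_suspicious_driver_installs(SAMPLE_EVENTS))  # ['xqzvbkt', 'wm3ak9fq']
```

The heuristic is a triage aid, not a verdict: a flagged name should be checked against the driver's signature and its path on disk, and legitimate drivers with odd names will occasionally score.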

There have been several recent reports of Russian banks being hacked with Zeus Trojans that are not specifically identified as BlackEnergy. Citibank, MDM Bank, and VTB 24 (its "Telebank" system), as well as the payment systems OSMP, Yandex.Money, WebMoney, and RBK Money, are among those known to have been targeted.

It used to be an unwritten rule that Russian cybercriminals steered clear of plundering at home. Or maybe that rule never existed, and Russian banks have simply now reached the level of sophistication that makes them targets on a par with other world financial systems?

It is hard not to speak of Russian bank hacks and the RBN in the same breath, and it is easy to imagine this as the work of the RBN. However, the original members have become part of "respectable" society in Russia, and it is unlikely that they would want to risk their elevated status to rob banks. Still, there have been plenty of other criminals willing to take the baton from the old RBN.

Unfortunately, many banks' current stance of not publicly admitting to any attack also plays into the hands of the cybercriminals.

Take the case of Citibank a few months ago: there were widespread reports of accounts being looted for tens of millions of dollars. Citibank flatly denied any such occurrence, yet at that very time a single Citibank business customer in New York had $1 million looted from his account. Citibank, still in denial, recovered most of its customer's money from a Latvian bank and made up the remainder itself.

Meanwhile, BlackEnergy 2 preys on vulnerabilities. There can be no excuse for banks, financial institutions, or corporations, big or small, in any country around the world, to offer a service that is not up to scratch. Although it is an old song, it must continue to be sung loud and clear.