- V3 Apps
A fresh BlackEnergy hack campaign is believed to be targeting European governments with a wave of spear-phishing emails masquerading as IT alerts, researchers at F-Secure have warned.
The F-Secure researchers said they uncovered the fresh BlackEnergy campaign after seeing two new malware sample submissions from Ukraine and Belgium on VirusTotal.
F-Secure said the two samples were submitted within minutes of each other, indicating that they may be part of a wider campaign designed to target European government systems.
"Given the current situation in Ukraine, and that Belgium is the centre of the European Union government (and where Nato headquarters is located), we cannot discount the theory that they are related," F-Secure said in a blog post.
The BlackEnergy family of malware is believed to be the same malware used in the cyber attack against Georgia in 2008. The new malware uses a malicious decoy document to hide its activities from victims, and makes it easier for the hackers to mount follow-up attacks.
"We think the sample is possibly sent as attachment in spear-phishing emails pretending to be IT advisories warning people to avoid certain passwords. Take note that there is no software vulnerability or exploit involved. The decoy document is created and opened by the dropper programmatically," read the post.
"This is something similar to what we have seen before in what might be the first documented APT attempt in OS X. The malware did however exempt its host process (rundll32.exe) from Data Execution Prevention (DEP), which may open up an attack surface for future exploitation."
F-Secure security analyst Sean Sullivan told V3 that while the malware is fairly basic, the company did uncover evidence that it is being used by state-sponsored groups as well as basic criminals.
"It's a distributed denial of service (DDoS) bot, but like other bots the ‘platform' is modular and is capable of more than what it's popularly used for. Its complexity rates with that of Zeus, not Stuxnet," Sullivan said.
"We're seeing hints of nation state usage, but that could be for the sake of plausible deniability. On the whole of it, BlackEnergy is considered to be crimeware and has been developed as such. But note: the nation state in which it is developed may have links between crime and government."
Earlier in June Kaspersky Lab researchers uncovered a cyber scam in which hackers were stealing €500,000 per week from customers of a "large European bank".