NEWS FROM THE LAB - Thursday, September 25, 2014

BlackEnergy 3: An Intermediate Persistent Threat Posted by Sean @ 16:50 GMT

We have a new white paper available.

BlackEnergy & Quedagh: The convergence of crimeware and APT attacks


The paper's author, Broderick Aquilino, first wrote about BlackEnergy in June:

  •  BlackEnergy Rootkit, Sort Of
  •  Beware BlackEnergy If Involved In Europe/Ukraine Diplomacy

BlackEnergy is a kit with a long history and this new analysis is quite timely. In fact, malware researchers Robert Lipovsky and Anton Cherepanov from ESET will present a BlackEnergy paper at Virus Bulletin today.

Broderick's latest analysis, concurrent with ESET's, includes details on a variant he has dubbed "BlackEnergy 3". Among Quedagh-BE's new features is support for proxy servers when connecting to C&Cs. In this case, the proxies are based in Ukraine, and there is compelling evidence that the Quedagh gang is targeting Ukrainian government organizations.

Who is behind BlackEnergy 3? Here are some theories:

1) The Kremlin is directly responsible and using a crimeware kit provides plausible deniability.
2) Useful idiots (as in purely political patriotic hacktivists).
3) Current or former cyber-criminals (aka privateers). BE3 is evolving to reflect "market" interests.
4) All of the above.
5) Perhaps all of this is wrong and it's the Dutch (it's not the Dutch).

Whoever is behind Quedagh's campaign, they're using what is (or at least was) generally considered to be a "commodity threat" to achieve "advanced persistent threat" goals. This appears to be a trend.

Why Quedagh?


Quedagh Merchant is the name of a ship which was captured by Captain William Kidd, an infamous 17th-century Scottish privateer.

"Privateering was a way of mobilizing armed ships and sailors without having to spend treasury resources or commit naval officers."

Our working theory is that the emergence of "intermediate persistent threats" such as BlackEnergy 3 is being driven by market forces and that cyber-criminals are expanding their capabilities into espionage and commoditized information warfare.