Researchers have discovered new capabilities in the BlackEnergy crimeware tool that significantly extend its reach. The ability to run on network devices, steal digital certificates, and render infected computers unbootable are just a few of new-found weapons in its arsenal.
BlackEnergy emerged as a tool for launching denial-of-service attacks. It later morphed into crimeware used to funnel banking credentials and most recently was observed as a refitted piece of software for espionage that targeted the North Atlantic Treaty Organization, Ukrainian and Polish government agencies, and a variety of sensitive European industries over the last year. In this last incarnation, BlackEnergy in some cases was installed by exploiting a previously unknown vulnerability in Microsoft Windows systems.
According to a report published Monday by security firm Kaspersky Labs, the breadth of BlackEnergy goes even further. A host of extensions customized for both Windows and Linux systems contain commands for carrying out DoS attacks, stealing passwords, scanning ports, logging IP sources, covertly taking screenshots, gaining persistent access to command and control channels, and destroying hard drives. Researchers Kurt Baumgartner and Maria Garnaeva also acquired a version that works on ARM- and MIPS-based systems and uncovered evidence BlackEnergy has infected networking devices manufactured by Cisco Systems. They are unsure precisely what the purpose is for some plugins, including one that gathers device instance IDs and other information on connected USB drives and another that collects details on the BIOS, motherboard, and processor of infected systems.