Kaspersky Analyzes Windows Plugins Used in BlackEnergy2 Attacks

Researchers at Kaspersky Lab have conducted a detailed analysis of some of the plugins used by the advanced persistent threat (APT) group known as BlackEnergy2 (BE2), or Sandworm Team.

The group has targeted various types of organizations across the world, but the attackers seem to be very interested in industrial control systems (ICS), particularly entities related to power generation.

The BE2 threat actors have leveraged numerous Windows and Linux plugins to achieve their goals. One of the Windows plugins is dstr, a component designed to destroy data stored on hard drives by overwriting file contents. Kaspersky experts believe the tool is most likely used for sabotage, just like the Destover malware used in the recent Sony Pictures Entertainment attack, or the Shamoon wiper used in the Saudi Aramco operation in 2012.

However, the dstr plugin, which has been used by BE2 in ICS environments, is different from Destover and Shamoon because it doesn’t use a commercial driver. Instead, its authors have developed their own low-level disk and file destruction routines, Kaspersky said.

“In order to overwrite stored data on all Windows versions, the dstr plugin supports both user-mode and kernel-mode wiper functionality, which is somewhat surprising. The component maintains both an embedded win32 library and win64 driver modules for its kernel mode functionality,” Kaspersky Lab researchers Kurt Baumgartner and Maria Garnaeva explained in a blog post.

Researchers have also identified some coding “fails” in the dstr plugin, which has led them to believe that an entire team has been involved in its development.
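One triage check a defender can apply to the point above, that a single component carries both a 32-bit library and a 64-bit kernel driver: this added Python example (not Kaspersky's analysis code or anything from the malware) walks a byte blob for embedded PE headers and classifies each by architecture and subsystem. The sample input is constructed inline; a native-subsystem image inside a user-mode binary is the kind of finding worth a second look.

```python
import struct

# IMAGE_FILE_MACHINE values for the two architectures the plugin carries
MACHINE = {0x014C: "win32 (i386)", 0x8664: "win64 (x86-64)"}
IMAGE_FILE_DLL = 0x2000
IMAGE_SUBSYSTEM_NATIVE = 1  # kernel-mode driver

def find_embedded_pe(blob: bytes):
    """Return (offset, arch, kind) for every well-formed PE header found in blob.

    kind is "driver" (native subsystem), "dll" (IMAGE_FILE_DLL set) or "exe"."""
    found = []
    pos = blob.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(blob):
            e_lfanew = struct.unpack_from("<I", blob, pos + 0x3C)[0]
            pe = pos + e_lfanew
            # need the 4-byte signature, the 20-byte file header and the
            # optional header up to and including Subsystem (offset 68)
            if 0x40 <= e_lfanew < 0x1000 and pe + 94 <= len(blob) and blob[pe:pe + 4] == b"PE\0\0":
                machine, _, _, _, _, _, chars = struct.unpack_from("<HHIIIHH", blob, pe + 4)
                subsystem = struct.unpack_from("<H", blob, pe + 24 + 68)[0]
                arch = MACHINE.get(machine, "unknown (0x%04x)" % machine)
                if subsystem == IMAGE_SUBSYSTEM_NATIVE:
                    kind = "driver"
                elif chars & IMAGE_FILE_DLL:
                    kind = "dll"
                else:
                    kind = "exe"
                found.append((pos, arch, kind))
        pos = blob.find(b"MZ", pos + 1)
    return found

def _fake_pe(machine: int, characteristics: int, subsystem: int) -> bytes:
    """Constructed minimal PE headers (no sections), used only as sample input."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    file_hdr = b"PE\0\0" + struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0xF0, characteristics)
    magic = 0x20B if machine == 0x8664 else 0x10B  # PE32+ or PE32
    opt = struct.pack("<H", magic) + b"\0" * 66 + struct.pack("<H", subsystem)
    return dos + file_hdr + opt.ljust(0xF0, b"\0")

# Constructed sample: junk, a 32-bit DLL, filler, then a 64-bit native-subsystem driver
SAMPLE = (b"\x90" * 16 + _fake_pe(0x014C, 0x2002, 2) + b"padding"
          + _fake_pe(0x8664, 0x0022, 1) + b"\0" * 8)

def scan_sample():
    return find_embedded_pe(SAMPLE)

if __name__ == "__main__":
    for off, arch, kind in scan_sample():
        print("embedded PE at 0x%x: %s %s" % (off, arch, kind))
```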

Another interesting plugin is grc, which is designed to create a backup command and control (C&C) communications channel via the Google Plus social media network.

The recently discovered BadUSB attack method, which relies on malicious USB firmware modifications, appears to have been leveraged by BE2 actors in a plugin dubbed usb. The component collects information on connected USB drives and feeds it to the main BlackEnergy code.

“[The plugin] uses multiple api calls to collect information on multiple types of connected usb storage devices. It enumerates all usb storage devices connected to the system and retrieves data from all, including SCSI mass storage devices,” researchers wrote.

The usb plugin is designed to send two types of commands to Small Computer System Interface (SCSI) devices. While one of the commands is not out of the ordinary, the second one appears to be inspired by BadUSB research.

Kaspersky believes this might be the first implementation of BadUSB-related techniques in common off-the-shelf (COTS) malware repurposed for APTs.

The last plugin detailed by the security firm is called bios. The component is designed to collect information on the BIOS, the motherboard, the CPU and the operating system. Researchers believe the attackers could be using the data to identify the infected system, or to plan their next move.

In the case of ICS and SCADA environments, such data could be useful for establishing persistence, evaluating resources, and tracking down the source of the equipment. The BE2 actors might also use the information to enable “further lateral movement,” Kaspersky said.

In December, ICS-CERT issued a warning after multiple organizations detected the presence of BlackEnergy malware on Internet-connected human-machine interfaces (HMIs). ICS-CERT said there had been indications that the malware targeted vulnerabilities in Siemens’ SIMATIC WinCC solution.

Kaspersky analyzed BE2 attacks aimed at research sites and energy engineering facilities. In these operations, the attackers attempted to remotely exploit the SIMATIC WinCC system to download and execute malware.

The threat group tried to exploit a system in March 2014, but the attempt failed. They attempted to exploit the same system again roughly one month later. In a different attack, BE2 actors attempted to exploit a system in May 2014, but they once again failed. They returned to the same system in July 2014. Researchers believe the different return delays indicate that the attacks were not automated.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
