BlackEnergy cyberespionage group targets Linux systems and Cisco routers

Creation date

Number: IRCNE2014112365
Date: 2014/11/05

According to “techworld”, a cyberespionage group that has built its operations around a malware program called BlackEnergy has been compromising routers and Linux systems based on ARM and MIPS architectures in addition to Windows computers.
Security researchers from antivirus vendor Kaspersky Lab released a report Monday detailing some of the custom modules that the group has developed for BlackEnergy, a tool originally created and used by cybercriminals to launch distributed denial-of-service attacks.
Variants of the BlackEnergy plug-ins developed by the cyberespionage group were discovered for both Windows and Linux systems. They enhance the malware program with capabilities like port scanning, password stealing, system information gathering, digital certificate theft, remote desktop connectivity and even hard disk wiping.
Different selections of plug-ins are deployed from command-and-control servers for every victim, depending on the group's goals and the victim's systems, the Kaspersky researchers said.
In one case, attackers downloaded and executed a BlackEnergy plug-in called dstr that destroyed data on an organization's Windows computers.
In another incident, an organization that had also had data on some of its Windows machines destroyed found that it could no longer reach its Cisco routers over telnet. When the organization investigated, it found several "farewell" scripts left on the routers by the BlackEnergy group, the Kaspersky researchers said.
The group seems particularly interested in targeting organizations that run industrial control systems, especially from the energy sector. Victims identified by Kaspersky include power generation operators, power facilities construction companies, suppliers and manufacturers of heavy power-related materials, and energy sector investors.