Reg comments2

Huffy BlackEnergy vxers cry: 'f*ck U Kaspersky', thank Cisco for 0-days

'U never get a fresh Black En3rgy!'

Developers of the maturing malware weapon BlackEnergy have written a personal message for Kaspersky reverse engineers and Cisco developers in new code that targets Linux and router kit.

Pesky malware researchers have kept an eye on BlackEnergy since it evolved from a denial-of-service attack tool to version two kit used by advanced financial and alleged state-sponsored attackers.

The ware was upgraded with attack features including a plug-in Ciscoapi.tcl targeting The Borg's kit.

Researchers Kurt Baumgartner (@k_sec) and Maria Garnaeva said in their analysis it contained wrappers over Cisco EXEC-commands [and] "a punchy message for Kaspersky".

Sandworm team leave a message for Kaspersky and Cisco.

"We gained insight into significant BE2 (BlackEnergy version 2) victim profiles over the [Northern] summer of 2014," they said.

The latest detected BlackEnergy variant also received the ability to wipe drives in the event intruders were caught or felt particularly vindictive, and various port-scanning and certificate pinching plug-ins. One plugin grc used Google Plus accounts to download obfuscated command and control data from an encrypted image file.

The upgrades were part of "several years" of "professional and organised" development.

Multiple unnamed victim companies were compromised with the new BlackEnergy bot including an unspecified set of industrial control system organisations in the US compromised for more than three years.

One victim identified by Kaspersky and analysed by Baumgartner and Garnaeva had data destroyed after the vxers known as Sandworm Team used VPN credentials stolen from a further victim seemingly located in Ukraine. ®

Sign up to our Newsletter

Get IT in your inbox daily

Biting the hand that feeds IT © 1998–2017