BlackEnergy drains files from Ukraine media, energy organisations
Booter bot becomes modular malware.
Malware writers are wiping hard drives of Ukraine media outlets and energy companies using a cocktail of backdoors.
Eset threat bod Anton Cherepanov says VXers are attacking the unnamed organisations with the BlackEnergy trojan's new KillDisk component, capable of destroying some 4000 different file types and rendering machines unbootable.
The attackers are hitting specific files and documents journalists and staff are likely to have stored on their machines.
Cherepanov says attackers have set a delayed execution for when the 35 file types will be erased, along with Windows logs and settings, and the miscreants are also overwriting a specific industrial control software executable.
"ESET has recently discovered that the BlackEnergy trojan was recently used as a backdoor to deliver a destructive KillDisk component in attacks against Ukrainian news media companies and against the electrical power industry," Cherepanov says .
The researcher also found a previously unknown SSH backdoor attackers used as an alternative to BlackEnergy for accessing infected systems.
Build identity numbers suggest possible Russian links, but ESET avoids confirming the attribution.
BlackEnergy was first discovered in 2007 and has undergone capability upgrades from a basic distributed denial of service attack malware to a polished modular trojan over ensuing years.
Targets in Ukraine and Poland have been attacked through known and unknown vulnerabilities and vectors, the company says.
The attack software can install rootkits and defeat Windows' user access control and driver signing requirements. ®