BlackEnergy


Posted: July 4, 2014

BlackEnergy is a family of rootkits and backdoor Trojans whose feature set can be extended with optional add-on modules. Although BlackEnergy is over half a decade old, it has gone through multiple significant updates since its introduction and currently appears to be engaged in targeted attacks against Eastern European governments. Malware researchers estimate that these attacks are meant to collect data, but BlackEnergy also may be used for other ends, and removing BlackEnergy with suitable anti-malware technologies is necessary for the safety of any computer.

When Threat Authors Direct Their Energies to E-mail Attacks

Malware experts see BlackEnergy Trojans in variants that may include or lack major rootkit functions (such as injecting a corrupted DLL file into Svchost.exe), but that always incorporate backdoor Trojan attacks. These attacks establish network connections that allow third parties to receive data uploaded from your PC by BlackEnergy, or allow them to install other threats or issue system commands. BlackEnergy is well known for its use in DDoS attacks, spam campaigns and the collection of bank account passwords. Nonetheless, its height of infamy was during cyber campaigns against the country of Georgia, as far back as 2008.

The newest version of BlackEnergy, which seems to have divested itself of most of its rootkit functions, currently appears to be distributed via e-mail attachments. As usual for this infection method, BlackEnergy is enclosed in a ZIP archive and disguised to look like a normal Word document. This new version of BlackEnergy also includes characteristics designed for compatibility with Windows 8's security model.
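As an added defender-side illustration (not code from this page or from any vendor), the following Python script inspects a mailed ZIP attachment for the kind of disguise described above: entries that carry a Word-document name but contain a Windows executable, or that hide an executable extension behind a document extension. The sample archive it builds is constructed for the demonstration and is not a real BlackEnergy lure; the magic-byte and extension checks are heuristics, not a substitute for an anti-malware scan.

```python
import io
import zipfile

# Windows executables (EXE/DLL/SCR) begin with the "MZ" DOS header; genuine Word
# files begin with an OLE compound-file header (.doc) or a ZIP header (.docx).
PE_MAGIC = b"MZ"
DOC_EXTS = (".doc", ".docx", ".rtf")
EXEC_EXTS = (".exe", ".scr", ".dll", ".com", ".pif", ".bat", ".cmd")


def inspect_attachment(zip_bytes):
    """Return [(entry_name, reason)] for entries that look like disguised executables."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            name = info.filename.lower()
            stem, dot, ext = name.rpartition(".")
            ext = dot + ext
            with archive.open(info) as fh:
                head = fh.read(2)
            if ext in EXEC_EXTS and stem.endswith(DOC_EXTS):
                # e.g. "passwords.doc.exe": a document-looking name with an executable extension
                findings.append((info.filename, "double extension hides executable"))
            elif ext in DOC_EXTS and head == PE_MAGIC:
                # Named like a Word file, but the bytes are a PE image
                findings.append((info.filename, "document name but PE (MZ) content"))
            elif ext in EXEC_EXTS:
                findings.append((info.filename, "executable inside mailed archive"))
    return findings


def build_sample_archive():
    """Constructed sample (not a real lure): one harmless entry and two disguised ones."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("security_notice.docx", b"PK\x03\x04" + b"\x00" * 32)
        archive.writestr("Password_Policy.doc.exe", b"MZ" + b"\x90" * 64)
        archive.writestr("passwords.doc", b"MZ" + b"\x90" * 64)
    return buf.getvalue()


if __name__ == "__main__":
    for entry, reason in inspect_attachment(build_sample_archive()):
        print(f"{entry}: {reason}")
```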

Dousing the Energy of Threats

Just as its past has ties to Eastern Europe and the conflict between the former Soviet Union and its satellites, BlackEnergy's new version has stayed in Europe, with recent attacks reported in Belgium, the not-so-coincidental headquarters of NATO. While BlackEnergy has widely available 'kits' that people may use to construct their own variants of this Trojan, the most well-organized BlackEnergy campaigns seem to be the responsibility of a single group of professionals intent on infiltrating government machines.

During its installation, BlackEnergy also may open a harmless document file containing a list of common passwords, which essentially confirms that its distribution hoax is disguised as a password-oriented security warning. Probable targets within the region should continue to follow e-mail security protocols and scan potentially threatening file attachments with anti-malware solutions.

BlackEnergy's deletion also may require the deletion of additional threats, including a variety of modules meant to expand its attack features. Any anti-malware scans undertaken to remove BlackEnergy should be as thorough as possible, and removable hard drives also may be vulnerable. Considering its common use as a data-collecting Trojan, malware experts also deem it wise to change important passwords associated with any BlackEnergy-infected machine.