F-Secure Intercepts New Sample of BlackEnergy Uploaded on VirusTotal

Security researchers of security firm F-Secure found a new variant of malware namely BlackEnergy which has been first transferred to VirusTotal from Ukrain and then somebody checked the file in Belgium after few minutes.

F-Secure observes that someone submitted a ZIP archive to Google's VirusTotal which contains executable file with Microsoft Word's DOC extension.

They checked service of scanning for traces of the respective DOC and it was found submitted from Belgium. There is difference of five minutes between these two submissions indicating some relation between these two actions.

V3.co.uk published a report on 30th June, 2014 quoting an explanation by F-Secure as "Keeping in mind the present condition in Ukraine and Belgium being the Centre of the European Union government (where NATO headquarter is situated), we assume the probability of their relation."

F-Secure explained in details as "We think that sample is probably sent in spear-phishing emails as an attached file pretending to be advisories asking people to ignore certain passwords. The involvement of software flaw or exploit is not there and the dropper created and opened the decoy document programmatically. This might be similar to attempt by documented APT first in OS X which we have seen before and the malware exempted its host process (rundll32.exe) from DEP (Data Execution Prevention) which may unwrap a surface for upcoming exploitation to attack.

V3 published news on 30th June, 2014 quoting Sean Sullivan, Security Analyst with F-Secure, as saying "the malware is basic but we have evidence that it is currently used by groups sponsored by states and basic criminals.

Sullivan said: "it is a distributed denial of service (DDoS) bot but the 'platform' is modular like other bots and it can perform more than its capacity and its complexity measures with Zeus and not with Stuxnet. We are seeing signs of usage in the nation state but that may be due to reasonable deniability. Considering everything, BlackEnergy seems to be developed to crimeware but the nation state where it is developed, might have links between government and crime.

» SPAMfighter News - 7/8/2014