Russian Banking Trojan BlackEnergy 2 Unmasked at RSA

SecureWorks researcher Joe Stewart revealed details of his research into a Russian botnet that has taken the unusual step of targeting Russian banks - a change from the typical focus on snaring victims in the West. The botnet also has a plug-in architecture that allows attackers to extend its abilities without writing new source code.

Like the sequel to a successful movie, the botnet behind the distributed denial of service attacks that hit the country of Georgia during its conflict with Russia in 2008 has been updated.

This time though, the idea isn't hacktivism-it's stealing financial data and, unlike in the case of other Russian botnets, the targets are the operators' own countrymen.

"They haven't historically gone after their own countrymen. ... It definitely looks like there's a trend because since that discovery I found two ... different bot families that are also targeting various Russian [and] Ukranian banking application systems," said Joe Stewart, security researcher with SecureWorks' Counter Threat Unit.

Stewart pulled the covers off from the botnet, which he calls BlackEnergy 2, this week at the RSA conference in San Francisco. According to SecureWorks, BlackEnergy 2 has been in quiet development for over a year. Though it still bears some of the hallmarks of the first BlackEnergy-the botnet involved in the Georgia cyber-attacks-it also represents a significant rewrite of the codebase and features a modular design that uses plug-ins for its distributed denial of service (DDoS), spam and malware capabilities.

"I started digging into that [malware] plug-in a little more and realized it's a keylogger and a file stealer for a very particular application," Stewart said. "Investigating that application, [it] turns out it's a banking authentication system that's only used by Russian and Ukranian banks.

"The one thing about BlackEnergy's diving into cyber-fraud is that it's also got these DDoS capabilities," he continued. "And what this criminal group is doing is they're using this banking plug-in to steal authentication credentials and then they are turning around and launching denial of service attacks against the same banks that use this authentication system. So it would seem that what they're doing is logging into the accounts and transferring money, and then launching an attack against the bank to distract them perhaps from being able to notice these transactions have occurred, or if they are getting notified, they are paying more attention to this denial of service attack that's taken all of their customers offline."

In addition, the Trojan plug-in is accompanied by a module designed to destroy the filesystem of an infected machine if it is given a "kill" command. This plug-in architecture separates it from other botnets like Zeus in that it can be extended without writing new source code into it, Stewart said.

"We're seeing more and more of the malware become modular and keep a core Trojan that's responsible for loading everything else on disk, allows them to swap things out more easily [and] keeps them from having to write a bunch of stuff, have it all detected by antivirus software and then have to recompile all that stuff," he said.

According to SecureWorks' research, the hackers are infecting the bank customers with the Trojan through pay-per-install malware scams, as well as possibly malicious e-mails and compromised Russian sites.

"Detection is the challenge," he said. "Trying to detect it on disk is always a situation where the antivirus companies are going to be X number of days or weeks behind just because it's so easy now for the virus authors, the Trojan authors, to run their sample through a service that scans it through all the different [antivirus] engines," Stewart said.

SecureWorks said the company notified law enforcement about its findings.