New BlackEnergy Trojan Targeting Russian, Ukrainian Banks

SAN FRANCISCO -- RSA Conference 2010 -- Russian hackers have written a more sophisticated version of the infamous BlackEnergy Trojan associated with the 2008 cyberattacks against Georgia that now targets Russian and Ukrainian online banking customers.

Joe Stewart, a security researcher with SecureWorks, says Russian hackers are using the Trojan spread via the BlackEnergy botnet to hit Russian and Ukrainian banks with a two-pronged attack that steals their customers' online banking credentials and then wages a distributed denial-of-service (DDoS) attack on the banks as a cover: "They may be emptying the bank accounts while the banks are busy cleaning up from the DDoS," Stewart says.

Dubbed by Stewart as "BlackEnergy 2," this new version of the Trojan is a full rewrite of the code that features a modular architecture that supports plug-ins that can be written without access to its source code. It currently comes with three different DDoS plug-ins, as well as one for spamming and two for online banking fraud, according to Stewart.

And with the ability to target users in Russia and the Ukraine, BlackEnergy 2 is a departure from the tradition where many Russian hackers won't target their fellow countrymen or those from other former Soviet Republic countries. "The rules have changed," Stewart says. "There was once an unwritten rule that they didn't attack their own banks."

But like most cybercrime operations, money is money, and the BlackEnergy botnet gang appears to be expanding its operations for more profit.

Stewart says he has seen no public release of the development kit for BlackEnergy 2, but he was able to match "fingerprints" in the code of this new version with other source code written by the author.

So far the attackers using the Trojan and its new plug-ins against banks in Russian and the Ukraine appear to be infecting banking customers via pay-per-install malware scams -- likely via email, according to Stewart, who has notified Russian and Ukrainian law enforcement authorities about the botnet's new activities.

And in an especially nasty twist, one plug-in destroys the victim's hard drive. "Then they can't log into their bank," Stewart says. "But we've not seen that" being used in attacks yet, he says.

While the Zeus Trojan remains the most popular Trojan, Stewart says BlackEnergy 2 can do things Zeus cannot, such as stealing online credentials plus DDoS'ing. BlackEnergy 2 also steals the user's private encryption key. Stewart has written an analysis of the Trojan, available here.

So far the BlackEnergy 2 Trojan is targeting only Russian and Ukrainian online banking customers, but Stewart also has spotted two other banking Trojans that also target only Russian and former Soviet Union banking customers.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.