New BlackEnergy Trojan Targeting Russian, Ukrainian Banks

Botnet lets attackers steal online banking credentials and DDoS Russian and Ukrainian banks

Dark Reading logo in a gray background | Dark Reading

SAN FRANCISCO -- RSA Conference 2010 -- Russian hackers have written a more sophisticated version of the infamous BlackEnergy Trojan associated with the 2008 cyberattacks against Georgia that now targets Russian and Ukrainian online banking customers.

Joe Stewart, a security researcher with SecureWorks, says Russian hackers are using the Trojan spread via the BlackEnergy botnet to hit Russian and Ukrainian banks with a two-pronged attack that steals their customers' online banking credentials and then wages a distributed denial-of-service (DDoS) attack on the banks as a cover: "They may be emptying the bank accounts while the banks are busy cleaning up from the DDoS," Stewart says.

Dubbed by Stewart as "BlackEnergy 2," this new version of the Trojan is a full rewrite of the code that features a modular architecture that supports plug-ins that can be written without access to its source code. It currently comes with three different DDoS plug-ins, as well as one for spamming and two for online banking fraud, according to Stewart.

And with the ability to target users in Russia and the Ukraine, BlackEnergy 2 is a departure from the tradition where many Russian hackers won't target their fellow countrymen or those from other former Soviet Republic countries. "The rules have changed," Stewart says. "There was once an unwritten rule that they didn't attack their own banks."

But like most cybercrime operations, money is money, and the BlackEnergy botnet gang appears to be expanding its operations for more profit.

Stewart says he has seen no public release of the development kit for BlackEnergy 2, but he was able to match "fingerprints" in the code of this new version with other source code written by the author.

So far the attackers using the Trojan and its new plug-ins against banks in Russian and the Ukraine appear to be infecting banking customers via pay-per-install malware scams -- likely via email, according to Stewart, who has notified Russian and Ukrainian law enforcement authorities about the botnet's new activities.

And in an especially nasty twist, one plug-in destroys the victim's hard drive. "Then they can't log into their bank," Stewart says. "But we've not seen that" being used in attacks yet, he says.

While the Zeus Trojan remains the most popular Trojan, Stewart says BlackEnergy 2 can do things Zeus cannot, such as stealing online credentials plus DDoS'ing. BlackEnergy 2 also steals the user's private encryption key. Stewart has written an analysis of the Trojan, available here.

So far the BlackEnergy 2 Trojan is targeting only Russian and Ukrainian online banking customers, but Stewart also has spotted two other banking Trojans that also target only Russian and former Soviet Union banking customers.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

About the Author

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights