Former DDoS tool extended to target Cisco network devices and user data.
The BlackEnergy advanced persistent threat (APT) is now targeting industrial organisations with plugins aimed at Cisco network devices, further hardware architectures and users' data, according to security firm Kaspersky Lab.
Beginning as a tool for distributed-denial-of-service (DDoS) attacks, the malware has been repurposed through custom plugins in subsequent versions; how many criminal gangs hold the malware remains unknown.
Kurt Baumgartner and Maria Garnaeva, security researchers at Kaspersky, said: "These attackers are careful to hide and defend their long-term presence within compromised environments.
"The malware’s previously undescribed breadth means attackers present new technical challenges in unusual environments, including SCADA (supervisory control and data acquisition) networks."
The pair noted that the dangers posed by the APT "may take an organisation’s defenders far beyond their standard routine and out of their comfort zone", with a variety of command and control (C&C) servers hosting different plugins for different jobs.
Customised plugins exist for both Linux and Windows, and carry commands for keylogging, remote desktop access and hard disk destruction, among other functions.
"Some plugins remain mysterious and their purpose is not yet clear, like ‘usb’ and ‘bios’," Baumgartner and Garnaeva added. "Why would the attackers need information on USB and BIOS (Basic Input/Output System) characteristics?
"It suggests that, based on specific USB and BIOS devices, the attackers may upload specific plugins to carry out additional actions. Perhaps destructive, perhaps to further infect devices. We don’t know yet."
BlackEnergy2 has been found targeting victims as far afield as south-east Asia and western Europe, with the profiles of those affected suggesting to Kaspersky that the hackers have an interest in industrial control systems (ICS).
The attackers distributed the malware using techniques as simple as a malicious email attachment, with the executable disguised under a misleading file extension.
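As an added example that is not part of the article or of Kaspersky's research: a small Python triage routine of the kind a mail gateway or incident responder would run against the disguise described above, comparing what an attachment's name claims with what its leading bytes actually are. The magic-byte table, the extension lists and the sample attachments are constructed for illustration; the double-extension and Right-to-Left Override checks are general disguise tricks, not specifics the article attributes to BlackEnergy.

```python
"""Attachment triage: does the content match the extension the filename claims?

Example code added to illustrate the article; not Kaspersky's tooling.
The magic-byte table and extension lists below are assumptions for illustration.
"""
import os

# Leading bytes that identify common container formats (constructed table, not exhaustive).
MAGIC = [
    (b"MZ", "pe"),                                  # Windows PE executable: .exe/.dll/.scr
    (b"\x7fELF", "elf"),                            # Linux executable
    (b"%PDF", "pdf"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),    # legacy Office binary: .doc/.xls/.ppt
    (b"PK\x03\x04", "zip"),                         # zip, also OOXML .docx/.xlsx/.pptx
    (b"\x1f\x8b", "gzip"),
]

# Content type each claimed extension is expected to carry (assumption).
EXPECTED = {
    ".pdf": {"pdf"},
    ".doc": {"ole"}, ".xls": {"ole"}, ".ppt": {"ole"},
    ".docx": {"zip"}, ".xlsx": {"zip"}, ".pptx": {"zip"},
    ".zip": {"zip"}, ".gz": {"gzip"},
    ".exe": {"pe"}, ".dll": {"pe"}, ".scr": {"pe"},
}

# Extensions Windows runs directly on double-click (non-exhaustive assumption).
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js", ".jar"}

RLO = "\u202e"  # Right-to-Left Override: visually reverses the tail of a filename


def sniff(data: bytes) -> str:
    """Return the content type implied by the leading bytes, or 'unknown'."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def triage(filename: str, data: bytes) -> list:
    """Return reasons to distrust the attachment; an empty list means no finding."""
    findings = []

    # Remove the RLO trick first so the extension we reason about is the real one.
    if RLO in filename:
        findings.append("filename contains Right-to-Left Override (U+202E)")
        filename = filename.replace(RLO, "")

    base, ext = os.path.splitext(filename)
    ext = ext.lower()
    inner_ext = os.path.splitext(base)[1].lower()

    # "report.pdf.exe": a document-looking inner extension in front of an executable one.
    if ext in EXECUTABLE_EXTS and inner_ext in EXPECTED and inner_ext not in EXECUTABLE_EXTS:
        findings.append(f"double extension {inner_ext}{ext} hides an executable")

    kind = sniff(data)
    if kind in ("pe", "elf") and ext not in EXECUTABLE_EXTS:
        # Executable bytes under a non-executable name: the disguise the article describes.
        findings.append(f"content is a {kind} executable but extension is {ext or '(none)'}")
    elif ext in EXPECTED and kind not in EXPECTED[ext]:
        # Name claims one format, bytes say another (not always malicious, but worth a look).
        findings.append(f"extension {ext} expects {sorted(EXPECTED[ext])} but content sniffs as {kind}")

    return findings


if __name__ == "__main__":
    # Constructed sample attachments: a real PDF header and a minimal PE stub.
    pdf_bytes = b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"
    pe_bytes = b"MZ\x90\x00" + b"\x00" * 60
    samples = [
        ("invoice.pdf", pdf_bytes),
        ("invoice.pdf", pe_bytes),
        ("report.pdf.exe", pe_bytes),
        ("annex" + RLO + "fdp.scr", pe_bytes),
    ]
    for name, blob in samples:
        print(repr(name), "->", triage(name, blob) or "clean")
```

The check deliberately works from bytes rather than from the name alone: a gateway that trusts the extension is exactly what the disguise exploits, while sniffing the header catches the executable whatever it is called.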