Search This Blog
Wednesday, November 5, 2014
(I) BlackEnergy - you guessed it, more Malware Management goodness trying to act like Adobe
When is something that looks like Adobe, not Adobe? When it's Malware of course.
Like the BackOff malware BlackEnergy also tries to fool the user or admins and hide as an Adobe application. See a pattern yet?
BlackEnergy uses similar user based areas to store the malware, but also uses the Windows structure as well!
BlackEnergy is a great example of the Malware Management Framework working yet again. There is something interesting about the malware that I may not have covered before in regards to the Windows directories that is important.
First off, yet again AppData is getting used for file drops. Unlike BackOff which used AppData\Roaming (%AppData%), BlackEnergy uses the %LocalAppData% variable which points to the users AppData\Local directory and in this case creates a directory called "Adobe" to drop the three .DAT and one .SOL files. Even more interesting, it drops five additional .DAT files into \Windows\System32\Drivers!
Why is this interesting for Malware Management? The Windows \Drivers directory contains mostly .SYS files and only 3 other odd file types. So if you were looking at five new .DAT files in your script/tool output, this should strike you as odd and warrant an investigation. On top of the fact the malware dropped similar .DAT files in \AppData\Local\Adobe.
BlackEnergy used the AutoRuns Startup folder to launch the malware, a typical place to look if you are an a incident Responder or Blue Team defender. The important take-away for BlackEnergy is to focus on NEW file types that are not like what is already there, in this case .SYS files.
You should then automatically look to see if any of these .DAT files are executables (Starting with MZ) and thus realize instantly they are bad if they are executables. Using 'Sigcheck -e' is great way to check to see if a file is an executable as many malware files are called by the launcher and named just about anything, but are indeed executables, which is bad.
So yet another example of Malware Management being applied to improve your security posture.
SecureList Research on BlackEnergy