Virus Type: Spyware, Advanced Persistent Threat (APT), Trojan
BlackEnergy is a Trojan that is used to conduct DDoS attacks, cyber espionage and information destruction attacks. Around 2014, a specific group of BlackEnergy attackers began deploying SCADA-related plugins to victims in the ICS (Industrial Control Systems) and energy markets around the world. This indicated a unique skill set, well above that of the average DDoS botnet master.
Since mid-2015, the BlackEnergy APT group has been actively using spear-phishing emails carrying malicious Excel documents with macros to infect computers in a targeted network. However, in January this year, Kaspersky Lab researchers discovered a new malicious document, which infects the system with a BlackEnergy Trojan. Unlike the Excel documents used in previous attacks, this was a Microsoft Word document.
Upon opening the document, the user is presented with a dialog recommending that macros should be enabled in order to view the content. Enabling the macros triggers the BlackEnergy malware infection.
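The delivery chain above relies on a macro-enabled Office document reaching a user who then enables macros. One defensive check a mail gateway or triage script can apply before a document ever reaches a user is to look inside the OOXML container for a VBA project, rather than trusting the file extension. The following is an added example written for this page, not Kaspersky Lab code; the function and sample names are assumptions, and the sample documents are constructed in memory so the script runs offline.

```python
import io
import zipfile

# Locations of the VBA project stream inside OOXML containers (Word, Excel, PowerPoint).
VBA_PROJECT_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
# Content type declared for the VBA project part in [Content_Types].xml.
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def find_macro_indicators(doc_bytes):
    """Return the reasons an OOXML document appears to carry VBA macros.

    An empty list means no macro indicators were found. Input that is not a zip
    container (for example a legacy .doc/.xls OLE2 file) is reported as
    'not-ooxml' so the caller can route it to a scanner for that format instead
    of silently treating it as clean.
    """
    try:
        zf = zipfile.ZipFile(io.BytesIO(doc_bytes))
    except zipfile.BadZipFile:
        return ["not-ooxml"]
    reasons = []
    names = set(zf.namelist())
    # Check for the macro stream itself, regardless of the file's extension.
    for part in VBA_PROJECT_PARTS:
        if part in names:
            reasons.append(f"vba-part:{part}")
    # Cross-check the declared content types; a mismatch is itself suspicious.
    if "[Content_Types].xml" in names:
        content_types = zf.read("[Content_Types].xml").decode("utf-8", errors="replace")
        if VBA_CONTENT_TYPE in content_types:
            reasons.append("vba-content-type")
    return reasons


def build_sample(parts):
    """Construct a minimal OOXML-like zip for testing (constructed sample, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in parts.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a macro-free document, a macro-bearing one, and a non-zip file.
CLEAN_DOCX = build_sample({
    "[Content_Types].xml": '<Types><Override PartName="/word/document.xml" '
                           'ContentType="application/vnd.openxmlformats-officedocument'
                           '.wordprocessingml.document.main+xml"/></Types>',
    "word/document.xml": "<w:document/>",
})
MACRO_DOCM = build_sample({
    "[Content_Types].xml": '<Types><Override PartName="/word/vbaProject.bin" '
                           'ContentType="application/vnd.ms-office.vbaProject"/></Types>',
    "word/document.xml": "<w:document/>",
    "word/vbaProject.bin": b"\x00placeholder VBA project stream\x00",
})
# OLE2 magic bytes followed by padding: stands in for a legacy binary-format file.
NOT_ZIP = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 16


def triage(samples):
    """Run the macro check over a mapping of filename -> bytes and return the findings."""
    return {name: find_macro_indicators(data) for name, data in samples.items()}


if __name__ == "__main__":
    findings = triage({"report.docx": CLEAN_DOCX, "invoice.docx": MACRO_DOCM, "old.doc": NOT_ZIP})
    for name, reasons in findings.items():
        print(f"{name}: {'FLAG' if reasons else 'ok'} {reasons}")
```

Note that the second constructed sample is deliberately named with a `.docx` extension even though it carries a VBA project: Word will still open and offer to enable the macros, so extension-based filtering alone misses it, which is why the check inspects the container contents.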
The BlackEnergy APT group is active in the following sectors:
The group is active against Ukrainian entities, especially those in the energy sector, government and media. It also attacks ICS/SCADA and energy companies worldwide. You could be at risk if you work for, own, or cooperate with organizations of this kind.
Kaspersky Lab products detect the various Trojans used by BlackEnergy as:
Indicators of compromise can be found in a blog post on Securelist.
A standard anti-malware solution is not enough. To prevent a BlackEnergy malware attack Kaspersky Lab recommends using a multi-layered approach that combines: