Hello, today we will talk about detection methods for the new version of BlackEnergy (4.0?) using the QualysGuard Policy Compliance module.
According to the results of our research, as well as some other reports that will be published later, we found some common signs of attack, known as IOCs (Indicators of Compromise), and we managed to test them using the abovementioned module.
The IOCs were based on the analysis of the infected systems’ behavior and the fact that the malware was configured for each attack individually. The IOCs were divided into 5 groups according to the following criteria:
We can state that the presence of two or more controls from Groups 3, 4 and 5 is proof of system compromise. We checked which files and system settings were changed, and based on this analysis we created User Defined Controls (UDCs) for Qualys Policy Compliance.
The controls can be divided into 5 groups:
The malware’s acpipme.sys signature looks like this:
While there is usually no signature for the reference file acpipmi.sys:
The other reference files have a signature like this:
And this is a typical driver with the BE backdoor and a self-signed certificate:
Also pay attention to the file details description for any inconsistencies or mismatches. For example, on the left you can see a screenshot of the infected file and on the right a reference:
And here is another comparison; the infected file is on the left and the reference is on the right:
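The signature and file-details comparison described above can also be collected from a PowerShell prompt. This is an added example, not part of the original article or the UDCs; it assumes the four driver names from the control list sit in the default drivers directory, and the choice of SHA256 is an assumption, so use whatever algorithm your reference hashes are in.

```powershell
# Added example: collect signature and file details for the drivers named in this article.
# Assumptions: default driver directory; run from 64-bit PowerShell so System32 is not redirected.
$driverNames = 'acpipmi.sys', 'adpu320.sys', 'aliide.sys', 'amdide.sys'
$driverDir   = Join-Path $env:SystemRoot 'System32\drivers'

function Get-DriverTriage {
    param([string]$Path)
    $row = [ordered]@{
        File = Split-Path $Path -Leaf; Present = $false; SizeBytes = $null
        SHA256 = $null; SigStatus = $null; Signer = $null; SelfSigned = $false
        Company = $null; Description = $null; OriginalName = $null
    }
    if (Test-Path -LiteralPath $Path) {
        $file = Get-Item -LiteralPath $Path
        $sig  = Get-AuthenticodeSignature -LiteralPath $Path
        $cert = $sig.SignerCertificate
        $row.Present   = $true
        $row.SizeBytes = $file.Length
        $row.SHA256    = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        $row.SigStatus = $sig.Status
        if ($cert) {
            $row.Signer = $cert.Subject
            # A certificate whose subject equals its issuer is self-signed.
            $row.SelfSigned = ($cert.Subject -eq $cert.Issuer)
        }
        # File details to compare against a known-good copy of the same driver.
        $row.Company      = $file.VersionInfo.CompanyName
        $row.Description  = $file.VersionInfo.FileDescription
        $row.OriginalName = $file.VersionInfo.OriginalFilename
    }
    [pscustomobject]$row
}

$report = foreach ($name in $driverNames) {
    Get-DriverTriage -Path (Join-Path $driverDir $name)
}

# Full details for side-by-side comparison with a reference system.
$report | Format-List

# NotSigned alone is not an indicator (the reference acpipmi.sys usually has no
# signature); a self-signed signer or a signature that fails validation needs review.
$report | Where-Object {
    $_.Present -and ($_.SelfSigned -or $_.SigStatus -notin 'Valid', 'NotSigned')
} | Format-Table File, SigStatus, Signer, SizeBytes
```

Compare the reported hash, size and file details with the same driver taken from a clean system of the same Windows version.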
In order to analyze the suspected systems (and these can be any Windows machines), you need to download the controls listed at the end of the article, create a policy and run a scan with QualysGuard Policy Compliance. Here is a step-by-step guide:
We will be grateful to receive your feedback, good hunting!
Take care of yourself.
P.S. You can download all the mentioned UDCs in a zip archive below. A trial QualysGuard Policy Compliance account can be requested here.
SPID_0004_QUALYS_ adpu320_Correct.xml control checks the standard hash value.
SPID_0003_QUALYS_acpipmi_Correct.xml control checks the standard hash value.
SPID_0007_QUALYS_aliide_Correct.xml control checks the standard hash value.
SPID_0010_QUALYS_amdide_Correct.xml control checks the standard hash value.
SPID_0006_QUALYS_aliide_Compromised.xml control checks the hash of the file against two hashes of available malware, and you can also view the file size.
SPID_0009_QUALYS_amdide_Compromised.xml control checks the hash of the file against two hashes of available malware, and you can also view the file size.
SPID_0004_QUALYS_adpu320_Compromised.xml control checks the hash of the file against two hashes of available malware, and you can also view the file size.
SPID_0002_QUALYS_acpipmi_Compromised.xml control checks the hash of the file against two hashes of available malware, and you can also view the file size.
SPID_0012_QUALYS_svchost_Location.xml control looks for svchost.exe file in the wrong locations.
SPID_0001_QUALYS_ Registry_IOC_MicrosoftSecurity.xml control checks for a suspicious registry key.
SPID_0008_QUALYS_aliideStart.xml checks the status of services and whether they are run as default.
SPID_0011_QUALYS_amdideStart.xml checks the status of services and whether they are run as default.