BlackEnergy first appeared in 2007. Originally built to launch distributed denial-of-service (DDoS) attacks or to download customized spam and banking data-stealer plug-ins, it resurfaced last May in an attack on the State Bar of Georgia.
Following the most recent cyber attack, the office had to suspend normal operations until the issue was addressed. Investigations that ensued soon after the incident revealed the use of BlackEnergy along with the identification of eight domains—clusteron[.]ru, svdrom[.]cn, funpic[.]org, logartos[.]org, pizdos[.]net, weberror[.]cn, h278666y[.]net, and inattack[.]ru—as indicators of compromise (IoCs).
Using these web properties as jump-off points for a deep dive enabled by WHOIS and Domain Name System (DNS) data led to the discovery of additional artifacts, described in the findings below.
A sample of the additional artifacts obtained from our analysis is available for download from our website.
To help organizations protect their networks from BlackEnergy-enabled attacks, we used WHOIS and DNS data to identify as many possibly related artifacts as we could.
Using the IoC domains identified as DNS lookup search terms led to the discovery of 49 IP addresses to which they resolved. These were spread across 11 countries led by the U.S., Netherlands, Russia, Germany, and Singapore.
None of these IP addresses is currently flagged as dangerous by the malware checks we conducted, but monitoring them for signs of malicious activity may still be worthwhile, since some of them served as shared hosts for the IoCs. That same fact is a caveat: an IP address that hosts many unrelated domains is a weak pivot, and blocking it outright risks cutting off legitimate sites that merely share the infrastructure.
A closer scrutiny of the historical WHOIS records of the domains tagged as IoCs, meanwhile, allowed us to uncover two unredacted email addresses—135224*****@163[.]com and asdf9*****@21cn[.]com—used to register them.
Reverse IP and reverse WHOIS lookups using the IP addresses and email addresses, respectively, as search terms further provided 6,003 possibly connected domains. A bulk WHOIS lookup for these showed that the largest share of them were registered through SnapNames, LLC, which accounted for 10% of the total domain volume, with the remaining registrars shown in the figure below.
The following chart compares the countries where most of the IP addresses (left: country geolocation) and domain registrations (right: registrant country) were concentrated.
The U.S., Netherlands, and Russia consistently figured in the top 5 countries in terms of both IP geolocation and domain registration. That isn’t surprising given that SnapNames, GoDaddy, NamePal, DropCatch, TurnCommerce, and Namecheap are based in the U.S., while REGRU-RU, RU-CENTER-RU, Regional Network Information Center, and REGTIME-RU are based in Russia.
As the final step, we subjected the 6,000+ possibly connected domains to a bulk malware check via the Threat Intelligence Platform (TIP) and found that 141 of them were detected by various malware engines as malware or spam hosts.
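The pivot chain described above (seed IoC domains, the IP addresses they resolved to, the registrant email addresses in their historical WHOIS records, reverse IP and reverse WHOIS lookups to collect connected domains, then a malware check over the result) can be reproduced offline against any passive-DNS and WHOIS export. The script below is an added example written for this article, not the tooling or data of the original research: the passive-DNS records, WHOIS records, "malware check" verdicts and the shared-host threshold are all constructed placeholders. It goes one step beyond the text by marking pivots through a heavily shared IP address or registrant email as weak, so that domains connected only through shared hosting land on a watch list rather than a block list.

```python
"""Offline DNS/WHOIS pivot from seed IoC domains to connected domains.

All records below are constructed sample data; the names, IPs and e-mail
addresses are placeholders and not indicators from the investigation.
"""
from collections import defaultdict

# Constructed passive-DNS records: (domain, IP address it resolved to).
PDNS = [
    ("ioc-one.example", "198.51.100.10"),
    ("ioc-one.example", "203.0.113.5"),
    ("ioc-two.example", "203.0.113.5"),
    ("connected-a.example", "198.51.100.10"),
    ("shared-1.example", "203.0.113.5"),
    ("shared-2.example", "203.0.113.5"),
    ("shared-3.example", "203.0.113.5"),
    ("shared-4.example", "203.0.113.5"),
    ("shared-5.example", "203.0.113.5"),
]

# Constructed historical WHOIS records: domain -> registrant e-mail.
WHOIS = {
    "ioc-one.example": "reg-one@example.net",
    "ioc-two.example": "reg-two@example.net",
    "connected-b.example": "reg-one@example.net",
    "connected-a.example": "other@example.net",
}

SEEDS = ["ioc-one.example", "ioc-two.example"]

# Constructed stand-in for a bulk malware/spam-host check.
MALWARE_FLAGGED = {"connected-b.example", "shared-3.example"}

# Assumed threshold: an IP or e-mail tied to at least this many domains is
# treated as shared infrastructure, and pivots through it are "weak".
SHARED_THRESHOLD = 4


def pivot(seeds, pdns, whois, shared_threshold=SHARED_THRESHOLD):
    """Expand seed domains via resolved IPs (reverse IP) and registrant
    e-mails (reverse WHOIS). Returns {domain: [(kind, value, weak), ...]}."""
    seeds = set(seeds)
    ip_to_domains = defaultdict(set)
    for domain, ip in pdns:
        ip_to_domains[ip].add(domain)
    email_to_domains = defaultdict(set)
    for domain, email in whois.items():
        email_to_domains[email].add(domain)

    # Step 1: IPs the seeds resolved to, and e-mails that registered them.
    seed_ips = {ip for ip, doms in ip_to_domains.items() if doms & seeds}
    seed_emails = {whois[d] for d in seeds if d in whois}

    # Step 2: reverse lookups, recording how each domain was reached and
    # whether the pivot value is shared by many domains (a weak link).
    links = defaultdict(list)
    for ip in sorted(seed_ips):
        weak = len(ip_to_domains[ip]) >= shared_threshold
        for d in ip_to_domains[ip] - seeds:
            links[d].append(("ip", ip, weak))
    for email in sorted(seed_emails):
        weak = len(email_to_domains[email]) >= shared_threshold
        for d in email_to_domains[email] - seeds:
            links[d].append(("email", email, weak))
    return dict(links)


def triage(links, seeds, flagged):
    """Step 3: combine pivot strength with the malware check.
    block  = seed IoC or flagged by the check
    review = reached through a strong pivot but not flagged
    watch  = reached only through shared infrastructure and not flagged"""
    verdict = {d: "block" for d in seeds}
    for d, pivots in links.items():
        if d in flagged:
            verdict[d] = "block"
        elif all(weak for _, _, weak in pivots):
            verdict[d] = "watch"
        else:
            verdict[d] = "review"
    return verdict


if __name__ == "__main__":
    found = pivot(SEEDS, PDNS, WHOIS)
    for domain, verdict in sorted(triage(found, SEEDS, MALWARE_FLAGGED).items()):
        print(f"{verdict:6} {domain}  via {found.get(domain, 'seed')}")
```

On the sample data the seeds resolve to two IPs, one of which hosts seven domains and is therefore treated as a shared host; the five domains reached only through it go on the watch list unless the malware check flags them, while the domain sharing a registrant email with a seed is a strong pivot. Tune the threshold to the hosting patterns in your own passive-DNS export.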
Organizations that want to avoid the operational disruption BlackEnergy can cause may want to block access to the domains identified as IoCs and the additional 141 possibly connected domains we found. Because the 141 were linked to the IoCs only through shared IP addresses or registrant email addresses, it is prudent to verify each before blocking, since a domain that merely shares a host with an IoC may be legitimate. Monitoring the connected IP addresses for signs of malicious activity may also help.
If you wish to perform a similar investigation or get access to the full data behind this research, please contact us.