BlackEnergy is a kit with a long history and this new analysis is quite timely. In fact, malware researchers Robert Lipovsky and Anton Cherepanov from ESET will present a BlackEnergy paper at Virus Bulletin today.
Broderick's latest analysis includes details on a variant he has dubbed "BlackEnergy 3". Among the new features of the BlackEnergy build used by Quedagh is support for proxy servers when connecting to its C&Cs. In this case, the proxies are based in Ukraine, and there is compelling evidence that the Quedagh gang is targeting Ukrainian government organizations.
Who is behind BlackEnergy 3? Here are some theories:
1) The Kremlin is directly responsible, and using a crimeware kit provides plausible deniability.
2) Useful idiots (as in purely political, patriotic hacktivists).
3) Current or former cyber-criminals (aka privateers). BE3 is evolving to reflect "market" interests.
4) All of the above.
5) Perhaps all of this is wrong and it's the Dutch (it's not the Dutch).
Whoever is behind Quedagh's campaign, they're using what is (or at least was) generally considered to be a "commodity threat" to achieve "advanced persistent threat" goals. This appears to be a trend.
Quedagh Merchant is the name of a ship which was captured by Captain William Kidd, an infamous 17th-century Scottish privateer.
Our working theory is that the emergence of "intermediate persistent threats" such as BlackEnergy 3 is being driven by market forces and that cyber-criminals are expanding their capabilities into espionage and commoditized information warfare.