1. Home
  2. Software
  3. BlackEnergy

BlackEnergy

BlackEnergy is a malware toolkit that has been used by both criminal and APT actors. It dates back to at least 2007 and was originally designed to create botnets for use in conducting Distributed Denial of Service (DDoS) attacks, but its use has evolved to support various plug-ins. It is well known for being used during the confrontation between Georgia and Russia in 2008, as well as in targeting Ukrainian institutions. Variants include BlackEnergy 2 and BlackEnergy 3. [1]

ID: S0089
Associated Software: Black Energy
Type: MALWARE
Platforms: Windows
Version: 1.4
Created: 31 May 2017
Last Modified: 06 October 2023
Enterprise Layer
download view
ICS Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1047 Windows管理规范

A BlackEnergy 2 plug-in uses WMI to gather victim host details.[2]
Enterprise T1555 .003 从密码存储中获取凭证: Credentials from Web Browsers

BlackEnergy has used a plug-in to gather credentials from web browsers including FireFox, Google Chrome, and Internet Explorer.[1][3]
Enterprise T1543 .003 创建或修改系统进程: Windows Service

One variant of BlackEnergy creates a new service using either a hard-coded or randomly generated name.[1]
Enterprise T1574 .010 劫持执行流: Services File Permissions Weakness

One variant of BlackEnergy locates existing driver services that have been disabled and drops its driver component into one of those service's paths, replacing the legitimate executable. The malware then sets the hijacked service to start automatically to establish persistence.[1]
Enterprise T1547 .001 启动或登录自动启动执行: Registry Run Keys / Startup Folder

The BlackEnergy 3 variant drops its main DLL component and then creates a .lnk shortcut to that file in the startup folder.[1]
.009 启动或登录自动启动执行: Shortcut Modification

The BlackEnergy 3 variant drops its main DLL component and then creates a .lnk shortcut to that file in the startup folder.[1]
Enterprise T1008 回退信道

BlackEnergy has the capability to communicate over a backup channel via plus.google.com.[3]
Enterprise T1120 外围设备发现

BlackEnergy can gather very specific information about attached USB devices, to include device instance ID and drive geometry.[3]
Enterprise T1113 屏幕捕获

BlackEnergy is capable of taking screenshots.[3]
Enterprise T1071 .001 应用层协议: Web Protocols

BlackEnergy communicates with its C2 server over HTTP.[1]
Enterprise T1485 数据销毁

BlackEnergy 2 contains a "Destroy" plug-in that destroys data stored on victim hard drives by overwriting file contents.[2][4]
Enterprise T1083 文件和目录发现

BlackEnergy gathers a list of installed apps from the uninstall program Registry. It also gathers registered mail, browser, and instant messaging clients from the Registry. BlackEnergy has searched for given file types.[1][3]
Enterprise T1552 .001 未加密凭证: Credentials In Files

BlackEnergy has used a plug-in to gather credentials stored in files on the host by various software programs, including The Bat! email client, Outlook, and Windows Credential Store.[1][3]
Enterprise T1548 .002 滥用权限提升控制机制: Bypass User Account Control

BlackEnergy attempts to bypass default User Access Control (UAC) settings by exploiting a backward-compatibility setting found in Windows 7 and later.[1]
Enterprise T1070 移除指标

BlackEnergy has removed the watermark associated with enabling the TESTSIGNING boot configuration option by removing the relevant strings in the user32.dll.mui of the system.[1]
.001 Clear Windows Event Logs

The BlackEnergy component KillDisk is capable of deleting Windows Event Logs.[5]
Enterprise T1082 系统信息发现

BlackEnergy has used Systeminfo to gather the OS version, as well as information on the system configuration, BIOS, the motherboard, and the processor.[1][3]
Enterprise T1049 系统网络连接发现

BlackEnergy has gathered information about local network connections using netstat.[1][3]
Enterprise T1016 系统网络配置发现

BlackEnergy has gathered information about network IP configurations using ipconfig.exe and about routing tables using route.exe.[1][3]
Enterprise T1046 网络服务发现

BlackEnergy has conducted port scans on a host.[3]
Enterprise T1056 .001 输入捕获: Keylogging

BlackEnergy has run a keylogger plug-in on a victim.[3]
Enterprise T1057 进程发现

BlackEnergy has gathered a process list by using Tasklist.exe.[1][3][4]
Enterprise T1055 .001 进程注入: Dynamic-link Library Injection

BlackEnergy injects its DLL component into svchost.exe.[1]
Enterprise T1021 .002 远程服务: SMB/Windows Admin Shares

BlackEnergy has run a plug-in on a victim to spread through the local network by using PsExec and accessing admin shares.[3]
Enterprise T1553 .006 颠覆信任控制: Code Signing Policy Modification

BlackEnergy has enabled the TESTSIGNING boot configuration option to facilitate loading of a driver component.[1]
ICS T0865 Spearphishing Attachment

BlackEnergy targeted energy sector organizations in a wide reaching email spearphishing campaign. Adversaries utilized malicious Microsoft Word documents attachments. [6]
ICS T0869 Standard Application Layer Protocol

BlackEnergy uses HTTP POST request to contact external command and control servers. [6]
ICS T0859 Valid Accounts

BlackEnergy utilizes valid user and administrator credentials, in addition to creating new administrator accounts to maintain presence. [6]

Groups That Use This Software

ID Name References
G0034 Sandworm Team

[7][1][8][9][10][11]

Campaigns

ID Name Description
C0028 2015 Ukraine Electric Power Attack

[6]

References

  1. F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016.
  2. Baumgartner, K. and Garnaeva, M.. (2015, February 17). BE2 extraordinary plugins, Siemens targeting, dev fails. Retrieved March 24, 2016.
  3. Baumgartner, K. and Garnaeva, M.. (2014, November 3). BE2 custom plugins, router abuse, and target profiles. Retrieved March 24, 2016.
  4. Cherepanov, A.. (2016, January 3). BlackEnergy by the SSHBearDoor: attacks against Ukrainian news media and electric industry . Retrieved June 10, 2020.
  5. Cherepanov, A.. (2016, January 3). BlackEnergy by the SSHBearDoor: attacks against Ukrainian news media and electric industry. Retrieved May 18, 2016.
  6. Booz Allen Hamilton. (2016). When The Lights Went Out. Retrieved December 18, 2024.
  1. Hultquist, J.. (2016, January 7). Sandworm Team and the Ukrainian Power Authority Attacks. Retrieved October 6, 2017.
  2. Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020.
  3. UK NCSC. (2020, October 19). UK exposes series of Russian cyber attacks against Olympic and Paralympic Games . Retrieved November 30, 2020.
  4. Secureworks. (2020, May 1). IRON VIKING Threat Profile. Retrieved June 10, 2020.
  5. Andy Greenberg. (2017, June 28). How an Entire Nation Became Russia's Test Lab for Cyberwar. Retrieved September 27, 2023.