BlackEnergy is a malware toolkit that has been used by both criminal and APT actors. It dates back to at least 2007 and was originally designed to create botnets for use in conducting Distributed Denial of Service (DDoS) attacks, but its use has evolved to support various plug-ins. It is well known for being used during the confrontation between Georgia and Russia in 2008, as well as in targeting Ukrainian institutions. Variants include BlackEnergy 2 and BlackEnergy 3. [1]

ID: S0089
Associated Software: Black Energy

Platforms: Windows

Version: 1.1

Techniques Used

Domain | ID | Name | Use
Enterprise | T1088 | Bypass User Account Control | BlackEnergy attempts to bypass default User Account Control (UAC) settings by exploiting a backward-compatibility setting found in Windows 7 and later. [1]
Enterprise | T1081 | Credentials in Files | BlackEnergy has used a plug-in to gather credentials stored in files on the host by various software programs, including The Bat! email client, Mozilla password manager, Google Chrome password manager, Outlook, Internet Explorer, and Windows Credential Store. [1][2]
Enterprise | T1485 | Data Destruction | BlackEnergy 2 contains a "Destroy" plug-in that destroys data stored on victim hard drives by overwriting file contents. [3]
Enterprise | T1008 | Fallback Channels | BlackEnergy has the capability to communicate over a backup channel via [2]
Enterprise | T1083 | File and Directory Discovery | BlackEnergy gathers a list of installed apps from the uninstall program Registry. It also gathers registered mail, browser, and instant messaging clients from the Registry. BlackEnergy has searched for given file types. [1][2]
Enterprise | T1044 | File System Permissions Weakness | One variant of BlackEnergy locates existing driver services that have been disabled and drops its driver component into one of those services' paths, replacing the legitimate executable. The malware then sets the hijacked service to start automatically to establish persistence. [1]
Enterprise | T1070 | Indicator Removal on Host | The BlackEnergy component KillDisk is capable of deleting Windows Event Logs. [4]
Enterprise | T1056 | Input Capture | BlackEnergy has run a keylogger plug-in on a victim. [2]
Enterprise | T1046 | Network Service Scanning | BlackEnergy has conducted port scans on a host. [2]
Enterprise | T1050 | New Service | One variant of BlackEnergy creates a new service using either a hard-coded or randomly generated name. [1]
Enterprise | T1120 | Peripheral Device Discovery | BlackEnergy can gather very specific information about attached USB devices, including device instance ID and drive geometry. [2]
Enterprise | T1057 | Process Discovery | BlackEnergy has gathered a process list by using Tasklist.exe. [1][2]
Enterprise | T1055 | Process Injection | BlackEnergy injects its DLL component into svchost.exe. [1]
Enterprise | T1060 | Registry Run Keys / Startup Folder | The BlackEnergy 3 variant drops its main DLL component and then creates a .lnk shortcut to that file in the startup folder. [1]
Enterprise | T1113 | Screen Capture | BlackEnergy is capable of taking screenshots. [2]
Enterprise | T1023 | Shortcut Modification | The BlackEnergy 3 variant drops its main DLL component and then creates a .lnk shortcut to that file in the startup folder. [1]
Enterprise | T1071 | Standard Application Layer Protocol | BlackEnergy communicates with its C2 server over HTTP. [1]
Enterprise | T1082 | System Information Discovery | BlackEnergy has used Systeminfo to gather the OS version, as well as information on the system configuration, BIOS, the motherboard, and the processor. [1][2]
Enterprise | T1016 | System Network Configuration Discovery | BlackEnergy has gathered information about network IP configurations using ipconfig.exe and about routing tables using route.exe. [1][2]
Enterprise | T1049 | System Network Connections Discovery | BlackEnergy has gathered information about local network connections using netstat. [1][2]
Enterprise | T1077 | Windows Admin Shares | BlackEnergy has run a plug-in on a victim to spread through the local network by using PsExec and accessing admin shares. [2]
Enterprise | T1047 | Windows Management Instrumentation | A BlackEnergy 2 plug-in uses WMI to gather victim host details. [3]


Groups that use this software:

Sandworm Team