Software: BlackEnergy, Black Energy

From enterprise
Jump to: navigation, search
BlackEnergy, Black Energy
ID S0089
Aliases BlackEnergy, Black Energy
Type Malware

BlackEnergy is a malware toolkit that has been used by both criminal and APT actors. It dates back to at least 2007 and was originally designed to create botnets for use in conducting Distributed Denial of Service (DDoS) attacks, but its use has evolved to support various plug-ins. It is well known for being used during the confrontation between Georgia and Russia in 2008, as well as in targeting Ukrainian institutions. Variants include BlackEnergy 2 and BlackEnergy 3.1

Techniques Used

  • Bypass User Account Control - BlackEnergy attempts to bypass default User Access Control (UAC) settings by exploiting a backward-compatibility setting found in Windows 7 and later.1
  • File System Permissions Weakness - One variant of BlackEnergy locates existing driver services that have been disabled and drops its driver component into one of those service's paths, replacing the legitimate executable. The malware then sets the hijacked service to start automatically to establish persistence.1
  • New Service - One variant of BlackEnergy creates a new service using either a hard-coded or randomly generated name.1
  • File and Directory Discovery - BlackEnergy gathers a list of installed apps from the uninstall program Registry. It also gathers registered mail, browser, and instant messaging clients from the Registry.1 BlackEnergy has searched for given file types.2
  • Credentials in Files - BlackEnergy has used a plug-in to gather credentials stored in files on the host by various software programs, including The Bat! email client, Mozilla password manager, Google Chrome password manager, Outlook, Internet Explorer, and Windows Credential Store.12
  • Windows Admin Shares - BlackEnergy has run a plug-in on a victim to spread through the local network by using PsExec and accessing admin shares.2
  • Fallback Channels - BlackEnergy has the capability to communicate over a backup channel via
  • Input Capture - BlackEnergy has run a keylogger plug-in on a victim.2
  • File Deletion - BlackEnergy 2 contains a "Destroy" plug-in that destroys data stored on victim hard drives by overwriting file contents.3
  • Peripheral Device Discovery - BlackEnergy can gather very specific information about attached USB devices, to include device instance ID and drive geometry.2
  • Shortcut Modification - The BlackEnergy 3 variant drops its main DLL component and then creates a .lnk shortcut to that file in the startup folder.1


The following groups use this software: