S0089 BlackEnergy
BlackEnergy is a malware toolkit that has been used by both criminal and APT actors. It dates back to at least 2007 and was originally designed to create botnets for conducting Distributed Denial of Service (DDoS) attacks, but its use has evolved to support various plug-ins. It is well known for being used during the confrontation between Georgia and Russia in 2008, as well as in targeting Ukrainian institutions. Variants include BlackEnergy 2 and BlackEnergy 3.[1]
Item | Value |
---|---|
ID | S0089 |
Associated Names | |
Type | MALWARE |
Version | 1.3 |
Created | 31 May 2017 |
Last Modified | 12 October 2022 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1548 | Abuse Elevation Control Mechanism | - |
enterprise | T1548.002 | Bypass User Account Control | BlackEnergy attempts to bypass default User Account Control (UAC) settings by exploiting a backward-compatibility setting found in Windows 7 and later.[1] |
enterprise | T1071 | Application Layer Protocol | - |
enterprise | T1071.001 | Web Protocols | BlackEnergy communicates with its C2 server over HTTP.[1] |
enterprise | T1547 | Boot or Logon Autostart Execution | - |
enterprise | T1547.001 | Registry Run Keys / Startup Folder | The BlackEnergy 3 variant drops its main DLL component and then creates a .lnk shortcut to that file in the Startup folder.[1] |
enterprise | T1547.009 | Shortcut Modification | The BlackEnergy 3 variant drops its main DLL component and then creates a .lnk shortcut to that file in the Startup folder.[1] |
enterprise | T1543 | Create or Modify System Process | - |
enterprise | T1543.003 | Windows Service | One variant of BlackEnergy creates a new service using either a hard-coded or a randomly generated name.[1] |
enterprise | T1555 | Credentials from Password Stores | - |
enterprise | T1555.003 | Credentials from Web Browsers | BlackEnergy has used a plug-in to gather credentials from web browsers including Firefox, Google Chrome, and Internet Explorer.[1][2] |
enterprise | T1485 | Data Destruction | BlackEnergy 2 contains a "Destroy" plug-in that destroys data stored on victim hard drives by overwriting file contents.[3][5] |
enterprise | T1008 | Fallback Channels | BlackEnergy has the capability to communicate over a backup channel via plus.google.com.[2] |
enterprise | T1083 | File and Directory Discovery | BlackEnergy gathers a list of installed applications from the Uninstall Registry key. It also gathers the registered mail, browser, and instant messaging clients from the Registry. BlackEnergy has searched for given file types.[1][2] |
enterprise | T1574 | Hijack Execution Flow | - |
enterprise | T1574.010 | Services File Permissions Weakness | One variant of BlackEnergy locates existing driver services that have been disabled and drops its driver component into the path of one of those services, replacing the legitimate executable. The malware then sets the hijacked service to start automatically to establish persistence.[1] |
enterprise | T1070 | Indicator Removal | BlackEnergy has removed the desktop watermark associated with enabling the TESTSIGNING boot configuration option by removing the relevant strings from user32.dll.mui on the system.[1] |
enterprise | T1070.001 | Clear Windows Event Logs | The BlackEnergy component KillDisk is capable of deleting Windows Event Logs.[4] |
enterprise | T1056 | Input Capture | - |
enterprise | T1056.001 | Keylogging | BlackEnergy has run a keylogger plug-in on a victim.[2] |
enterprise | T1046 | Network Service Discovery | BlackEnergy has conducted port scans on a host.[2] |
enterprise | T1120 | Peripheral Device Discovery | BlackEnergy can gather very specific information about attached USB devices, including the device instance ID and drive geometry.[2] |
enterprise | T1057 | Process Discovery | BlackEnergy has gathered a process list by using Tasklist.exe.[1][2][5] |
enterprise | T1055 | Process Injection | - |
enterprise | T1055.001 | Dynamic-link Library Injection | BlackEnergy injects its DLL component into svchost.exe.[1] |
enterprise | T1021 | Remote Services | - |
enterprise | T1021.002 | SMB/Windows Admin Shares | BlackEnergy has run a plug-in on a victim to spread through the local network by using PsExec and accessing admin shares.[2] |
enterprise | T1113 | Screen Capture | BlackEnergy is capable of taking screenshots.[2] |
enterprise | T1553 | Subvert Trust Controls | - |
enterprise | T1553.006 | Code Signing Policy Modification | BlackEnergy has enabled the TESTSIGNING boot configuration option to facilitate loading of a driver component.[1] |
enterprise | T1082 | System Information Discovery | BlackEnergy has used Systeminfo to gather the OS version, as well as information on the system configuration, BIOS, motherboard, and processor.[1][2] |
enterprise | T1016 | System Network Configuration Discovery | BlackEnergy has gathered information about network IP configuration using ipconfig.exe and about routing tables using route.exe.[1][2] |
enterprise | T1049 | System Network Connections Discovery | BlackEnergy has gathered information about local network connections using netstat.[1][2] |
enterprise | T1552 | Unsecured Credentials | - |
enterprise | T1552.001 | Credentials In Files | BlackEnergy has used a plug-in to gather credentials stored in files on the host by various software programs, including The Bat! email client, Outlook, and the Windows Credential Store.[1][2] |
enterprise | T1047 | Windows Management Instrumentation | A BlackEnergy 2 plug-in uses WMI to gather victim host details.[3] |
ics | T0865 | Spearphishing Attachment | BlackEnergy targeted energy sector organizations in a wide-reaching email spearphishing campaign. Adversaries used malicious Microsoft Word document attachments.[6] |
ics | T0869 | Standard Application Layer Protocol | BlackEnergy uses HTTP POST requests to contact external command and control servers.[6] |
ics | T0859 | Valid Accounts | BlackEnergy uses valid user and administrator credentials, in addition to creating new administrator accounts, to maintain presence.[6] |
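Several of the rows above (the Startup-folder shortcut, the TESTSIGNING change, the auto-start flip on a hijacked driver service, PsExec lateral movement, and the tasklist/systeminfo/ipconfig/route/netstat discovery commands) describe behaviour that is visible in ordinary host telemetry. The script below is an added example, not code from MITRE or from any of the cited vendors: it maps constructed Sysmon-style records to the technique IDs on this page. The event shape, the field names, the host names and every sample value are assumptions made for the example, and the registry match only raises a candidate, because setting a service to auto-start is also a routine administrative action.

```python
import ntpath
import re
from typing import Dict, List

# Constructed telemetry in a simplified Sysmon-like shape; these are NOT real
# BlackEnergy logs. id 1 = process creation, 11 = file creation,
# 13 = registry value set. Field names are the example's own.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"id": "1", "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit.exe /set testsigning on"},
    {"id": "11", "image": r"C:\Windows\System32\rundll32.exe",
     "target": r"C:\Users\oper\AppData\Roaming\Microsoft\Windows"
               r"\Start Menu\Programs\Startup\update.lnk"},
    {"id": "1", "image": r"C:\Windows\System32\tasklist.exe", "cmdline": "tasklist"},
    {"id": "1", "image": r"C:\Windows\System32\systeminfo.exe", "cmdline": "systeminfo"},
    {"id": "1", "image": r"C:\Windows\System32\ipconfig.exe", "cmdline": "ipconfig /all"},
    {"id": "1", "image": r"C:\Windows\System32\NETSTAT.EXE", "cmdline": "netstat -an"},
    {"id": "1", "image": r"C:\Tools\PsExec.exe",
     "cmdline": r"PsExec.exe \\10.0.0.7 -c -d C:\Tools\svc.exe"},
    {"id": "13", "image": r"C:\Windows\System32\services.exe",
     "target": r"HKLM\System\CurrentControlSet\Services\oldnic\Start",
     "details": "DWORD (0x00000002)"},
    {"id": "1", "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]

# Built-in tools the page lists under discovery, keyed by image basename.
DISCOVERY_TOOLS = {
    "tasklist.exe": ("T1057", "process list via tasklist"),
    "systeminfo.exe": ("T1082", "system details via systeminfo"),
    "ipconfig.exe": ("T1016", "IP configuration via ipconfig"),
    "route.exe": ("T1016", "routing table via route"),
    "netstat.exe": ("T1049", "network connections via netstat"),
}

# bcdedit turning TESTSIGNING on lets a test-signed driver load (T1553.006).
TESTSIGNING_ON = re.compile(r"\bbcdedit\b.*\btestsigning\b\s+on\b", re.IGNORECASE)
# PsExec pointed at a remote host, i.e. admin-share lateral movement (T1021.002).
PSEXEC = re.compile(r"\bpsexec(\.exe)?\b.*\\\\\S+", re.IGNORECASE)
# A .lnk written into a Startup folder (T1547.001; the page also files it as T1547.009).
STARTUP_LNK = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.IGNORECASE)
# Start value of a service; 2 is SERVICE_AUTO_START. A disabled driver service
# flipped to auto-start is the T1574.010 pattern described above.
SERVICE_START = re.compile(r"\\Services\\([^\\]+)\\Start$", re.IGNORECASE)


def analyze(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return one finding per event that matches a technique listed on the page."""
    findings: List[Dict[str, object]] = []

    def hit(index: int, technique: str, detail: str) -> None:
        findings.append({"event_index": index, "technique": technique, "detail": detail})

    for index, ev in enumerate(events):
        if ev["id"] == "1":
            cmd = ev.get("cmdline", "")
            if TESTSIGNING_ON.search(cmd):
                hit(index, "T1553.006", "bcdedit enabled TESTSIGNING")
            elif PSEXEC.search(cmd):
                hit(index, "T1021.002", "PsExec execution against a remote host")
            else:
                tool = DISCOVERY_TOOLS.get(ntpath.basename(ev["image"]).lower())
                if tool:
                    hit(index, tool[0], tool[1])
        elif ev["id"] == "11" and STARTUP_LNK.search(ev.get("target", "")):
            hit(index, "T1547.001", "shortcut dropped into a Startup folder")
        elif ev["id"] == "13":
            m = SERVICE_START.search(ev.get("target", ""))
            if m and "0x00000002" in ev.get("details", ""):
                # Candidate only: confirm the service was a disabled driver
                # service and inspect the binary now at its ImagePath.
                hit(index, "T1574.010",
                    f"service {m.group(1)} set to auto-start; verify its driver binary")
    return findings


def techniques(findings: List[Dict[str, object]]) -> List[str]:
    """Sorted, de-duplicated technique IDs from a list of findings."""
    return sorted({str(f["technique"]) for f in findings})


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"event {f['event_index']}: {f['technique']} - {f['detail']}")
```

Run against the constructed sample it flags eight of the nine events and leaves the notepad launch alone. The discovery matches are deliberately keyed on the image basename rather than the command line, since these binaries are also run by administrators; on a real estate they are worth a finding only when several of them fire from the same parent process within a short window, which is the pattern the references describe.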
Groups That Use This Software
ID | Name | References |
---|---|---|
G0034 | Sandworm Team | [7][8][9][10] |
References
1. F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016.
2. Baumgartner, K. and Garnaeva, M. (2014, November 3). BE2 custom plugins, router abuse, and target profiles. Retrieved March 24, 2016.
3. Baumgartner, K. and Garnaeva, M. (2015, February 17). BE2 extraordinary plugins, Siemens targeting, dev fails. Retrieved March 24, 2016.
4. Cherepanov, A. (2016, January 3). BlackEnergy by the SSHBearDoor: attacks against Ukrainian news media and electric industry. Retrieved May 18, 2016.
5. Cherepanov, A. (2016, January 3). BlackEnergy by the SSHBearDoor: attacks against Ukrainian news media and electric industry. Retrieved June 10, 2020.
6. Booz Allen Hamilton. When The Lights Went Out. Retrieved October 22, 2019.
7. Hultquist, J. (2016, January 7). Sandworm Team and the Ukrainian Power Authority Attacks. Retrieved October 6, 2017.
8. Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al. Retrieved November 25, 2020.
9. UK NCSC. (2020, October 19). UK exposes series of Russian cyber attacks against Olympic and Paralympic Games. Retrieved November 30, 2020.
10. Secureworks. (2020, May 1). IRON VIKING Threat Profile. Retrieved June 10, 2020.