Skip to content

S0089 BlackEnergy

BlackEnergy is a malware toolkit that has been used by both criminal and APT actors. It dates back to at least 2007 and was originally designed to create botnets for use in conducting Distributed Denial of Service (DDoS) attacks, but its use has evolved to support various plug-ins. It is well known for being used during the confrontation between Georgia and Russia in 2008, as well as in targeting Ukrainian institutions. Variants include BlackEnergy 2 and BlackEnergy 3. 1

Item Value
ID S0089
Associated Names
Version 1.3
Created 31 May 2017
Last Modified 12 October 2022
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1548 Abuse Elevation Control Mechanism -
enterprise T1548.002 Bypass User Account Control BlackEnergy attempts to bypass default User Access Control (UAC) settings by exploiting a backward-compatibility setting found in Windows 7 and later.1
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols BlackEnergy communicates with its C2 server over HTTP.1
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder The BlackEnergy 3 variant drops its main DLL component and then creates a .lnk shortcut to that file in the startup folder.1
enterprise T1547.009 Shortcut Modification The BlackEnergy 3 variant drops its main DLL component and then creates a .lnk shortcut to that file in the startup folder.1
enterprise T1543 Create or Modify System Process -
enterprise T1543.003 Windows Service One variant of BlackEnergy creates a new service using either a hard-coded or randomly generated name.1
enterprise T1555 Credentials from Password Stores -
enterprise T1555.003 Credentials from Web Browsers BlackEnergy has used a plug-in to gather credentials from web browsers including FireFox, Google Chrome, and Internet Explorer.12
enterprise T1485 Data Destruction BlackEnergy 2 contains a “Destroy” plug-in that destroys data stored on victim hard drives by overwriting file contents.35
enterprise T1008 Fallback Channels BlackEnergy has the capability to communicate over a backup channel via
enterprise T1083 File and Directory Discovery BlackEnergy gathers a list of installed apps from the uninstall program Registry. It also gathers registered mail, browser, and instant messaging clients from the Registry. BlackEnergy has searched for given file types.12
enterprise T1574 Hijack Execution Flow -
enterprise T1574.010 Services File Permissions Weakness One variant of BlackEnergy locates existing driver services that have been disabled and drops its driver component into one of those service’s paths, replacing the legitimate executable. The malware then sets the hijacked service to start automatically to establish persistence.1
enterprise T1070 Indicator Removal BlackEnergy has removed the watermark associated with enabling the TESTSIGNING boot configuration option by removing the relevant strings in the user32.dll.mui of the system.1
enterprise T1070.001 Clear Windows Event Logs The BlackEnergy component KillDisk is capable of deleting Windows Event Logs.4
enterprise T1056 Input Capture -
enterprise T1056.001 Keylogging BlackEnergy has run a keylogger plug-in on a victim.2
enterprise T1046 Network Service Discovery BlackEnergy has conducted port scans on a host.2
enterprise T1120 Peripheral Device Discovery BlackEnergy can gather very specific information about attached USB devices, to include device instance ID and drive geometry.2
enterprise T1057 Process Discovery BlackEnergy has gathered a process list by using Tasklist.exe.125
enterprise T1055 Process Injection -
enterprise T1055.001 Dynamic-link Library Injection BlackEnergy injects its DLL component into svchost.exe.1
enterprise T1021 Remote Services -
enterprise T1021.002 SMB/Windows Admin Shares BlackEnergy has run a plug-in on a victim to spread through the local network by using PsExec and accessing admin shares.2
enterprise T1113 Screen Capture BlackEnergy is capable of taking screenshots.2
enterprise T1553 Subvert Trust Controls -
enterprise T1553.006 Code Signing Policy Modification BlackEnergy has enabled the TESTSIGNING boot configuration option to facilitate loading of a driver component.1
enterprise T1082 System Information Discovery BlackEnergy has used Systeminfo to gather the OS version, as well as information on the system configuration, BIOS, the motherboard, and the processor.12
enterprise T1016 System Network Configuration Discovery BlackEnergy has gathered information about network IP configurations using ipconfig.exe and about routing tables using route.exe.12
enterprise T1049 System Network Connections Discovery BlackEnergy has gathered information about local network connections using netstat.12
enterprise T1552 Unsecured Credentials -
enterprise T1552.001 Credentials In Files BlackEnergy has used a plug-in to gather credentials stored in files on the host by various software programs, including The Bat! email client, Outlook, and Windows Credential Store.12
enterprise T1047 Windows Management Instrumentation A BlackEnergy 2 plug-in uses WMI to gather victim host details.3
ics T0865 Spearphishing Attachment BlackEnergy targeted energy sector organizations in a wide reaching email spearphishing campaign. Adversaries utilized malicious Microsoft Word documents attachments. 6
ics T0869 Standard Application Layer Protocol BlackEnergy uses HTTP POST request to contact external command and control servers. 6
ics T0859 Valid Accounts BlackEnergy utilizes valid user and administrator credentials, in addition to creating new administrator accounts to maintain presence. 6

Groups That Use This Software

ID Name References
G0034 Sandworm Team 718910