BlackEnergy, its first version abbreviated BE1, started as crimeware sold in the Russian cyber underground as early as 2007. Initially it was designed as a toolkit for building botnets to conduct DDoS attacks, and it supported a variety of flooding commands covering ICMP, TCP SYN, UDP, HTTP and DNS. Among the high-profile targets of attacks using BE1 were a Norwegian bank and Georgian government websites three weeks before the Russo-Georgian War.

Version 2 of BlackEnergy, BE2, came in 2008 with a complete code rewrite that introduced a protective layer, a kernel-mode rootkit and a modular architecture. Its plugins were mostly DDoS attacks, plus a spam plugin and two banking-authentication plugins for stealing from Russian and Ukrainian banks; the banking plugin was paired with a module designed to destroy the filesystem. In addition, BE2 was able to:
- download and execute a remote file;
- execute a local file on the infected computer;
- update the bot and its plugins.
The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) issued an alert warning that BE2 was leveraging the human-machine interfaces (HMIs) of industrial control systems such as GE CIMPLICITY, Advantech/Broadwin WebAccess and Siemens WinCC to gain access to critical infrastructure networks.

In 2014 the toolkit, now BE3, switched to a lighter footprint with no kernel-mode driver component. Its plugins included:
- operations on the victim's filesystem;
- spreading via a parasitic file infector;
- spying features such as keylogging, screenshots and a robust password stealer;
- TeamViewer and a simple pseudo "remote desktop";
- listing Windows accounts and scanning the network;
- destroying the system.
BE3 was typically distributed through spear-phishing emails carrying Microsoft Word or Excel documents with a malicious VBA macro, Rich Text Format (RTF) documents embedding exploits, or a PowerPoint presentation exploiting the then zero-day CVE-2014-4114.
On 23 December 2015, the attackers behind the BlackEnergy malware caused power outages lasting several hours in different regions of Ukraine. This cyber sabotage against three energy companies was confirmed by the Ukrainian government, and the power grid compromise became known as the first-of-its-kind cyber warfare attack affecting civilians.
2022-05-09 by cocomelonc from cocomelonc
2022-04-20 by CISA from CISA
2022-04-20 by cocomelonc from cocomelonc
2022-04-20 by CISA from CISA
2022-02-24 by TESORION from Tesorion
2021-09-09 by Insikt Group from Recorded Future
2021-08-05 by Threat Hunter Team from Symantec
2020-12-21 by Adam Hlavek from IronNet
2020-10-19 by Curtis from Riskint Blog
2020-10-19 by ForeignCommonwealth & Development Office from UK Government
2020-05-21 by Süleyman Özarslan from PICUS Security
2020 by SecureWorks from Secureworks
2019-05-08 by Verizon Communications Inc. from Verizon Communications Inc.
2019-01-18 by Mark Edmondson from
2017-09-18 by Paul Vann from ThreatConnect
2017-07-03 by Anton Cherepanov from ESET Research
2017-05-31 by MITRE ATT&CK from MITRE
2016-01-28 by GReAT from Kaspersky Labs
2015-02-17 by Kurt Baumgartner from Kaspersky Labs
2014-11-03 by Kurt Baumgartner from Kaspersky Labs
2014-10-14 by Robert Lipovsky from ESET Research
2010-07-15 by Dmitry Tarakanov from Kaspersky Labs
2010-03-03 by Julia Wolf from FireEye
2010-03-03 by Joe Stewart from Secureworks
2007-10 by Jose Nazario from Arbor Networks
Tool: BlackEnergy
Names: BlackEnergy, Black Energy
Description: see the summary at the top of this card (BE1 DDoS crimeware from 2007; BE2 modular rootkit with ICS HMI targeting; BE3 driverless toolkit used in the December 2015 Ukraine power grid attack).
Category: Malware
Type: ICS malware, Reconnaissance, Backdoor, Rootkit, Banking trojan, Keylogger, Info stealer, Wiper, DDoS, Worm
Information: https://www.recordedfuture.com/blackenergy-malware-analysis/
Information: https://threatconnect.com/blog/casting-a-light-on-blackenergy/
Information: https://securelist.com/blackenergy-apt-attacks-in-ukraine-employ-spearphishing-with-word-documents/73440/
Information: https://securelist.com/be2-extraordinary-plugins-siemens-targeting-dev-fails/68838/
Information: https://securelist.com/be2-custom-plugins-router-abuse-and-target-profiles/67353/
Information: https://marcusedmondson.com/2019/01/18/black-energy-analysis/
Information: https://en.wikipedia.org/wiki/BlackEnergy
Mitre-attack: https://attack.mitre.org/software/S0089/
Malpedia: https://malpedia.caad.fkie.fraunhofer.de/details/win.blackenergy
Alienvault-otx: https://otx.alienvault.com/browse/pulses?q=tag:blackenergy
Last-card-change: 2022-12-30
Source: https://apt.etda.or.th/cgi-bin/listtools.cgi
ATT&CK techniques mapped to BlackEnergy, grouped by tactic (tactics with no mapped technique are omitted):

Execution (TA0002)
- T1047 Windows Management Instrumentation: a BlackEnergy 2 plug-in uses WMI to gather victim host details.

Persistence (TA0003)
- T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder: the BlackEnergy 3 variant drops its main DLL component and then creates a .lnk shortcut to that file in the Startup folder.
- T1547.009 Boot or Logon Autostart Execution: Shortcut Modification: the same Startup-folder .lnk behaviour as above.
- T1543.003 Create or Modify System Process: Windows Service: one variant of BlackEnergy creates a new service using either a hard-coded or a randomly generated name.
- T1574.010 Hijack Execution Flow: Services File Permissions Weakness: one variant of BlackEnergy locates existing driver services that have been disabled and drops its driver component into one of those services' paths, replacing the legitimate executable. The malware then sets the hijacked service to start automatically to establish persistence.

Privilege Escalation (TA0004)
- T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control: BlackEnergy attempts to bypass default UAC settings by exploiting a backward-compatibility setting found in Windows 7 and later.
- T1547.001, T1547.009, T1543.003, T1574.010: as described under Persistence.
- T1055.001 Process Injection: Dynamic-link Library Injection: BlackEnergy injects its DLL component into svchost.exe.

Defense Evasion (TA0005)
- T1548.002, T1574.010, T1055.001: as described above.
- T1070 Indicator Removal: BlackEnergy has removed the watermark associated with enabling the TESTSIGNING boot configuration option by removing the relevant strings from the system's user32.dll.mui.
- T1070.001 Indicator Removal: Clear Windows Event Logs: the BlackEnergy component KillDisk is capable of deleting Windows event logs.
- T1553.006 Subvert Trust Controls: Code Signing Policy Modification: BlackEnergy has enabled the TESTSIGNING boot configuration option to facilitate loading of a driver component.

Credential Access (TA0006)
- T1555.003 Credentials from Password Stores: Credentials from Web Browsers: BlackEnergy has used a plug-in to gather credentials from web browsers including Firefox, Google Chrome and Internet Explorer.
- T1552.001 Unsecured Credentials: Credentials in Files: BlackEnergy has used a plug-in to gather credentials stored in files on the host by various programs, including The Bat! email client, Outlook and the Windows credential store.

Discovery (TA0007)
- T1083 File and Directory Discovery: BlackEnergy gathers a list of installed applications from the Uninstall registry key and the registered mail, browser and instant-messaging clients from the registry; it has also searched for given file types.
- T1120 Peripheral Device Discovery: BlackEnergy can gather very specific information about attached USB devices, including device instance ID and drive geometry.
- T1082 System Information Discovery: BlackEnergy has used systeminfo to gather the OS version as well as information on the system configuration, BIOS, motherboard and processor.
- T1016 System Network Configuration Discovery: BlackEnergy has gathered network IP configuration using ipconfig.exe and routing tables using route.exe.
- T1049 System Network Connections Discovery: BlackEnergy has gathered information about local network connections using netstat.

Lateral Movement (TA0008)
- T1021.002 Remote Services: SMB/Windows Admin Shares: BlackEnergy has run a plug-in on a victim to spread through the local network using PsExec and admin shares.

Command and Control (TA0011)
- T1071.001 Application Layer Protocol: Web Protocols: BlackEnergy communicates with its C2 server over HTTP.
- T1008 Fallback Channels: BlackEnergy has the capability to communicate over a backup channel via plus.google.com.

Impact (TA0040)
- T1485 Data Destruction: BlackEnergy 2 contains a "destroy" plug-in that destroys data stored on victim hard drives by overwriting file contents.
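As an added example (not code from this card or from any of the reports it lists), the Python below turns the persistence, evasion, lateral-movement and fallback-C2 behaviours mapped above into host-telemetry rules and runs them over constructed Sysmon-style events. The event records, the user name, the driver service name "aliide", the file paths and the browser allow-list are assumptions for illustration, not indicators from any BlackEnergy sample. The T1574.010 rule correlates two events (a driver binary rewrite followed by the same service's Start value being set to auto) rather than alerting on either alone, because each on its own is routine on a patched host.

```python
import re

# Constructed Sysmon-style events (IDs: 1 process create, 11 file create,
# 13 registry value set, 22 DNS query). Paths, the user "op" and the driver
# service name "aliide" are assumptions for illustration, not real IOCs.
SAMPLE_EVENTS = [
    # 0: routine discovery; low signal on its own, must not fire.
    {"id": 1, "image": r"C:\Windows\System32\ipconfig.exe", "cmdline": "ipconfig /all"},
    # 1: T1553.006, test-signing enabled so an unsigned driver will load.
    {"id": 1, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "bcdedit.exe /set TESTSIGNING ON"},
    # 2: T1547.001/.009, shortcut to the dropped DLL placed in the Startup folder.
    {"id": 11, "image": r"C:\Windows\System32\rundll32.exe",
     "target": r"C:\Users\op\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dcfg.lnk"},
    # 3 + 4: T1574.010, a disabled driver service's binary is rewritten, then Start is set to 2 (auto).
    {"id": 11, "image": r"C:\Windows\System32\svchost.exe", "target": r"C:\Windows\System32\drivers\aliide.sys"},
    {"id": 13, "image": r"C:\Windows\System32\svchost.exe",
     "key": r"HKLM\System\CurrentControlSet\Services\aliide\Start", "details": "DWORD (0x00000002)"},
    # 5: T1070.001, KillDisk-style event log clearing.
    {"id": 1, "image": r"C:\Windows\System32\wevtutil.exe", "cmdline": "wevtutil cl System"},
    # 6: T1021.002, PsExec service binary running on the host.
    {"id": 1, "image": r"C:\Windows\PSEXESVC.exe", "cmdline": "PSEXESVC.exe"},
    # 7: T1008, fallback-channel lookup from a process that is not a browser.
    {"id": 22, "image": r"C:\Windows\System32\svchost.exe", "query": "plus.google.com"},
]

# Assumed allow-list: browsers are expected to resolve plus.google.com, system processes are not.
BROWSERS = {"chrome.exe", "firefox.exe", "iexplore.exe", "msedge.exe"}


def _base(path):
    """Basename of a Windows path (os.path.basename does not split on backslashes on POSIX)."""
    return path.rsplit("\\", 1)[-1].lower()


def rule_testsigning(events):
    pat = re.compile(r"bcdedit.*\bset\b.*\btestsigning\s+on\b", re.I)
    return [("T1553.006", i, "TESTSIGNING enabled via bcdedit")
            for i, ev in enumerate(events) if ev["id"] == 1 and pat.search(ev.get("cmdline", ""))]


def rule_startup_lnk(events):
    pat = re.compile(r"\\Startup\\[^\\]+\.lnk$", re.I)
    return [("T1547.001", i, "shortcut written to a Startup folder")
            for i, ev in enumerate(events) if ev["id"] == 11 and pat.search(ev.get("target", ""))]


def rule_driver_service_hijack(events):
    """Driver file under \\drivers\\ rewritten, then that service's Start set to boot/system/auto."""
    written = {}  # service name (from <name>.sys) -> index of the file-create event
    hits = []
    for i, ev in enumerate(events):
        if ev["id"] == 11:
            m = re.search(r"\\drivers\\([^\\]+)\.sys$", ev.get("target", ""), re.I)
            if m:
                written[m.group(1).lower()] = i
        elif ev["id"] == 13:
            m = re.match(r"HKLM\\System\\CurrentControlSet\\Services\\([^\\]+)\\Start$", ev.get("key", ""), re.I)
            if m and m.group(1).lower() in written and re.search(r"0x0000000[012]\)", ev.get("details", "")):
                hits.append(("T1574.010", i, "service %s set to auto-start after its driver was rewritten in event %d"
                             % (m.group(1), written[m.group(1).lower()])))
    return hits


def rule_clear_eventlog(events):
    pat = re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\b|clear-eventlog", re.I)
    return [("T1070.001", i, "Windows event log cleared")
            for i, ev in enumerate(events) if ev["id"] == 1 and pat.search(ev.get("cmdline", ""))]


def rule_psexec(events):
    pat = re.compile(r"psexesvc\.exe|psexec(\.exe)?\s+\\\\", re.I)
    return [("T1021.002", i, "PsExec service or remote invocation")
            for i, ev in enumerate(events)
            if ev["id"] == 1 and pat.search(ev["image"] + " " + ev.get("cmdline", ""))]


def rule_fallback_c2(events):
    return [("T1008", i, "plus.google.com resolved by non-browser %s" % _base(ev["image"]))
            for i, ev in enumerate(events)
            if ev["id"] == 22 and ev.get("query", "").lower().endswith("plus.google.com")
            and _base(ev["image"]) not in BROWSERS]


RULES = [rule_testsigning, rule_startup_lnk, rule_driver_service_hijack,
         rule_clear_eventlog, rule_psexec, rule_fallback_c2]


def evaluate(events):
    """Return (technique_id, event_index, reason) hits in event order."""
    hits = []
    for rule in RULES:
        hits.extend(rule(events))
    return sorted(hits, key=lambda h: h[1])


def techniques(events):
    return sorted({h[0] for h in evaluate(events)})


if __name__ == "__main__":
    for tid, idx, why in evaluate(SAMPLE_EVENTS):
        print("event %d: %s %s" % (idx, tid, why))
```

The rules are deliberately narrow: the benign ipconfig event and a Start-value change with no preceding driver rewrite produce no hit, so the output on the sample set is one hit per staged technique. Real telemetry needs the time window for the T1574.010 correlation bounded and the TESTSIGNING rule also fed from BCD registry writes, since bcdedit is not the only way to flip that option.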