BlackEnergy
December 21, 2023 ยท View on GitHub
| ID | X0002 |
| Type | Bot/Botnet, DDoS |
| Aliases | None |
| Platforms | Windows |
| Year | 2007 |
| Associated ATT&CK Software | BlackEnergy |
BlackEnergy
An HTTP-based botnet used mostly for DDoS attacks. [1]
ATT&CK Techniques
| Name | Use |
|---|---|
| Execution::Shared Modules (T1129) | BlackEnergy accesses PEB ldr_data. [4] |
See ATT&CK: BlackEnergy - Techniques Used.
Enhanced ATT&CK Techniques
| Name | Use |
|---|---|
| Defense Evasion::Process Injection::Injection using Shims (E1055.m05) | Malware bypasses UAC using a Shim Database instructing SndVol.exe to execute cmd.exe instead, allowing for elevated execution. [1] |
| Defense Evasion::Install Insecure or Malicious Configuration (B0047) | Malware configures the system to the TESTSIGNING boot configuration option to load its unsigned driver component. [1] |
| Defense Evasion::Indicator Blocking (F0006) | Malware clears windows event logs and removes the watermark associated with enabling the TESTSIGNING boot configuration option by removing the relevent strings in the user32.dll.mui of the system. [1] |
| Persistence::Modify Existing Service (F0011) | Malware locates an inactive driver service to Hijack and set it to start automatically. [1] |
| Defense Evasion::Process Injection (E1055) | Malware injects its dll component into svchost.exe. [1] |
| Discovery::System Information Discovery (E1082) | Malware uses Systeminfo to gather OS version, system configuration, BIOS, the motherboard, and processor. [1] |
| Collection::Keylogging (F0002) | Keylogger plugin allows for collection of keystrokes. [2] |
| Collection::Screen Capture (E1113) | Malware contains a screenshot plugin that allows for the collection of screenshots. [2] |
| Persistence::Registry Run Keys / Startup Folder (F0012) | BlackEnergy 3 variant drops its main DLL component and then creates a .lnk shortcut to that file in the startup folder, allowing it to persist via a Run registry key. [1] [4] |
| Impact::Data Destruction (E1485) | BlackEnergy 2 variant contains a Destroy plugin that destroys data stored on victim hard drives by overwriting file contents. [3] |
| Defense Evasion::Obfuscated Files or Information::Encryption-Standard Algorithm (E1027.m05) | BlackEnergy encrypts data using RC4 via WinAPI. [4] |
| Discovery::File and Directory Discovery (E1083) | BlackEnergy gets the common file path. [4] |
MBC Behaviors
| Name | Use |
|---|---|
| Impact::Denial of Service (B0033) | Malware was originally built to launch a distributed denial of service attacks that can target more than one IP address per hostname. [1] |
| Execution::Remote Commands (B0011) | Malware-infected bots receive commands from botmaster to load plugins associated with botmaster's goals. [1] |
| Anti-Static Analysis::Disassembler Evasion::Argument Obfuscation (B0012.001) | BlackEnergy contains obfuscated stack strings. [4] |
| Communication::HTTP Communication::Extract Body (C0002.011) | BlackEnergy extracts the HTTP body. [4] |
| Communication::HTTP Communication::IWebBrowser (C0002.010) | The malware initializes IWebBrowser2. [4] |
| Cryptography::Cryptographic Hash (C0029) | BlackEnergy hashes data via WinCrypt. [4] |
| Cryptography::Cryptographic Hash::MD5 (C0029.001) | BlackEnergy hashes data with MD5. [4] |
| Cryptography::Cryptographic Hash::SHA1 (C0029.002) | BlackEnergy hashes data using SHA1. [4] |
| Cryptography::Decrypt Data (C0031) | BlackEnergy encrypts or decrypts via WinCrypt. [4] |
| Cryptography::Encrypt Data::RC4 (C0027.009) | BlackEnergy encrypts data using RC4 via WinAPI. [4] |
| Cryptography::Encryption Key (C0028) | BlackEnergy creates new key via CryptAcquireContext. [4] |
| Cryptography::Generate Pseudo-random Sequence::Use API (C0021.003) | BlackEnergy generates random numbers via WinAPI. [4] |
| Discovery::Code Discovery::Enumerate PE Sections (B0046.001) | BlackEnergy enumerates PE sections. [4] |
| Operating System::Registry::Query Registry Key (C0036.005) | BlackEnergy queries or enumerates a registry key. [4] |
| Operating System::Registry::Query Registry Value (C0036.006) | BlackEnergy queries or enumerates a registry value. [4] |
| Process::Create Process (C0017) | BlackEnergy creates a process on Windows. [4] |
| Process::Terminate Process (C0018) | BlackEnergy terminates a process via fastfail. [4] |
Indicators of Compromise
SHA256 Hashes
- e791718c0141e3829608142fb0f0d35c9af270f78ae0b72fce2edd07a9684568
- d841d9092239fc029b10da01c19868749b0f6bd757926ff04674658468495808
- bc062acda428f55782710f9c4f2df88c26dfbc004b94b479459f8572b1219444
- 16d68b740b5d9aa60929e39fd616d31be2c8528d0f1e58db4cbb16976f7cd725
- af62f29ac01e8335bf41c02c1460ebafcbaf94956b1001f7d515eecf63cea4f2
- 47aea6a4e1da1fb8b454c038c21736bee53d59d095a4f5b866d5dd8158fead41
- 4b2efcda5269f4b80dc417a2b01332185f2fafabd8ba7114fa0306baaab5a72d
- b1ca89de93a1d9bf17cdbf8a3c61e7f52f275a3bcbbd285d35d6a40c45dde9bd
- 951e5623c20d4e9ab158fe105436389dbf61327b2c87b7fb36f8ad3ff5ad9bde
- f8b974cf978a3828aeb9b83fc48645da576e4b90dd47c2b82a46f6c14665a9e5
- 91f72808aaed45a76ff1044a23fd6df4b7ab7ace292725522518feb9c0b8574e
- 2aade7381aa87f55b7d7a5284d22be5472fd8cd966d216fd4445ca3a8bbb3ff3
- 01425582aa5001342b985270a365fd92d909be011384247e81872bff586fa142
- 9e9a6f1d046e0f5da10aa0e18bba248df4f818d342ed359c35fdb000f1354819
References
[1] https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf
[2] https://securelist.com/be2-custom-plugins-router-abuse-and-target-profiles/67353/
[3] https://securelist.com/be2-extraordinary-plugins-siemens-targeting-dev-fails/68838/
[4] capa v4.0, analyzed at MITRE on 10/12/2022