SYMBOLCOMMON_NAMEaka. SYNONYMS
win.blackenergy (Back to overview)

BlackEnergy

Actor(s): Sandworm

VTCollection    

BlackEnergy, its first version shortened as BE1, started as a crimeware being sold in the Russian cyber underground as early as 2007. Initially, it was designed as a toolkit for creating botnets for conducting DDoS attacks. It supported a variety of flooding commands including protocols like ICMP, TCP SYN, UDP, HTTP and DNS. Among the high profile targets of cyber attacks utilising BE1 were a Norwegian bank and government websites in Georgia three weeks before Russo-Georgian War.

Version 2 of BlackEnergy, BE2, came in 2008 with a complete code rewrite that introduced a protective layer, a kernel-mode rootkit and a modular architecture. Plugins included mostly DDoS attacks, a spam plugin and two banking authentication plugins to steal from Russian nad Ukrainian banks. The banking plugin was paired with a module designed to destroy the filesystem. Moreover, BE2 was able to
- download and execute a remote file;
- execute a local file on the infected computer;
- update the bot and its plugins;

The Industrial Control Systems Cyber Emergency Response Team issued an alert warning that BE2 was leveraging the human-machine interfaces of industrial control systems like GE CIMPLICITY, Advantech/Broadwin WebAccess, and Siemens WinCC to gain access to critical infrastructure networks.

In 2014, the BlackEnergy toolkit, BE3, switched to a lighter footprint with no kernel-mode driver component. Its plugins included:
- operations with victim's filesystem
- spreading with a parasitic infector
- spying features like keylogging, screenshoots or a robust password stealer
- Team viewer and a simple pseudo “remote desktop”
- listing Windows accounts and scanning network
- destroying the system

Typical for distribution of BE3 was heavy use of spear-phishing emails containing Microsoft Word or Excel documents with a malicious VBA macro, Rich Text Format (RTF) documents embedding exploits or a PowerPoint presentation with zero-day exploit CVE-2014-4114.

On 23 December 2015, attackers behind the BlackEnergy malware successfully caused power outages for several hours in different regions of Ukraine. This cyber sabotage against three energy companies has been confirmed by the Ukrainian government. The power grid compromise has become known as the first-of-its-kind cyber warfare attack affecting civilians.

References
2024-04-16MandiantAlden Wahlstrom, Anton Prokopenkov, Dan Black, Dan Perez, Gabby Roncone, John Wolfram, Lexie Aytes, Nick Simonian, Ryan Hall, Tyler McLellan
APT44: Unearthing Sandworm
VPNFilter BlackEnergy CaddyWiper EternalPetya HermeticWiper Industroyer INDUSTROYER2 Olympic Destroyer PartyTicket RoarBAT Sandworm
2022-05-09cocomelonccocomelonc
Malware development: persistence - part 4. Windows services. Simple C++ example.
Anchor AppleJeus Attor BBSRAT BlackEnergy Carbanak Cobalt Strike DuQu
2022-04-20cocomelonccocomelonc
Malware development: persistence - part 1. Registry run keys. C++ example.
Agent Tesla Amadey BlackEnergy Cobian RAT COZYDUKE Emotet Empire Downloader Kimsuky
2022-04-20CISACISA
Alert (AA22-110A): Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure
VPNFilter BlackEnergy DanaBot DoppelDridex Emotet EternalPetya GoldMax Industroyer Sality SmokeLoader TrickBot Triton Zloader Killnet
2022-04-20CISAAustralian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), CISA, FBI, Government Communications Security Bureau, National Crime Agency (NCA), NCSC UK, NSA
AA22-110A Joint CSA: Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure
VPNFilter BlackEnergy DanaBot DoppelDridex Emotet EternalPetya GoldMax Industroyer Sality SmokeLoader TrickBot Triton Zloader
2022-02-24TesorionTESORION
Report OSINT: Russia/ Ukraine Conflict Cyberaspect
Mirai VPNFilter BlackEnergy EternalPetya HermeticWiper Industroyer WhisperGate
2021-09-09Recorded FutureInsikt Group
Dark Covenant: Connections Between the Russian State and Criminal Actors
BlackEnergy EternalPetya Gameover P2P Zeus
2021-08-05SymantecThreat Hunter Team
Attacks Against Critical Infrastructure: A Global Concern
BlackEnergy DarkSide DistTrack Stuxnet
2020-12-21IronNetAdam Hlavek, Kimberly Ortiz
Russian cyber attack campaigns and actors
WellMail elf.wellmess Agent.BTZ BlackEnergy EternalPetya Havex RAT Industroyer Ryuk Triton WellMess
2020-10-19Riskint BlogCurtis
Revisited: Fancy Bear's New Faces...and Sandworms' too
BlackEnergy EternalPetya Industroyer Olympic Destroyer
2020-10-19UK GovernmentDominic Raab, ForeignCommonwealth & Development Office
UK exposes series of Russian cyber attacks against Olympic and Paralympic Games
VPNFilter BlackEnergy EternalPetya Industroyer
2020-05-21PICUS SecuritySüleyman Özarslan
T1055 Process Injection
BlackEnergy Cardinal RAT Downdelph Emotet Kazuar RokRAT SOUNDBITE
2020-01-01SecureworksSecureWorks
IRON VIKING
BlackEnergy EternalPetya GreyEnergy Industroyer KillDisk TeleBot TeleDoor
2019-05-08Verizon Communications Inc.Verizon Communications Inc.
2019 Data Breach Investigations Report
BlackEnergy Cobalt Strike DanaBot Gandcrab GreyEnergy Mirai Olympic Destroyer SamSam
2019-01-18Mark Edmondson
BLACK ENERGY – Analysis
BlackEnergy
2017-09-18ThreatConnectPaul Vann
Casting a Light on BlackEnergy
BlackEnergy
2017-07-03ESET ResearchAnton Cherepanov, Robert Lipovsky
BlackEnergy – what we really know about the notorious cyber attacks
BlackEnergy
2017-05-31MITREMITRE ATT&CK
Sandworm Team
CyclopsBlink Exaramel BlackEnergy EternalPetya Exaramel GreyEnergy KillDisk MimiKatz Olympic Destroyer Sandworm
2016-01-28Kaspersky LabsGReAT
BlackEnergy APT Attacks in Ukraine employ spearphishing with Word documents
BlackEnergy
2015-02-17Kaspersky LabsKurt Baumgartner, Maria Garnaeva
BE2 extraordinary plugins, Siemens targeting, dev fails
BlackEnergy
2014-11-03Kaspersky LabsKurt Baumgartner, Maria Garnaeva
BE2 custom plugins, router abuse, and target profiles
BlackEnergy
2014-10-14ESET ResearchRobert Lipovsky
CVE‑2014‑4114: Details on August BlackEnergy PowerPoint Campaigns
BlackEnergy
2010-07-15Kaspersky LabsDmitry Tarakanov
Black DDoS
BlackEnergy
2010-03-03FireEyeJulia Wolf
Black Energy Crypto
BlackEnergy
2010-03-03SecureworksJoe Stewart
BlackEnergy Version 2 Threat Analysis
BlackEnergy
2007-10-01Arbor NetworksJose Nazario
BlackEnergy DDoS Bot Analysis
BlackEnergy
Yara Rules
[TLP:WHITE] win_blackenergy_auto (20241030 | Detects win.blackenergy.)
rule win_blackenergy_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2024-10-31"
        version = "1"
        description = "Detects win.blackenergy."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackenergy"
        malpedia_rule_date = "20241030"
        malpedia_hash = "26e26953c49c8efafbf72a38076855d578e0a2e4"
        malpedia_version = "20241030"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 6a00 ffd7 8b4508 8b7df0 }
            // n = 4, score = 200
            //   6a00                 | push                0
            //   ffd7                 | call                edi
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   8b7df0               | mov                 edi, dword ptr [ebp - 0x10]

        $sequence_1 = { 895dec 895df8 895df0 e8???????? 8b0d???????? }
            // n = 5, score = 200
            //   895dec               | mov                 dword ptr [ebp - 0x14], ebx
            //   895df8               | mov                 dword ptr [ebp - 8], ebx
            //   895df0               | mov                 dword ptr [ebp - 0x10], ebx
            //   e8????????           |                     
            //   8b0d????????         |                     

        $sequence_2 = { 894dac 81f900c00000 0f862a020000 b809000000 81f900000100 0f860f010000 }
            // n = 6, score = 200
            //   894dac               | mov                 dword ptr [ebp - 0x54], ecx
            //   81f900c00000         | cmp                 ecx, 0xc000
            //   0f862a020000         | jbe                 0x230
            //   b809000000           | mov                 eax, 9
            //   81f900000100         | cmp                 ecx, 0x10000
            //   0f860f010000         | jbe                 0x115

        $sequence_3 = { 8b07 83c014 50 8d45f4 }
            // n = 4, score = 200
            //   8b07                 | mov                 eax, dword ptr [edi]
            //   83c014               | add                 eax, 0x14
            //   50                   | push                eax
            //   8d45f4               | lea                 eax, [ebp - 0xc]

        $sequence_4 = { 66c745f86500 e8???????? c9 c3 55 }
            // n = 5, score = 200
            //   66c745f86500         | mov                 word ptr [ebp - 8], 0x65
            //   e8????????           |                     
            //   c9                   | leave               
            //   c3                   | ret                 
            //   55                   | push                ebp

        $sequence_5 = { 8b4e14 3bd1 7602 8bca 394d08 7339 8b4d08 }
            // n = 7, score = 200
            //   8b4e14               | mov                 ecx, dword ptr [esi + 0x14]
            //   3bd1                 | cmp                 edx, ecx
            //   7602                 | jbe                 4
            //   8bca                 | mov                 ecx, edx
            //   394d08               | cmp                 dword ptr [ebp + 8], ecx
            //   7339                 | jae                 0x3b
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]

        $sequence_6 = { 742a 3bc2 7426 895028 395120 }
            // n = 5, score = 200
            //   742a                 | je                  0x2c
            //   3bc2                 | cmp                 eax, edx
            //   7426                 | je                  0x28
            //   895028               | mov                 dword ptr [eax + 0x28], edx
            //   395120               | cmp                 dword ptr [ecx + 0x20], edx

        $sequence_7 = { ff75f4 6801000080 ffd0 85c0 }
            // n = 4, score = 200
            //   ff75f4               | push                dword ptr [ebp - 0xc]
            //   6801000080           | push                0x80000001
            //   ffd0                 | call                eax
            //   85c0                 | test                eax, eax

        $sequence_8 = { 8bec 83ec10 8b0b 8b4508 8365f800 2bc1 83e804 }
            // n = 7, score = 200
            //   8bec                 | mov                 ebp, esp
            //   83ec10               | sub                 esp, 0x10
            //   8b0b                 | mov                 ecx, dword ptr [ebx]
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   8365f800             | and                 dword ptr [ebp - 8], 0
            //   2bc1                 | sub                 eax, ecx
            //   83e804               | sub                 eax, 4

        $sequence_9 = { 83ec48 6a04 8d45fc 50 8d45e8 50 8d45b8 }
            // n = 7, score = 200
            //   83ec48               | sub                 esp, 0x48
            //   6a04                 | push                4
            //   8d45fc               | lea                 eax, [ebp - 4]
            //   50                   | push                eax
            //   8d45e8               | lea                 eax, [ebp - 0x18]
            //   50                   | push                eax
            //   8d45b8               | lea                 eax, [ebp - 0x48]

    condition:
        7 of them and filesize < 98304
}
Download all Yara Rules