win.blackenergy

BlackEnergy

Actor(s): Sandworm


BlackEnergy, its first version shortened to BE1, started as crimeware sold in the Russian cyber underground as early as 2007. It was initially designed as a toolkit for building botnets that conduct DDoS attacks, and it supported a variety of flooding commands covering protocols such as ICMP, TCP SYN, UDP, HTTP and DNS. Among the high-profile targets of attacks using BE1 were a Norwegian bank and Georgian government websites, the latter hit three weeks before the Russo-Georgian War.

Version 2 of BlackEnergy, BE2, came in 2008 with a complete code rewrite that introduced a protective layer, a kernel-mode rootkit and a modular architecture. Plugins were mostly for DDoS attacks, plus a spam plugin and two banking authentication plugins used to steal from Russian and Ukrainian banks. The banking plugin was paired with a module designed to destroy the filesystem. In addition, BE2 was able to:
- download and execute a remote file;
- execute a local file on the infected computer;
- update the bot and its plugins.

The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) issued an alert warning that BE2 was leveraging the human-machine interfaces (HMIs) of industrial control system products such as GE CIMPLICITY, Advantech/Broadwin WebAccess and Siemens WinCC to gain access to critical infrastructure networks.

In 2014, the BlackEnergy toolkit, now BE3, switched to a lighter footprint with no kernel-mode driver component. Its plugins included:
- operations on the victim's filesystem
- spreading via a parasitic file infector
- spying features such as keylogging, screenshots and a robust password stealer
- TeamViewer and a simple pseudo "remote desktop"
- listing Windows accounts and scanning the network
- destroying the system

Distribution of BE3 typically relied on spear-phishing emails carrying Microsoft Word or Excel documents with a malicious VBA macro, Rich Text Format (RTF) documents embedding exploits, or a PowerPoint presentation exploiting the zero-day CVE-2014-4114.
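The three lure formats named above (OOXML with a VBA project, OOXML with embedded OLE objects, and RTF with embedded objects) can be triaged statically before any dynamic analysis. The following Python is an added example written for this page; it is not Malpedia's code and not a BlackEnergy artefact, and its heuristics (standard OOXML part names, the RTF \object and \objdata control words) are generic indicators, not a signature for any specific exploit. The sample documents are constructed in the script and are not real Office files.

```python
import io
import re
import zipfile

# Standard OOXML part names for a VBA project and for embedded OLE objects.
# Assumption: the document uses the default part names Office writes; a
# hand-crafted container could rename them, so this is a triage heuristic.
VBA_PART = re.compile(r"^(word|xl|ppt)/vbaProject\.bin$", re.I)
OLE_PART = re.compile(r"^(word|xl|ppt)/embeddings/oleObject\d*\.bin$", re.I)
# RTF control words that introduce an embedded object and its hex-encoded payload.
RTF_OBJECT = re.compile(rb"\\object\b|\\objdata\b")


def triage_ooxml(data: bytes) -> dict:
    """Flag VBA projects and embedded OLE objects inside an OOXML (zip) container."""
    findings = {"format": "ooxml", "vba": [], "ole": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if VBA_PART.match(name):
                findings["vba"].append(name)
            elif OLE_PART.match(name):
                findings["ole"].append(name)
    findings["suspicious"] = bool(findings["vba"] or findings["ole"])
    return findings


def triage_rtf(data: bytes) -> dict:
    """Count embedded-object control words in an RTF document."""
    objects = len(RTF_OBJECT.findall(data))
    return {"format": "rtf", "objects": objects, "suspicious": objects > 0}


def triage(data: bytes) -> dict:
    """Dispatch on the container magic; anything else is left for other tooling."""
    if data.startswith(b"PK\x03\x04"):
        return triage_ooxml(data)
    if data.startswith(b"{\\rtf"):
        return triage_rtf(data)
    return {"format": "unknown", "suspicious": False}


def build_ooxml(parts: dict) -> bytes:
    """Constructed sample: a minimal zip with the given part names (not a real Office file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in parts.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples standing in for the three lure types described on the page.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # compound-file header, as a VBA/OLE part starts
MACRO_DOCX = build_ooxml({
    "[Content_Types].xml": "<Types/>",
    "word/document.xml": "<w:document/>",
    "word/vbaProject.bin": OLE_MAGIC,
})
OLE_PPTX = build_ooxml({
    "[Content_Types].xml": "<Types/>",
    "ppt/slides/slide1.xml": "<p:sld/>",
    "ppt/embeddings/oleObject1.bin": OLE_MAGIC,
})
CLEAN_DOCX = build_ooxml({
    "[Content_Types].xml": "<Types/>",
    "word/document.xml": "<w:document/>",
})
EXPLOIT_RTF = rb"{\rtf1\ansi{\object\objemb{\*\objdata 504b0304}}}"

if __name__ == "__main__":
    for label, blob in [("macro.docx", MACRO_DOCX), ("ole.pptx", OLE_PPTX),
                        ("clean.docx", CLEAN_DOCX), ("exploit.rtf", EXPLOIT_RTF)]:
        print(label, triage(blob))
```

A hit from this script means "open in a sandbox or with an OLE parser", not "malicious": legitimate documents embed objects and macros too. Conversely, a clean result only says the default part names are absent; an attacker who renames parts or uses a non-zip container (the legacy binary formats) will not be caught by this check.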

On 23 December 2015, the attackers behind the BlackEnergy malware caused power outages lasting several hours in different regions of Ukraine. This cyber sabotage against three energy companies was confirmed by the Ukrainian government. The power grid compromise has become known as the first-of-its-kind cyber warfare attack affecting civilians.

References (date | publisher | author; then title; then related families)
2022-05-09 | cocomelonc | cocomelonc
Malware development: persistence - part 4. Windows services. Simple C++ example.
Anchor AppleJeus Attor BBSRAT BlackEnergy Carbanak Cobalt Strike DuQu
2022-04-20 | cocomelonc | cocomelonc
Malware development: persistence - part 1. Registry run keys. C++ example.
Agent Tesla Amadey BlackEnergy Cobian RAT COZYDUKE Emotet Empire Downloader Kimsuky
2022-04-20 | CISA | CISA
Alert (AA22-110A): Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure
VPNFilter BlackEnergy DanaBot DoppelDridex Emotet EternalPetya GoldMax Industroyer Sality SmokeLoader TrickBot Triton Zloader Killnet
2022-04-20 | CISA | Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), CISA, FBI, Government Communications Security Bureau, National Crime Agency (NCA), NCSC UK, NSA
AA22-110A Joint CSA: Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure
VPNFilter BlackEnergy DanaBot DoppelDridex Emotet EternalPetya GoldMax Industroyer Sality SmokeLoader TrickBot Triton Zloader
2022-02-24 | Tesorion | TESORION
Report OSINT: Russia/ Ukraine Conflict Cyberaspect
Mirai VPNFilter BlackEnergy EternalPetya HermeticWiper Industroyer WhisperGate
2021-09-09 | Recorded Future | Insikt Group
Dark Covenant: Connections Between the Russian State and Criminal Actors
BlackEnergy EternalPetya Gameover P2P Zeus
2021-08-05 | Symantec | Threat Hunter Team
Attacks Against Critical Infrastructure: A Global Concern
BlackEnergy DarkSide DistTrack Stuxnet
2020-12-21 | IronNet | Adam Hlavek, Kimberly Ortiz
Russian cyber attack campaigns and actors
WellMail elf.wellmess Agent.BTZ BlackEnergy EternalPetya Havex RAT Industroyer Ryuk Triton WellMess
2020-10-19 | UK Government | Dominic Raab, Foreign, Commonwealth & Development Office
UK exposes series of Russian cyber attacks against Olympic and Paralympic Games
VPNFilter BlackEnergy EternalPetya Industroyer
2020-10-19 | Riskint Blog | Curtis
Revisited: Fancy Bear's New Faces...and Sandworms' too
BlackEnergy EternalPetya Industroyer Olympic Destroyer
2020-05-21 | PICUS Security | Süleyman Özarslan
T1055 Process Injection
BlackEnergy Cardinal RAT Downdelph Emotet Kazuar RokRAT SOUNDBITE
2020-01-01 | Secureworks | SecureWorks
IRON VIKING
BlackEnergy EternalPetya GreyEnergy Industroyer KillDisk TeleBot TeleDoor
2019-05-08 | Verizon Communications Inc. | Verizon Communications Inc.
2019 Data Breach Investigations Report
BlackEnergy Cobalt Strike DanaBot Gandcrab GreyEnergy Mirai Olympic Destroyer SamSam
2019-01-18 | Mark Edmondson
BLACK ENERGY – Analysis
BlackEnergy
2017-09-18 | ThreatConnect | Paul Vann
Casting a Light on BlackEnergy
BlackEnergy
2017-07-03 | ESET Research | Anton Cherepanov, Robert Lipovsky
BlackEnergy – what we really know about the notorious cyber attacks
BlackEnergy
2017-05-31 | MITRE | MITRE ATT&CK
Sandworm Team
CyclopsBlink Exaramel BlackEnergy EternalPetya Exaramel GreyEnergy KillDisk MimiKatz Olympic Destroyer Sandworm
2016-01-28 | Kaspersky Labs | GReAT
BlackEnergy APT Attacks in Ukraine employ spearphishing with Word documents
BlackEnergy
2015-02-17 | Kaspersky Labs | Kurt Baumgartner, Maria Garnaeva
BE2 extraordinary plugins, Siemens targeting, dev fails
BlackEnergy
2014-11-03 | Kaspersky Labs | Kurt Baumgartner, Maria Garnaeva
BE2 custom plugins, router abuse, and target profiles
BlackEnergy
2014-10-14 | ESET Research | Robert Lipovsky
CVE-2014-4114: Details on August BlackEnergy PowerPoint Campaigns
BlackEnergy
2010-07-15 | Kaspersky Labs | Dmitry Tarakanov
Black DDoS
BlackEnergy
2010-03-03 | FireEye | Julia Wolf
Black Energy Crypto
BlackEnergy
2010-03-03 | Secureworks | Joe Stewart
BlackEnergy Version 2 Threat Analysis
BlackEnergy
2007-10-01 | Arbor Networks | Jose Nazario
BlackEnergy DDoS Bot Analysis
BlackEnergy
Yara Rules
[TLP:WHITE] win_blackenergy_auto (20230808 | Detects win.blackenergy.)
rule win_blackenergy_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.blackenergy."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackenergy"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { bb01000000 eb02 03d8 8bc2 e9???????? 8b4df4 014dd8 }
            // n = 7, score = 200
            //   bb01000000           | mov                 ebx, 1
            //   eb02                 | jmp                 4
            //   03d8                 | add                 ebx, eax
            //   8bc2                 | mov                 eax, edx
            //   e9????????           |                     
            //   8b4df4               | mov                 ecx, dword ptr [ebp - 0xc]
            //   014dd8               | add                 dword ptr [ebp - 0x28], ecx

        $sequence_1 = { 39750c 740c 56 56 ff7508 ff550c }
            // n = 6, score = 200
            //   39750c               | cmp                 dword ptr [ebp + 0xc], esi
            //   740c                 | je                  0xe
            //   56                   | push                esi
            //   56                   | push                esi
            //   ff7508               | push                dword ptr [ebp + 8]
            //   ff550c               | call                dword ptr [ebp + 0xc]

        $sequence_2 = { 8b7df4 8b75f0 8b4d08 f3a4 a1???????? 33c9 3bc1 }
            // n = 7, score = 200
            //   8b7df4               | mov                 edi, dword ptr [ebp - 0xc]
            //   8b75f0               | mov                 esi, dword ptr [ebp - 0x10]
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   f3a4                 | rep movsb           byte ptr es:[edi], byte ptr [esi]
            //   a1????????           |                     
            //   33c9                 | xor                 ecx, ecx
            //   3bc1                 | cmp                 eax, ecx

        $sequence_3 = { e8???????? 2bc6 3bc7 760f 6bd20a 47 e8???????? }
            // n = 7, score = 200
            //   e8????????           |                     
            //   2bc6                 | sub                 eax, esi
            //   3bc7                 | cmp                 eax, edi
            //   760f                 | jbe                 0x11
            //   6bd20a               | imul                edx, edx, 0xa
            //   47                   | inc                 edi
            //   e8????????           |                     

        $sequence_4 = { 0f848f000000 53 8d45f0 50 8d45d8 50 }
            // n = 6, score = 200
            //   0f848f000000         | je                  0x95
            //   53                   | push                ebx
            //   8d45f0               | lea                 eax, [ebp - 0x10]
            //   50                   | push                eax
            //   8d45d8               | lea                 eax, [ebp - 0x28]
            //   50                   | push                eax

        $sequence_5 = { 58 e8???????? 85c0 75ae 5e 5f c9 }
            // n = 7, score = 200
            //   58                   | pop                 eax
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   75ae                 | jne                 0xffffffb0
            //   5e                   | pop                 esi
            //   5f                   | pop                 edi
            //   c9                   | leave               

        $sequence_6 = { 85c0 7441 8b5dc8 8b5b28 85db 7427 8b4de4 }
            // n = 7, score = 200
            //   85c0                 | test                eax, eax
            //   7441                 | je                  0x43
            //   8b5dc8               | mov                 ebx, dword ptr [ebp - 0x38]
            //   8b5b28               | mov                 ebx, dword ptr [ebx + 0x28]
            //   85db                 | test                ebx, ebx
            //   7427                 | je                  0x29
            //   8b4de4               | mov                 ecx, dword ptr [ebp - 0x1c]

        $sequence_7 = { 33f6 56 6810000002 6a03 56 6a01 6800000080 }
            // n = 7, score = 200
            //   33f6                 | xor                 esi, esi
            //   56                   | push                esi
            //   6810000002           | push                0x2000010
            //   6a03                 | push                3
            //   56                   | push                esi
            //   6a01                 | push                1
            //   6800000080           | push                0x80000000

        $sequence_8 = { 8b583c 03d8 895dc8 8b4334 8945e0 33f6 46 }
            // n = 7, score = 200
            //   8b583c               | mov                 ebx, dword ptr [eax + 0x3c]
            //   03d8                 | add                 ebx, eax
            //   895dc8               | mov                 dword ptr [ebp - 0x38], ebx
            //   8b4334               | mov                 eax, dword ptr [ebx + 0x34]
            //   8945e0               | mov                 dword ptr [ebp - 0x20], eax
            //   33f6                 | xor                 esi, esi
            //   46                   | inc                 esi

        $sequence_9 = { 50 ff15???????? 50 ff5508 6a02 }
            // n = 5, score = 200
            //   50                   | push                eax
            //   ff15????????         |                     
            //   50                   | push                eax
            //   ff5508               | call                dword ptr [ebp + 8]
            //   6a02                 | push                2

    condition:
        7 of them and filesize < 98304
}
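To see what the autogenerated rule above actually matches, the following Python is an added example (not part of Malpedia, yara-signator or YARA itself) that re-implements its matching semantics on a byte buffer: each hex string becomes a byte regex in which ?? is exactly one wildcard byte, and the condition "7 of them and filesize < 98304" is evaluated with filesize taken as the length of the buffer. The sample buffer is constructed by materialising seven of the ten sequences with a filler byte; it is not a BlackEnergy sample and only exercises the matcher.

```python
import re

# The ten hex strings from win_blackenergy_auto, copied from the rule above.
SEQUENCES = {
    "sequence_0": "bb01000000 eb02 03d8 8bc2 e9???????? 8b4df4 014dd8",
    "sequence_1": "39750c 740c 56 56 ff7508 ff550c",
    "sequence_2": "8b7df4 8b75f0 8b4d08 f3a4 a1???????? 33c9 3bc1",
    "sequence_3": "e8???????? 2bc6 3bc7 760f 6bd20a 47 e8????????",
    "sequence_4": "0f848f000000 53 8d45f0 50 8d45d8 50",
    "sequence_5": "58 e8???????? 85c0 75ae 5e 5f c9",
    "sequence_6": "85c0 7441 8b5dc8 8b5b28 85db 7427 8b4de4",
    "sequence_7": "33f6 56 6810000002 6a03 56 6a01 6800000080",
    "sequence_8": "8b583c 03d8 895dc8 8b4334 8945e0 33f6 46",
    "sequence_9": "50 ff15???????? 50 ff5508 6a02",
}
MIN_MATCHES = 7        # "7 of them"
MAX_FILESIZE = 98304   # "filesize < 98304"


def _pairs(pattern: str):
    """Split a YARA hex string into two-character tokens ('ab' or '??')."""
    tokens = pattern.replace(" ", "")
    if len(tokens) % 2:
        raise ValueError("hex string has an odd number of nibbles")
    return [tokens[i:i + 2] for i in range(0, len(tokens), 2)]


def hex_to_regex(pattern: str) -> re.Pattern:
    """Translate a YARA hex string into a byte regex; '??' matches exactly one byte."""
    parts = [b"." if p == "??" else re.escape(bytes([int(p, 16)])) for p in _pairs(pattern)]
    return re.compile(b"".join(parts), re.DOTALL)  # DOTALL so '??' also matches 0x0a


COMPILED = {name: hex_to_regex(pat) for name, pat in SEQUENCES.items()}


def matched_strings(data: bytes) -> list:
    """Names of the rule's strings that occur at least once in the buffer."""
    return [name for name, rx in COMPILED.items() if rx.search(data)]


def evaluate(data: bytes) -> bool:
    """The rule condition, with filesize modelled as the buffer length (assumption)."""
    return len(matched_strings(data)) >= MIN_MATCHES and len(data) < MAX_FILESIZE


def materialize(pattern: str, fill: int = 0x90) -> bytes:
    """Constructed bytes that satisfy one hex string, using `fill` for every '??'."""
    return bytes(fill if p == "??" else int(p, 16) for p in _pairs(pattern))


def build_sample(names, length: int = 4096, pad: int = 0x00) -> bytes:
    """Constructed buffer: the named sequences back to back, padded to `length`."""
    body = b"".join(materialize(SEQUENCES[n]) for n in names)
    return body + bytes([pad]) * max(0, length - len(body))


if __name__ == "__main__":
    seven = [f"sequence_{i}" for i in range(7)]
    print(evaluate(build_sample(seven)))          # True
    print(evaluate(build_sample(seven[:6])))      # False: only six strings present
    print(evaluate(build_sample(seven, 98304)))   # False: filesize gate
```

Two practical consequences follow from the rule's shape. First, the wildcards cover only call and data-reference displacements, so a rebuilt binary where the compiler reordered code still needs seven of these exact instruction sequences; the rule is tight against false positives but brittle against recompilation, which the disclaimer in the rule itself warns about. Second, filesize in YARA refers to the scanned file; when scanning process memory or an unpacked dump larger than 96 KiB the condition will never hold, so drop or raise the filesize clause for memory scans.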