SYMBOLCOMMON_NAMEaka. SYNONYMS
win.blackenergy (Back to overview)

BlackEnergy

Actor(s): Sandworm


BlackEnergy, its first version shortened as BE1, started as a crimeware being sold in the Russian cyber underground as early as 2007. Initially, it was designed as a toolkit for creating botnets for conducting DDoS attacks. It supported a variety of flooding commands including protocols like ICMP, TCP SYN, UDP, HTTP and DNS. Among the high profile targets of cyber attacks utilising BE1 were a Norwegian bank and government websites in Georgia three weeks before Russo-Georgian War.

Version 2 of BlackEnergy, BE2, came in 2008 with a complete code rewrite that introduced a protective layer, a kernel-mode rootkit and a modular architecture. Plugins included mostly DDoS attacks, a spam plugin and two banking authentication plugins to steal from Russian nad Ukrainian banks. The banking plugin was paired with a module designed to destroy the filesystem. Moreover, BE2 was able to
- download and execute a remote file;
- execute a local file on the infected computer;
- update the bot and its plugins;

The Industrial Control Systems Cyber Emergency Response Team issued an alert warning that BE2 was leveraging the human-machine interfaces of industrial control systems like GE CIMPLICITY, Advantech/Broadwin WebAccess, and Siemens WinCC to gain access to critical infrastructure networks.

In 2014, the BlackEnergy toolkit, BE3, switched to a lighter footprint with no kernel-mode driver component. Its plugins included:
- operations with victim's filesystem
- spreading with a parasitic infector
- spying features like keylogging, screenshoots or a robust password stealer
- Team viewer and a simple pseudo “remote desktop”
- listing Windows accounts and scanning network
- destroying the system

Typical for distribution of BE3 was heavy use of spear-phishing emails containing Microsoft Word or Excel documents with a malicious VBA macro, Rich Text Format (RTF) documents embedding exploits or a PowerPoint presentation with zero-day exploit CVE-2014-4114.

On 23 December 2015, attackers behind the BlackEnergy malware successfully caused power outages for several hours in different regions of Ukraine. This cyber sabotage against three energy companies has been confirmed by the Ukrainian government. The power grid compromise has become known as the first-of-its-kind cyber warfare attack affecting civilians.

References
2022-04-20CISACISA, NSA, FBI, Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), Government Communications Security Bureau, NCSC UK, National Crime Agency (NCA)
@techreport{cisa:20220420:aa22110a:4fde5d6, author = {CISA and NSA and FBI and Australian Cyber Security Centre (ACSC) and Canadian Centre for Cyber Security (CCCS) and Government Communications Security Bureau and NCSC UK and National Crime Agency (NCA)}, title = {{AA22-110A Joint CSA: Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure}}, date = {2022-04-20}, institution = {CISA}, url = {https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf}, language = {English}, urldate = {2022-04-25} } AA22-110A Joint CSA: Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure
VPNFilter BlackEnergy DanaBot DoppelDridex Emotet EternalPetya GoldMax Industroyer Sality SmokeLoader TrickBot Triton Zloader
2022-04-20CISACISA
@online{cisa:20220420:alert:529e28c, author = {CISA}, title = {{Alert (AA22-110A): Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure}}, date = {2022-04-20}, organization = {CISA}, url = {https://www.cisa.gov/uscert/ncas/alerts/aa22-110a}, language = {English}, urldate = {2022-04-25} } Alert (AA22-110A): Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure
VPNFilter BlackEnergy DanaBot DoppelDridex Emotet EternalPetya GoldMax Industroyer Sality SmokeLoader TrickBot Triton Zloader Killnet
2022-02-24TesorionTESORION
@techreport{tesorion:20220224:report:e2f2082, author = {TESORION}, title = {{Report OSINT: Russia/ Ukraine Conflict Cyberaspect}}, date = {2022-02-24}, institution = {Tesorion}, url = {https://www.tesorion.nl/en/resources/pdfstore/Report-OSINT-Russia-Ukraine-Conflict-Cyberaspect.pdf}, language = {English}, urldate = {2022-03-01} } Report OSINT: Russia/ Ukraine Conflict Cyberaspect
Mirai VPNFilter BlackEnergy EternalPetya HermeticWiper Industroyer WhisperGate
2021-09-09Recorded FutureInsikt Group
@techreport{group:20210909:dark:cd6bb6a, author = {Insikt Group}, title = {{Dark Covenant: Connections Between the Russian State and Criminal Actors}}, date = {2021-09-09}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2021-0909.pdf}, language = {English}, urldate = {2021-09-10} } Dark Covenant: Connections Between the Russian State and Criminal Actors
BlackEnergy EternalPetya Gameover P2P Zeus
2021-08-05SymantecThreat Hunter Team
@techreport{team:20210805:attacks:c2d7348, author = {Threat Hunter Team}, title = {{Attacks Against Critical Infrastructure: A Global Concern}}, date = {2021-08-05}, institution = {Symantec}, url = {https://symantec.broadcom.com/hubfs/Attacks-Against-Critical_Infrastructrure.pdf}, language = {English}, urldate = {2021-08-06} } Attacks Against Critical Infrastructure: A Global Concern
BlackEnergy DarkSide DistTrack Stuxnet
2020-12-21IronNetAdam Hlavek, Kimberly Ortiz
@online{hlavek:20201221:russian:804662f, author = {Adam Hlavek and Kimberly Ortiz}, title = {{Russian cyber attack campaigns and actors}}, date = {2020-12-21}, organization = {IronNet}, url = {https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors}, language = {English}, urldate = {2021-01-05} } Russian cyber attack campaigns and actors
WellMail elf.wellmess Agent.BTZ BlackEnergy EternalPetya Havex RAT Industroyer Ryuk Triton WellMess
2020-10-19UK GovernmentForeignCommonwealth & Development Office, Dominic Raab
@online{office:20201019:uk:7ead390, author = {ForeignCommonwealth & Development Office and Dominic Raab}, title = {{UK exposes series of Russian cyber attacks against Olympic and Paralympic Games}}, date = {2020-10-19}, organization = {UK Government}, url = {https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games}, language = {English}, urldate = {2020-10-23} } UK exposes series of Russian cyber attacks against Olympic and Paralympic Games
VPNFilter BlackEnergy EternalPetya Industroyer
2020-10-19Riskint BlogCurtis
@online{curtis:20201019:revisited:df05745, author = {Curtis}, title = {{Revisited: Fancy Bear's New Faces...and Sandworms' too}}, date = {2020-10-19}, organization = {Riskint Blog}, url = {https://www.riskint.blog/post/revisited-fancy-bear-s-new-faces-and-sandworms-too}, language = {English}, urldate = {2020-10-23} } Revisited: Fancy Bear's New Faces...and Sandworms' too
BlackEnergy EternalPetya Industroyer Olympic Destroyer
2020-05-21PICUS SecuritySüleyman Özarslan
@online{zarslan:20200521:t1055:4400f98, author = {Süleyman Özarslan}, title = {{T1055 Process Injection}}, date = {2020-05-21}, organization = {PICUS Security}, url = {https://www.picussecurity.com/blog/picus-10-critical-mitre-attck-techniques-t1055-process-injection}, language = {English}, urldate = {2020-06-03} } T1055 Process Injection
BlackEnergy Cardinal RAT Downdelph Emotet Kazuar RokRAT SOUNDBITE
2020SecureworksSecureWorks
@online{secureworks:2020:iron:3c939bc, author = {SecureWorks}, title = {{IRON VIKING}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/iron-viking}, language = {English}, urldate = {2020-05-23} } IRON VIKING
BlackEnergy EternalPetya GreyEnergy Industroyer KillDisk TeleBot TeleDoor
2019-05-08Verizon Communications Inc.Verizon Communications Inc.
@techreport{inc:20190508:2019:3c20a3b, author = {Verizon Communications Inc.}, title = {{2019 Data Breach Investigations Report}}, date = {2019-05-08}, institution = {Verizon Communications Inc.}, url = {https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf}, language = {English}, urldate = {2020-05-10} } 2019 Data Breach Investigations Report
BlackEnergy Cobalt Strike DanaBot Gandcrab GreyEnergy Mirai Olympic Destroyer SamSam
2019-01-18Mark Edmondson
@online{edmondson:20190118:black:e66dcec, author = {Mark Edmondson}, title = {{BLACK ENERGY – Analysis}}, date = {2019-01-18}, url = {https://marcusedmondson.com/2019/01/18/black-energy-analysis/}, language = {English}, urldate = {2020-01-08} } BLACK ENERGY – Analysis
BlackEnergy
2017-09-18ThreatConnectPaul Vann
@online{vann:20170918:casting:87b63a9, author = {Paul Vann}, title = {{Casting a Light on BlackEnergy}}, date = {2017-09-18}, organization = {ThreatConnect}, url = {https://threatconnect.com/blog/casting-a-light-on-blackenergy/}, language = {English}, urldate = {2020-01-13} } Casting a Light on BlackEnergy
BlackEnergy
2017-07-03ESET ResearchAnton Cherepanov, Robert Lipovsky
@techreport{cherepanov:20170703:blackenergy:2403feb, author = {Anton Cherepanov and Robert Lipovsky}, title = {{BlackEnergy – what we really know about the notorious cyber attacks}}, date = {2017-07-03}, institution = {ESET Research}, url = {https://www.virusbulletin.com/uploads/pdf/magazine/2016/VB2016-Cherepanov-Lipovsky.pdf}, language = {English}, urldate = {2019-10-14} } BlackEnergy – what we really know about the notorious cyber attacks
BlackEnergy
2016-01-28Kaspersky LabsGReAT
@online{great:20160128:blackenergy:3c2a914, author = {GReAT}, title = {{BlackEnergy APT Attacks in Ukraine employ spearphishing with Word documents}}, date = {2016-01-28}, organization = {Kaspersky Labs}, url = {https://securelist.com/blackenergy-apt-attacks-in-ukraine-employ-spearphishing-with-word-documents/73440/}, language = {English}, urldate = {2019-12-20} } BlackEnergy APT Attacks in Ukraine employ spearphishing with Word documents
BlackEnergy
2015-02-17Kaspersky LabsKurt Baumgartner, Maria Garnaeva
@online{baumgartner:20150217:be2:f7ce288, author = {Kurt Baumgartner and Maria Garnaeva}, title = {{BE2 extraordinary plugins, Siemens targeting, dev fails}}, date = {2015-02-17}, organization = {Kaspersky Labs}, url = {https://securelist.com/be2-extraordinary-plugins-siemens-targeting-dev-fails/68838/}, language = {English}, urldate = {2019-12-20} } BE2 extraordinary plugins, Siemens targeting, dev fails
BlackEnergy
2014-11-03Kaspersky LabsKurt Baumgartner, Maria Garnaeva
@online{baumgartner:20141103:be2:ea8544a, author = {Kurt Baumgartner and Maria Garnaeva}, title = {{BE2 custom plugins, router abuse, and target profiles}}, date = {2014-11-03}, organization = {Kaspersky Labs}, url = {https://securelist.com/be2-custom-plugins-router-abuse-and-target-profiles/67353/}, language = {English}, urldate = {2019-12-20} } BE2 custom plugins, router abuse, and target profiles
BlackEnergy
2014-10-14ESET ResearchRobert Lipovsky
@online{lipovsky:20141014:cve20144114:49123f0, author = {Robert Lipovsky}, title = {{CVE‑2014‑4114: Details on August BlackEnergy PowerPoint Campaigns}}, date = {2014-10-14}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2014/10/14/cve-2014-4114-details-august-blackenergy-powerpoint-campaigns/}, language = {English}, urldate = {2019-11-14} } CVE‑2014‑4114: Details on August BlackEnergy PowerPoint Campaigns
BlackEnergy
2010-07-15Kaspersky LabsDmitry Tarakanov
@online{tarakanov:20100715:black:e6d41f9, author = {Dmitry Tarakanov}, title = {{Black DDoS}}, date = {2010-07-15}, organization = {Kaspersky Labs}, url = {https://securelist.com/black-ddos/36309/}, language = {English}, urldate = {2019-12-20} } Black DDoS
BlackEnergy
2010-03-03FireEyeJulia Wolf
@online{wolf:20100303:black:6ee657a, author = {Julia Wolf}, title = {{Black Energy Crypto}}, date = {2010-03-03}, organization = {FireEye}, url = {https://web.archive.org/web/20140428201836/http://www.fireeye.com/blog/technical/malware-research/2010/03/black-energy-crypto.html}, language = {English}, urldate = {2020-02-27} } Black Energy Crypto
BlackEnergy
2010-03-03SecureworksJoe Stewart
@online{stewart:20100303:blackenergy:d3aa259, author = {Joe Stewart}, title = {{BlackEnergy Version 2 Threat Analysis}}, date = {2010-03-03}, organization = {Secureworks}, url = {https://www.secureworks.com/research/blackenergy2}, language = {English}, urldate = {2019-10-15} } BlackEnergy Version 2 Threat Analysis
BlackEnergy
2007-10Arbor NetworksJose Nazario
@techreport{nazario:200710:blackenergy:f414256, author = {Jose Nazario}, title = {{BlackEnergy DDoS Bot Analysis}}, date = {2007-10}, institution = {Arbor Networks}, url = {http://pds15.egloos.com/pds/201001/01/66/BlackEnergy_DDoS_Bot_Analysis.pdf}, language = {English}, urldate = {2022-04-25} } BlackEnergy DDoS Bot Analysis
BlackEnergy
Yara Rules
[TLP:WHITE] win_blackenergy_auto (20220411 | Detects win.blackenergy.)
rule win_blackenergy_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-04-08"
        version = "1"
        description = "Detects win.blackenergy."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackenergy"
        malpedia_rule_date = "20220405"
        malpedia_hash = "ecd38294bd47d5589be5cd5490dc8bb4804afc2a"
        malpedia_version = "20220411"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 83c104 8bc2 83e804 7828 3bc8 7324 8b06 }
            // n = 7, score = 200
            //   83c104               | add                 ecx, 4
            //   8bc2                 | mov                 eax, edx
            //   83e804               | sub                 eax, 4
            //   7828                 | js                  0x2a
            //   3bc8                 | cmp                 ecx, eax
            //   7324                 | jae                 0x26
            //   8b06                 | mov                 eax, dword ptr [esi]

        $sequence_1 = { 83c014 891e 8901 33db 43 53 8d45fc }
            // n = 7, score = 200
            //   83c014               | add                 eax, 0x14
            //   891e                 | mov                 dword ptr [esi], ebx
            //   8901                 | mov                 dword ptr [ecx], eax
            //   33db                 | xor                 ebx, ebx
            //   43                   | inc                 ebx
            //   53                   | push                ebx
            //   8d45fc               | lea                 eax, dword ptr [ebp - 4]

        $sequence_2 = { 75de 58 4e c745f401000000 e9???????? c745ec00000000 8945e0 }
            // n = 7, score = 200
            //   75de                 | jne                 0xffffffe0
            //   58                   | pop                 eax
            //   4e                   | dec                 esi
            //   c745f401000000       | mov                 dword ptr [ebp - 0xc], 1
            //   e9????????           |                     
            //   c745ec00000000       | mov                 dword ptr [ebp - 0x14], 0
            //   8945e0               | mov                 dword ptr [ebp - 0x20], eax

        $sequence_3 = { 8b35???????? 53 ffd6 397dfc 7405 ff75fc }
            // n = 6, score = 200
            //   8b35????????         |                     
            //   53                   | push                ebx
            //   ffd6                 | call                esi
            //   397dfc               | cmp                 dword ptr [ebp - 4], edi
            //   7405                 | je                  7
            //   ff75fc               | push                dword ptr [ebp - 4]

        $sequence_4 = { 50 47 57 6a05 58 e8???????? }
            // n = 6, score = 200
            //   50                   | push                eax
            //   47                   | inc                 edi
            //   57                   | push                edi
            //   6a05                 | push                5
            //   58                   | pop                 eax
            //   e8????????           |                     

        $sequence_5 = { 85c0 7427 0fb74b10 894d14 8945fc 8b7dfc }
            // n = 6, score = 200
            //   85c0                 | test                eax, eax
            //   7427                 | je                  0x29
            //   0fb74b10             | movzx               ecx, word ptr [ebx + 0x10]
            //   894d14               | mov                 dword ptr [ebp + 0x14], ecx
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   8b7dfc               | mov                 edi, dword ptr [ebp - 4]

        $sequence_6 = { 5d c20400 55 8bec 83ec0c 57 33ff }
            // n = 7, score = 200
            //   5d                   | pop                 ebp
            //   c20400               | ret                 4
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   83ec0c               | sub                 esp, 0xc
            //   57                   | push                edi
            //   33ff                 | xor                 edi, edi

        $sequence_7 = { 8d7c2452 ab ab ab 33f6 }
            // n = 5, score = 200
            //   8d7c2452             | lea                 edi, dword ptr [esp + 0x52]
            //   ab                   | stosd               dword ptr es:[edi], eax
            //   ab                   | stosd               dword ptr es:[edi], eax
            //   ab                   | stosd               dword ptr es:[edi], eax
            //   33f6                 | xor                 esi, esi

        $sequence_8 = { 0f8450010000 50 e8???????? 68???????? 53 ff15???????? 8b4320 }
            // n = 7, score = 200
            //   0f8450010000         | je                  0x156
            //   50                   | push                eax
            //   e8????????           |                     
            //   68????????           |                     
            //   53                   | push                ebx
            //   ff15????????         |                     
            //   8b4320               | mov                 eax, dword ptr [ebx + 0x20]

        $sequence_9 = { 8b45c4 898578ffffff 8a856effffff 88856fffffff 8b45d4 898570ffffff c78574ffffff01000000 }
            // n = 7, score = 200
            //   8b45c4               | mov                 eax, dword ptr [ebp - 0x3c]
            //   898578ffffff         | mov                 dword ptr [ebp - 0x88], eax
            //   8a856effffff         | mov                 al, byte ptr [ebp - 0x92]
            //   88856fffffff         | mov                 byte ptr [ebp - 0x91], al
            //   8b45d4               | mov                 eax, dword ptr [ebp - 0x2c]
            //   898570ffffff         | mov                 dword ptr [ebp - 0x90], eax
            //   c78574ffffff01000000     | mov    dword ptr [ebp - 0x8c], 1

    condition:
        7 of them and filesize < 98304
}
Download all Yara Rules