| Field | Value |
|---|---|
| ID | X0002 |
| Type | Bot/Botnet, DDoS |
| Aliases | None |
| Platforms | Windows |
| Year | 2007 |
| Associated ATT&CK Software | BlackEnergy |

# BlackEnergy

An HTTP-based botnet used mostly for DDoS attacks. [1]

## ATT&CK Techniques

| Name | Use |
|---|---|
| Execution::Shared Modules (T1129) | BlackEnergy accesses PEB ldr_data. [4] |

See ATT&CK: BlackEnergy - Techniques Used.

## Enhanced ATT&CK Techniques

| Name | Use |
|---|---|
| Defense Evasion::Process Injection::Injection using Shims (E1055.m05) | Malware bypasses UAC using a Shim Database that instructs SndVol.exe to execute cmd.exe instead, allowing for elevated execution. [1] |
| Defense Evasion::Install Insecure or Malicious Configuration (B0047) | Malware sets the TESTSIGNING boot configuration option so that it can load its unsigned driver component. [1] |
| Defense Evasion::Indicator Blocking (F0006) | Malware clears Windows event logs and removes the desktop watermark associated with enabling the TESTSIGNING boot configuration option by removing the relevant strings from the system's user32.dll.mui. [1] |
| Persistence::Modify Existing Service (F0011) | Malware locates an inactive driver service to hijack and sets it to start automatically. [1] |
| Defense Evasion::Process Injection (E1055) | Malware injects its DLL component into svchost.exe. [1] |
| Discovery::System Information Discovery (E1082) | Malware uses Systeminfo to gather the OS version, system configuration, BIOS, motherboard, and processor details. [1] |
| Collection::Keylogging (F0002) | A keylogger plugin allows for the collection of keystrokes. [2] |
| Collection::Screen Capture (E1113) | Malware contains a screenshot plugin that allows for the collection of screenshots. [2] |
| Persistence::Registry Run Keys / Startup Folder (F0012) | The BlackEnergy 3 variant drops its main DLL component and then creates a .lnk shortcut to that file in the startup folder, allowing it to persist via a Run registry key. [1] [4] |
| Impact::Data Destruction (E1485) | The BlackEnergy 2 variant contains a Destroy plugin that destroys data stored on victim hard drives by overwriting file contents. [3] |
| Defense Evasion::Obfuscated Files or Information::Encryption-Standard Algorithm (E1027.m05) | BlackEnergy encrypts data using RC4 via the WinAPI. [4] |
| Discovery::File and Directory Discovery (E1083) | BlackEnergy gets the common file path. [4] |

## MBC Behaviors

| Name | Use |
|---|---|
| Impact::Denial of Service (B0033) | Malware was originally built to launch distributed denial of service attacks that can target more than one IP address per hostname. [1] |
| Execution::Remote Commands (B0011) | Malware-infected bots receive commands from the botmaster to load plugins associated with the botmaster's goals. [1] |
| Anti-Static Analysis::Disassembler Evasion::Argument Obfuscation (B0012.001) | BlackEnergy contains obfuscated stack strings. [4] |
| Communication::HTTP Communication::Extract Body (C0002.011) | BlackEnergy extracts the HTTP body. [4] |
| Communication::HTTP Communication::IWebBrowser (C0002.010) | The malware initializes IWebBrowser2. [4] |
| Cryptography::Cryptographic Hash (C0029) | BlackEnergy hashes data via WinCrypt. [4] |
| Cryptography::Cryptographic Hash::MD5 (C0029.001) | BlackEnergy hashes data with MD5. [4] |
| Cryptography::Cryptographic Hash::SHA1 (C0029.002) | BlackEnergy hashes data using SHA1. [4] |
| Cryptography::Decrypt Data (C0031) | BlackEnergy encrypts or decrypts via WinCrypt. [4] |
| Cryptography::Encrypt Data::RC4 (C0027.009) | BlackEnergy encrypts data using RC4 via the WinAPI. [4] |
| Cryptography::Encryption Key (C0028) | BlackEnergy creates a new key via CryptAcquireContext. [4] |
| Cryptography::Generate Pseudo-random Sequence::Use API (C0021.003) | BlackEnergy generates random numbers via the WinAPI. [4] |
| Discovery::Code Discovery::Enumerate PE Sections (B0046.001) | BlackEnergy enumerates PE sections. [4] |
| Operating System::Registry::Query Registry Key (C0036.005) | BlackEnergy queries or enumerates a registry key. [4] |
| Operating System::Registry::Query Registry Value (C0036.006) | BlackEnergy queries or enumerates a registry value. [4] |
| Process::Create Process (C0017) | BlackEnergy creates a process on Windows. [4] |
| Process::Terminate Process (C0018) | BlackEnergy terminates a process via fastfail. [4] |

## Indicators of Compromise

### SHA256 Hashes


## References

[1] https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf

[2] https://securelist.com/be2-custom-plugins-router-abuse-and-target-profiles/67353/

[3] https://securelist.com/be2-extraordinary-plugins-siemens-targeting-dev-fails/68838/

[4] capa v4.0, analyzed at MITRE on 10/12/2022