BlackEnergy
Techniques Used

Domain | ID | Name | Use
---|---|---|---
Enterprise | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | BlackEnergy attempts to bypass default User Account Control (UAC) settings by exploiting a backward-compatibility setting found in Windows 7 and later. (Citation: F-Secure BlackEnergy 2014)
Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | BlackEnergy communicates with its C2 server over HTTP. (Citation: F-Secure BlackEnergy 2014)
Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | The BlackEnergy 3 variant drops its main DLL component and then creates a .lnk shortcut to that file in the startup folder. (Citation: F-Secure BlackEnergy 2014)
Enterprise | T1547.009 | Boot or Logon Autostart Execution: Shortcut Modification | The BlackEnergy 3 variant drops its main DLL component and then creates a .lnk shortcut to that file in the startup folder. (Citation: F-Secure BlackEnergy 2014)
Enterprise | T1543.003 | Create or Modify System Process: Windows Service | One variant of BlackEnergy creates a new service using either a hard-coded or randomly generated name. (Citation: F-Secure BlackEnergy 2014)
Enterprise | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | BlackEnergy has used a plug-in to gather credentials from web browsers including Firefox, Google Chrome, and Internet Explorer. (Citation: F-Secure BlackEnergy 2014) (Citation: Securelist BlackEnergy Nov 2014)
Enterprise | T1574.010 | Hijack Execution Flow: Services File Permissions Weakness | One variant of BlackEnergy locates existing driver services that have been disabled and drops its driver component into one of those services' paths, replacing the legitimate executable. The malware then sets the hijacked service to start automatically to establish persistence. (Citation: F-Secure BlackEnergy 2014)
Enterprise | T1070.001 | Indicator Removal: Clear Windows Event Logs | The BlackEnergy component KillDisk is capable of deleting Windows Event Logs. (Citation: ESEST Black Energy Jan 2016)
Enterprise | T1056.001 | Input Capture: Keylogging | BlackEnergy has run a keylogger plug-in on a victim. (Citation: Securelist BlackEnergy Nov 2014)
Enterprise | T1055.001 | Process Injection: Dynamic-link Library Injection | BlackEnergy injects its DLL component into svchost.exe. (Citation: F-Secure BlackEnergy 2014)
Enterprise | T1021.002 | Remote Services: SMB/Windows Admin Shares | BlackEnergy has run a plug-in on a victim to spread through the local network by using PsExec and accessing admin shares. (Citation: Securelist BlackEnergy Nov 2014)
Enterprise | T1553.006 | Subvert Trust Controls: Code Signing Policy Modification | BlackEnergy has enabled the
Enterprise | T1552.001 | Unsecured Credentials: Credentials In Files | BlackEnergy has used a plug-in to gather credentials stored in files on the host by various software programs, including The Bat! email client, Outlook, and Windows Credential Store. (Citation: F-Secure BlackEnergy 2014) (Citation: Securelist BlackEnergy Nov 2014)
Groups That Use This Software

ID | Name | References
---|---|---
G0034 | Sandworm Team | (Citation: iSIGHT Sandworm 2014) (Citation: F-Secure BlackEnergy 2014) (Citation: US District Court Indictment GRU Unit 74455 October 2020) (Citation: UK NCSC Olympic Attacks October 2020) (Citation: Secureworks IRON VIKING)
References
- F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016.
- Baumgartner, K. and Garnaeva, M. (2014, November 3). BE2 custom plugins, router abuse, and target profiles. Retrieved March 24, 2016.
- Cherepanov, A. (2016, January 3). BlackEnergy by the SSHBearDoor: attacks against Ukrainian news media and electric industry. Retrieved June 10, 2020.
- Cherepanov, A. (2016, January 3). BlackEnergy by the SSHBearDoor: attacks against Ukrainian news media and electric industry. Retrieved May 18, 2016.
- Baumgartner, K. and Garnaeva, M. (2015, February 17). BE2 extraordinary plugins, Siemens targeting, dev fails. Retrieved March 24, 2016.
- Hultquist, J. (2016, January 7). Sandworm Team and the Ukrainian Power Authority Attacks. Retrieved October 6, 2017.
- Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al. Retrieved November 25, 2020.
- UK NCSC. (2020, October 19). UK exposes series of Russian cyber attacks against Olympic and Paralympic Games. Retrieved November 30, 2020.
- Secureworks. (2020, May 1). IRON VIKING Threat Profile. Retrieved June 10, 2020.