Where am I?
SECURITM is an SGRC system that automates the processes of an information security department. SECURITM helps build and manage personal data information systems (ИСПДн), critical information infrastructure (КИИ), state information systems (ГИС), an ISMS (СМИБ/СУИБ), and banking security systems.
SECURITM is also a place where security teams exchange experience and work products.

BlackEnergy

BlackEnergy is a malware toolkit that has been used by both criminal and APT actors. It dates back to at least 2007 and was originally designed to create botnets for use in conducting Distributed Denial of Service (DDoS) attacks, but its use has evolved to support various plug-ins. It is well known for being used during the confrontation between Georgia and Russia in 2008, as well as in targeting Ukrainian institutions. Variants include BlackEnergy 2 and BlackEnergy 3. (Citation: F-Secure BlackEnergy 2014)
ID: S0089
Type: MALWARE
Platforms: Windows
Version: 1.3
Created: 31 May 2017
Last Modified: 12 Oct 2022

Techniques Used

Domain ID Name Use
Enterprise T1548 .002 Abuse Elevation Control Mechanism: Bypass User Account Control

BlackEnergy attempts to bypass default User Account Control (UAC) settings by exploiting a backward-compatibility setting found in Windows 7 and later.(Citation: F-Secure BlackEnergy 2014)

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

BlackEnergy communicates with its C2 server over HTTP.(Citation: F-Secure BlackEnergy 2014)

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

The BlackEnergy 3 variant drops its main DLL component and then creates a .lnk shortcut to that file in the startup folder.(Citation: F-Secure BlackEnergy 2014)

Enterprise T1547 .009 Boot or Logon Autostart Execution: Shortcut Modification

The BlackEnergy 3 variant drops its main DLL component and then creates a .lnk shortcut to that file in the startup folder.(Citation: F-Secure BlackEnergy 2014)
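The two rows above describe the same artifact: a .lnk in a Startup folder whose purpose is to get a DLL loaded at logon. The script below is an added example, not code from the page or from the F-Secure report, that audits both Startup folders for that pattern. It assumes (nothing on the page says so) that a shortcut is resolved with the WScript.Shell COM object and that the loaded file is the shortcut target itself or, when the target is rundll32.exe or regsvr32.exe, the first argument; a hit is reported when that file is a DLL, lives under a user-writable directory, is missing, or fails Authenticode validation.

```powershell
# Added example (not from the page or the F-Secure report): audit Startup-folder shortcuts
# for the BlackEnergy 3 persistence pattern, a .lnk that gets a DLL loaded at logon.
# Assumed heuristics: target is a DLL, or a rundll32/regsvr32 launcher, or sits in a
# user-writable path, or is missing, or has no valid Authenticode signature.

function Get-SuspiciousStartupShortcut {
    [CmdletBinding()]
    param(
        [string[]]$StartupDir = @(
            [Environment]::GetFolderPath('Startup'),       # per-user Startup folder
            [Environment]::GetFolderPath('CommonStartup')  # all-users Startup folder
        )
    )
    $shell = New-Object -ComObject WScript.Shell
    # Directories an ordinary user can write to; a legitimate autostart rarely lives here.
    $userWritable = '(?i)\\Users\\|\\AppData\\|\\ProgramData\\|\\Temp\\|\\Public\\'

    foreach ($dir in $StartupDir) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        foreach ($file in Get-ChildItem -LiteralPath $dir -Filter '*.lnk' -File) {
            $lnk       = $shell.CreateShortcut($file.FullName)
            $target    = $lnk.TargetPath
            $arguments = $lnk.Arguments
            $reasons   = New-Object System.Collections.Generic.List[string]

            # The file that actually gets loaded: the target itself, or for rundll32/regsvr32
            # the first argument (rundll32 takes "<file>,<export>"; strip quotes and export).
            $loaded = $target
            if ($target -match '(?i)\\(rundll32|regsvr32)\.exe$') {
                $reasons.Add("launched via $($Matches[1])")
                $loaded = ($arguments -replace '^\s*"?([^",]+)"?.*$', '$1').Trim()
            }
            if ($loaded -match '(?i)\.dll$')  { $reasons.Add('target is a DLL') }
            if ($loaded -match $userWritable) { $reasons.Add('target in user-writable path') }
            if ($loaded -and (Test-Path -LiteralPath $loaded)) {
                $sig = Get-AuthenticodeSignature -FilePath $loaded
                if ($sig.Status -ne 'Valid') { $reasons.Add("signature: $($sig.Status)") }
            } elseif ($loaded) {
                $reasons.Add('target missing on disk')
            }

            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Shortcut  = $file.FullName
                    Target    = $target
                    Arguments = $arguments
                    Loads     = $loaded
                    Reasons   = ($reasons -join '; ')
                }
            }
        }
    }
}

Get-SuspiciousStartupShortcut | Format-Table -AutoSize
```

The check deliberately keys on the file that ends up loaded rather than on the `.dll` extension alone: a dropped component can carry any extension when rundll32 is the launcher, so the user-writable-path and signature reasons are the ones that matter for that case.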

Enterprise T1543 .003 Create or Modify System Process: Windows Service

One variant of BlackEnergy creates a new service using either a hard-coded or randomly generated name.(Citation: F-Secure BlackEnergy 2014)

Enterprise T1555 .003 Credentials from Password Stores: Credentials from Web Browsers

BlackEnergy has used a plug-in to gather credentials from web browsers including Firefox, Google Chrome, and Internet Explorer.(Citation: F-Secure BlackEnergy 2014)(Citation: Securelist BlackEnergy Nov 2014)

Enterprise T1574 .010 Hijack Execution Flow: Services File Permissions Weakness

One variant of BlackEnergy locates existing driver services that have been disabled and drops its driver component into the path of one of those services, replacing the legitimate executable. The malware then sets the hijacked service to start automatically to establish persistence.(Citation: F-Secure BlackEnergy 2014)
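Both the new-service row (T1543.003) and the hijacked-driver row above leave the same trace: a kernel driver service that starts automatically and whose image does not belong there. The script below is an added example, not code from the page or from the F-Secure report, that audits driver services for that trace. It assumes (the page does not say this) that Win32_SystemDriver returns a usable image path, and it reports a driver when the image is missing, is not validly signed, was written within a configurable window, or when its file or directory is writable by Everyone, Users or Authenticated Users (the file-permission weakness of T1574.010).

```powershell
# Added example (not from the page or the F-Secure report): audit kernel driver services for
# the BlackEnergy pattern of a driver binary swapped into a service's path and the service
# switched to automatic start. Assumed heuristics: unsigned/invalid image, recently written
# image, missing image, or image/directory writable by low-privilege identities.

function Get-SuspiciousDriverService {
    [CmdletBinding()]
    param(
        [int]$RecentDays = 30,   # how recent a LastWriteTime counts as "recently dropped"
        [switch]$AllStartModes   # by default only Boot/System/Auto drivers are reported
    )
    $cutoff = (Get-Date).AddDays(-$RecentDays)
    # Identities that should never hold write access to a driver image or its directory.
    $lowPriv = '(?i)^(Everyone|BUILTIN\\Users|NT AUTHORITY\\Authenticated Users)$'

    foreach ($drv in Get-CimInstance -ClassName Win32_SystemDriver) {
        if (-not $AllStartModes -and $drv.StartMode -notin 'Boot','System','Auto') { continue }
        $path = $drv.PathName
        if (-not $path) { continue }
        # Some entries still carry NT object-manager prefixes; normalise to a Win32 path.
        $path = $path -replace '^\\\?\?\\', '' -replace '^(?i)\\SystemRoot', $env:SystemRoot
        $reasons = New-Object System.Collections.Generic.List[string]

        if (-not (Test-Path -LiteralPath $path)) {
            $reasons.Add('image missing on disk')
        } else {
            $sig = Get-AuthenticodeSignature -FilePath $path
            if ($sig.Status -ne 'Valid') { $reasons.Add("signature: $($sig.Status)") }
            $item = Get-Item -LiteralPath $path
            if ($item.LastWriteTime -gt $cutoff) {
                $reasons.Add("written $($item.LastWriteTime.ToShortDateString())")
            }
            # T1574.010: who may replace the image, or drop a file beside it?
            foreach ($obj in $path, (Split-Path -Parent $path)) {
                $acl = Get-Acl -LiteralPath $obj
                foreach ($ace in $acl.Access) {
                    if ($ace.AccessControlType -eq 'Allow' -and
                        $ace.IdentityReference.Value -match $lowPriv -and
                        "$($ace.FileSystemRights)" -match '\b(Write|WriteData|Modify|FullControl)\b') {
                        $reasons.Add("$($ace.IdentityReference) can write $obj")
                    }
                }
            }
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Service   = $drv.Name
                StartMode = $drv.StartMode
                State     = $drv.State
                Image     = $path
                Reasons   = ($reasons -join '; ')
            }
        }
    }
}

Get-SuspiciousDriverService | Format-Table -AutoSize
```

Run it elevated so that Get-Acl can read every driver directory. A driver that was Disabled yesterday and is Auto today is exactly what the start-mode filter surfaces, so keep a baseline of the output and diff it rather than reading a single run in isolation.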

Enterprise T1070 .001 Indicator Removal: Clear Windows Event Logs

The BlackEnergy component KillDisk is capable of deleting Windows Event Logs.(Citation: ESET BlackEnergy Jan 2016)

Enterprise T1056 .001 Input Capture: Keylogging

BlackEnergy has run a keylogger plug-in on a victim.(Citation: Securelist BlackEnergy Nov 2014)

Enterprise T1055 .001 Process Injection: Dynamic-link Library Injection

BlackEnergy injects its DLL component into svchost.exe.(Citation: F-Secure BlackEnergy 2014)
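An injected DLL has to appear in the host process's module list, so the cheapest check for the row above is to look at what svchost.exe instances have loaded. The script below is an added example, not code from the page or from the F-Secure report. It assumes (the page does not say this) that it runs elevated, since the module lists of SYSTEM-owned svchost instances are not readable otherwise, and it reports a module when it lives outside the Windows directory or fails Authenticode validation; instances whose modules still cannot be enumerated are reported rather than silently skipped.

```powershell
# Added example (not from the page or the F-Secure report): list modules loaded into
# svchost.exe that sit outside the Windows directory or are not validly signed, which is
# how an injected DLL shows up. Assumed: run elevated; protected processes are reported.

function Get-SuspiciousSvchostModule {
    [CmdletBinding()]
    param([string]$ProcessName = 'svchost')
    $windir = [regex]::Escape($env:SystemRoot)
    $cache  = @{}   # path -> signature status, so each DLL is verified once

    foreach ($proc in Get-Process -Name $ProcessName -ErrorAction SilentlyContinue) {
        try {
            $modules = $proc.Modules
        } catch {
            [pscustomobject]@{
                PID    = $proc.Id
                Module = $null
                Reason = "cannot enumerate modules: $($_.Exception.Message)"
            }
            continue
        }
        foreach ($m in $modules) {
            $path = $m.FileName
            if (-not $path) { continue }
            $reasons = New-Object System.Collections.Generic.List[string]
            if ($path -notmatch "(?i)^$windir\\") { $reasons.Add('outside the Windows directory') }
            if (-not $cache.ContainsKey($path)) {
                $cache[$path] = (Get-AuthenticodeSignature -FilePath $path).Status
            }
            if ($cache[$path] -ne 'Valid') { $reasons.Add("signature: $($cache[$path])") }
            if ($reasons.Count -gt 0) {
                [pscustomobject]@{ PID = $proc.Id; Module = $path; Reason = ($reasons -join '; ') }
            }
        }
    }
}

Get-SuspiciousSvchostModule | Format-Table -AutoSize
```

On older Windows builds many system DLLs are catalog-signed rather than carrying an embedded signature, so the signature reason alone can over-report there; a module loaded from outside the Windows directory is the stronger signal. A DLL mapped into the process without a file on disk (reflective loading) does not appear in `Modules` at all, so this check covers the injection the page describes, not every injection technique.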

Enterprise T1021 .002 Remote Services: SMB/Windows Admin Shares

BlackEnergy has run a plug-in on a victim to spread through the local network by using PsExec and accessing admin shares.(Citation: Securelist BlackEnergy Nov 2014)

Enterprise T1553 .006 Subvert Trust Controls: Code Signing Policy Modification

BlackEnergy has enabled the TESTSIGNING boot configuration option to facilitate loading of a driver component.(Citation: F-Secure BlackEnergy 2014)
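The boot option in the row above is a persistent, machine-wide relaxation of driver signature enforcement, so it is worth checking on its own. The script below is an added example, not code from the page or from the F-Secure report. It assumes (the page does not say this) that bcdedit.exe runs elevated and that its option names are not localised while its values are: a value is treated as enabled unless it is literally "No", so on non-English Windows the check errs on the side of reporting. It also checks `nointegritychecks`, the other option with the same effect, and offers a `-WhatIf`-capable revert.

```powershell
# Added example (not from the page or the F-Secure report): detect boot options that relax
# driver signature enforcement (testsigning, nointegritychecks) and revert them.
# Assumed: bcdedit.exe is run elevated; option names are not localised, values may be.

function Get-BootSigningPolicy {
    [CmdletBinding()]
    param([string]$Identifier = '{current}')   # passed via a variable; a bare {current}
                                               # on the command line is parsed as a scriptblock
    $output = & bcdedit.exe /enum $Identifier 2>&1
    if ($LASTEXITCODE -ne 0) { throw "bcdedit failed (run elevated?): $output" }

    # bcdedit omits an option that is not set, so the defaults below are the clean state.
    $result = [ordered]@{ Identifier = $Identifier; testsigning = $false; nointegritychecks = $false }
    foreach ($line in $output) {
        if ($line -match '^\s*(testsigning|nointegritychecks)\s+(\S+)') {
            $result[$Matches[1]] = ($Matches[2] -ne 'No')
        }
    }
    [pscustomobject]$result
}

function Disable-BootSigningBypass {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Identifier = '{current}')
    foreach ($opt in 'testsigning', 'nointegritychecks') {
        if ($PSCmdlet.ShouldProcess($Identifier, "bcdedit /set $opt off")) {
            & bcdedit.exe /set $Identifier $opt off | Out-Null
        }
    }
}

$policy = Get-BootSigningPolicy
$policy
if ($policy.testsigning -or $policy.nointegritychecks) {
    Write-Warning 'Driver signature enforcement is relaxed on this boot entry; investigate before reverting.'
    # Disable-BootSigningBypass -WhatIf   # drop -WhatIf to actually revert the setting
}
```

Reverting the option removes the malware's ability to load its unsigned driver at the next boot, but it does not remove the driver or the service that loads it; pair the revert with the driver-service audit and treat an unexpected `testsigning Yes` as an incident indicator, not a misconfiguration.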

Enterprise T1552 .001 Unsecured Credentials: Credentials In Files

BlackEnergy has used a plug-in to gather credentials stored in files on the host by various software programs, including The Bat! email client, Outlook, and Windows Credential Store.(Citation: F-Secure BlackEnergy 2014)(Citation: Securelist BlackEnergy Nov 2014)

Groups That Use This Software

ID Name References
G0034 Sandworm Team

(Citation: iSIGHT Sandworm 2014) (Citation: F-Secure BlackEnergy 2014) (Citation: US District Court Indictment GRU Unit 74455 October 2020) (Citation: UK NCSC Olympic Attacks October 2020) (Citation: Secureworks IRON VIKING)
