BlackEnergy - S0089 (54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4)

BlackEnergy is a malware toolkit that has been used by both criminal and APT actors. It dates back to at least 2007 and was originally designed to create botnets for use in conducting Distributed Denial of Service (DDoS) attacks, but its use has evolved to support various plug-ins. It is well known for being used during the confrontation between Georgia and Russia in 2008, as well as in targeting Ukrainian institutions. Variants include BlackEnergy 2 and BlackEnergy 3. (Citation: F-Secure BlackEnergy 2014)

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	BlackEnergy - S0089 (54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4)	Malware	1
Services File Permissions Weakness - T1574.010 (9e8b28c9-35fe-48ac-a14d-e6cc032dcbcd)	Attack Pattern	BlackEnergy - S0089 (54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4)	Malware	1
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	BlackEnergy - S0089 (54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4)	Malware	1
Network Service Discovery - T1046 (e3a12395-188d-4051-9a16-ea8e14d07b88)	Attack Pattern	BlackEnergy - S0089 (54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4)	Malware	1
BlackEnergy (82c644ab-550a-4a83-9b35-d545f4719069)	Malpedia	BlackEnergy - S0089 (54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4)	Malware	1
Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055)	Attack Pattern	BlackEnergy - S0089 (54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4)	Malware	1
Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073)	Attack Pattern	BlackEnergy - S0089 (54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4)	Malware	1
BlackEnergy (5a22cad7-65fa-4b7a-a7aa-7915a6101efa)	Tool	BlackEnergy - S0089 (54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4)	Malware	1
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	BlackEnergy - S0089 (54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4)	Malware	1
Fallback Channels - T1008 (f24faf46-3b26-4dbb-98f2-63460498e433)	Attack Pattern	BlackEnergy - S0089 (54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4)	Malware	1
Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8)	Attack Pattern	BlackEnergy - S0089 (54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4)	Malware	1
System Network Connections Discovery - T1049 (7e150503-88e7-4861-866b-ff1ac82c4475)	Attack Pattern	BlackEnergy - S0089 (54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4)	Malware	1
Code Signing Policy Modification - T1553.006 (565275d5-fcc3-4b66-b4e7-928e4cac6b8c)	Attack Pattern	BlackEnergy - S0089 (54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4)	Malware	1
Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945)	Attack Pattern	BlackEnergy - S0089 (54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4)	Malware	1
Shortcut Modification - T1547.009 (4ab929c6-ee2d-4fb5-aab4-b14be2ed7179)	Attack Pattern	BlackEnergy - S0089 (54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4)	Malware	1
Peripheral Device Discovery - T1120 (348f1eef-964b-4eb6-bb53-69b3dcb0c643)	Attack Pattern	BlackEnergy - S0089 (54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4)	Malware	1
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4)	Attack Pattern	BlackEnergy - S0089 (54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4)	Malware	1
Credentials In Files - T1552.001 (837f9164-50af-4ac0-8219-379d8a74cefc)	Attack Pattern	BlackEnergy - S0089 (54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4)	Malware	1
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	BlackEnergy - S0089 (54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4)	Malware	1
Clear Windows Event Logs - T1070.001 (6495ae23-3ab4-43c5-a94f-5638a2c31fd2)	Attack Pattern	BlackEnergy - S0089 (54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4)	Malware	1
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	BlackEnergy - S0089 (54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4)	Malware	1
SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541)	Attack Pattern	BlackEnergy - S0089 (54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4)	Malware	1
Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688)	Attack Pattern	BlackEnergy - S0089 (54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4)	Malware	1
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	BlackEnergy - S0089 (54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4)	Malware	1
Data Destruction - T1485 (d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c)	Attack Pattern	BlackEnergy - S0089 (54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4)	Malware	1
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	BlackEnergy - S0089 (54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4)	Malware	1
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	BlackEnergy - S0089 (54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4)	Malware	1
Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6)	Attack Pattern	Services File Permissions Weakness - T1574.010 (9e8b28c9-35fe-48ac-a14d-e6cc032dcbcd)	Attack Pattern	2
Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073)	Attack Pattern	Abuse Elevation Control Mechanism - T1548 (67720091-eee3-4d2d-ae16-8264567f6f5b)	Attack Pattern	2
BlackEnergy (82c644ab-550a-4a83-9b35-d545f4719069)	Malpedia	BlackEnergy (5a22cad7-65fa-4b7a-a7aa-7915a6101efa)	Tool	2
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0)	Attack Pattern	Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8)	Attack Pattern	2
Code Signing Policy Modification - T1553.006 (565275d5-fcc3-4b66-b4e7-928e4cac6b8c)	Attack Pattern	Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7)	Attack Pattern	2
Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945)	Attack Pattern	Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d)	Attack Pattern	2
Shortcut Modification - T1547.009 (4ab929c6-ee2d-4fb5-aab4-b14be2ed7179)	Attack Pattern	Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf)	Attack Pattern	2
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4)	Attack Pattern	Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2)	Attack Pattern	2
Credentials In Files - T1552.001 (837f9164-50af-4ac0-8219-379d8a74cefc)	Attack Pattern	Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517)	Attack Pattern	2
Clear Windows Event Logs - T1070.001 (6495ae23-3ab4-43c5-a94f-5638a2c31fd2)	Attack Pattern	Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	2
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6)	Attack Pattern	2
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba)	Attack Pattern	SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541)	Attack Pattern	2
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5)	Attack Pattern	2
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf)	Attack Pattern	2