Skip to content

Hide Navigation Hide TOC

BlackEnergy (5a22cad7-65fa-4b7a-a7aa-7915a6101efa)

BlackEnergy is a trojan which has undergone significant functional changes since it was first publicly analysed by Arbor Networks in 2007. It has evolved from a relatively simple DDoS trojan into a relatively sophisticated piece of modern malware with a modular architecture, making it a suitable tool for sending spam and for online bank fraud, as well as for targeted attacks. BlackEnergy version 2, which featured rootkit techniques, was documented by SecureWorks in 2010. The targeted attacks recently discovered are proof that the trojan is still alive and kicking in 2014. We provide a technical analysis of the BlackEnergy family, focusing on novel functionality and the differences introduced by new lite variants. We describe the most notable aspects of the malware, including its techniques for bypassing UAC, defeating the signed driver requirement in Windows and a selection of BlackEnergy2 plug-ins used for parasitic file infections, network discovery and remote code execution and data collection.

Cluster A Galaxy A Cluster B Galaxy B Level
BlackEnergy (82c644ab-550a-4a83-9b35-d545f4719069) Malpedia BlackEnergy (5a22cad7-65fa-4b7a-a7aa-7915a6101efa) Tool 1
BlackEnergy (5a22cad7-65fa-4b7a-a7aa-7915a6101efa) Tool BlackEnergy - S0089 (54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4) Malware 1
Clear Windows Event Logs - T1070.001 (6495ae23-3ab4-43c5-a94f-5638a2c31fd2) Attack Pattern BlackEnergy - S0089 (54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4) Malware 2
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern BlackEnergy - S0089 (54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4) Malware 2
SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541) Attack Pattern BlackEnergy - S0089 (54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4) Malware 2
Fallback Channels - T1008 (f24faf46-3b26-4dbb-98f2-63460498e433) Attack Pattern BlackEnergy - S0089 (54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4) Malware 2
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern BlackEnergy - S0089 (54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4) Malware 2
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern BlackEnergy - S0089 (54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4) Malware 2
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern BlackEnergy - S0089 (54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4) Malware 2
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern BlackEnergy - S0089 (54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4) Malware 2
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern BlackEnergy - S0089 (54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4) Malware 2
BlackEnergy - S0089 (54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4) Malware Shortcut Modification - T1547.009 (4ab929c6-ee2d-4fb5-aab4-b14be2ed7179) Attack Pattern 2
BlackEnergy (82c644ab-550a-4a83-9b35-d545f4719069) Malpedia BlackEnergy - S0089 (54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4) Malware 2
Data Destruction - T1485 (d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c) Attack Pattern BlackEnergy - S0089 (54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4) Malware 2
Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688) Attack Pattern BlackEnergy - S0089 (54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4) Malware 2
Network Service Discovery - T1046 (e3a12395-188d-4051-9a16-ea8e14d07b88) Attack Pattern BlackEnergy - S0089 (54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4) Malware 2
Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055) Attack Pattern BlackEnergy - S0089 (54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4) Malware 2
Services File Permissions Weakness - T1574.010 (9e8b28c9-35fe-48ac-a14d-e6cc032dcbcd) Attack Pattern BlackEnergy - S0089 (54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4) Malware 2
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern BlackEnergy - S0089 (54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4) Malware 2
BlackEnergy - S0089 (54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4) Malware Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern 2
Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073) Attack Pattern BlackEnergy - S0089 (54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4) Malware 2
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern BlackEnergy - S0089 (54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4) Malware 2
Peripheral Device Discovery - T1120 (348f1eef-964b-4eb6-bb53-69b3dcb0c643) Attack Pattern BlackEnergy - S0089 (54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4) Malware 2
Credentials In Files - T1552.001 (837f9164-50af-4ac0-8219-379d8a74cefc) Attack Pattern BlackEnergy - S0089 (54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4) Malware 2
BlackEnergy - S0089 (54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4) Malware Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945) Attack Pattern 2
System Network Connections Discovery - T1049 (7e150503-88e7-4861-866b-ff1ac82c4475) Attack Pattern BlackEnergy - S0089 (54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4) Malware 2
Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) Attack Pattern BlackEnergy - S0089 (54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4) Malware 2
Code Signing Policy Modification - T1553.006 (565275d5-fcc3-4b66-b4e7-928e4cac6b8c) Attack Pattern BlackEnergy - S0089 (54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4) Malware 2
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern Clear Windows Event Logs - T1070.001 (6495ae23-3ab4-43c5-a94f-5638a2c31fd2) Attack Pattern 3
SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541) Attack Pattern Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern 3
Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2) Attack Pattern Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern 3
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern 3
Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern Shortcut Modification - T1547.009 (4ab929c6-ee2d-4fb5-aab4-b14be2ed7179) Attack Pattern 3
Services File Permissions Weakness - T1574.010 (9e8b28c9-35fe-48ac-a14d-e6cc032dcbcd) Attack Pattern Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) Attack Pattern 3
Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) Attack Pattern Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern 3
Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073) Attack Pattern Abuse Elevation Control Mechanism - T1548 (67720091-eee3-4d2d-ae16-8264567f6f5b) Attack Pattern 3
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern 3
Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) Attack Pattern Credentials In Files - T1552.001 (837f9164-50af-4ac0-8219-379d8a74cefc) Attack Pattern 3
Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) Attack Pattern Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945) Attack Pattern 3
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) Attack Pattern Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) Attack Pattern 3
Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7) Attack Pattern Code Signing Policy Modification - T1553.006 (565275d5-fcc3-4b66-b4e7-928e4cac6b8c) Attack Pattern 3