
BlackEnergy

BlackEnergy is a modular Windows malware family first identified in 2007 that evolved from an HTTP-based DDoS botnet/crimeware toolkit into a backdoor platform used for espionage, credential theft, destructive activity, and operations against critical infrastructure. The content describes multiple generations, including BlackEnergy 2 and BlackEnergy 3. BlackEnergy 2 spread mainly through targeted phishing emails and installed a driver component as a hidden Windows service/device driver, injected into svchost.exe, and included plug-ins such as one using WMI to gather victim host details. BlackEnergy 3 was delivered through phishing emails with malicious Microsoft Office VBA macro documents; the macro reconstructed and executed a dropper, wrote the core DLL as a hidden file under %APPDATA% (for example FONTCACHE.DAT), established persistence via a Startup .lnk that launched rundll32.exe against the DLL, injected into svchost.exe, and periodically spawned iexplore.exe instances that listened on UDP ports as a backdoor. BlackEnergy communicates with command-and-control over HTTP, including HTTP POST requests, and some samples used HTTP CONNECT tunneling and a fallback channel via plus.google.com.

Capabilities directly described in the content include host and network reconnaissance, process and system discovery, port scanning, USB device enumeration including device instance ID and drive geometry, collection of installed application and mail/browser/IM client information from the Registry, screenshot capture, keylogging, and credential theft. BlackEnergy used plug-ins to steal credentials from Firefox, Google Chrome, and Internet Explorer, and to gather credentials stored in files or stores associated with The Bat! email client, Outlook, and Windows Credential Store. It also used systeminfo, ipconfig, route, netstat, tasklist, and WMI for discovery. Persistence and privilege-related behaviors mentioned include creating Windows services, startup shortcut persistence, hijacking disabled driver services, enabling TESTSIGNING to load a driver component, and removing the TESTSIGNING watermark by modifying user32.dll.mui. The malware has also been reported to use valid user and administrator credentials and to create new administrator accounts to maintain presence, and to spread laterally via PsExec and SMB administrative shares.

The family is strongly associated in the content with Sandworm/GRU Unit 74455 and with attacks on Ukrainian government and critical infrastructure, especially the energy sector. BlackEnergy is repeatedly cited in relation to the 2015 Ukraine electric power attack and broader 2015-2016 attacks on Ukraine’s electric power grid, Ministry of Finance, and State Treasury Service. The content states that Sandworm deployed BlackEnergy to steal user credentials and used its destructive component KillDisk to render infected systems inoperable. CERT-UA and ESET reported BlackEnergy downloading and maintaining a Dropbear SSH backdoor and deploying KillDisk during the Ukraine attacks. KillDisk is described as deleting Windows Event Logs, damaging files, corrupting the master boot record, and rendering systems unbootable; BlackEnergy 2 also had a Destroy plug-in that overwrote file contents on victim hard drives. The content notes that BlackEnergy targeted specific vendor HMI products and that organizations with HMI systems directly connected to the Internet were especially susceptible.

High-confidence indicators and artifacts explicitly mentioned include the BlackEnergy 2 service name ACPIEC with registry entries under HKLM\SYSTEM\ControlSet001 and HKLM\SYSTEM\CurrentControlSet, randomly named .sys drivers placed in %windir%\System32\drivers, the BlackEnergy 3 dropper path %TMP%\vba_macro.exe, hidden core DLL storage under %APPDATA%\FONTCACHE.DAT, and persistence via %HOMEPATH%\Start Menu\Programs\Startup\<GUID>.lnk executing %windir%\System32\rundll32.exe "%APPDATA%\FONTCACHE.DAT",#1. Example C2 infrastructure in the content includes an HTTP request to /Microsoft/Update/KC074913.php on 5.149.254.114 and an example proxy connection to 5.79.80.166:443. The malware is also referenced as part of a broader BlackEnergy cluster from which GreyEnergy and TeleBots later emerged.
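The host and network artifacts listed above can be turned into a small detection check. The following is an added example (not code from Mallory or from any BlackEnergy report); it assumes a constructed Sysmon-style event schema and matches only the indicators quoted on this page.

```python
"""Match Sysmon-style host/network events against the BlackEnergy 2/3
artifacts quoted on this page. Event dicts and their field names are a
constructed, assumed schema, not any vendor's format."""
import re

# Indicators taken from the page text.
BE2_SERVICE_NAME = "acpiec"                                   # BE2 driver service
BE3_DROPPER = re.compile(r"\\temp\\vba_macro\.exe$", re.I)     # %TMP%\vba_macro.exe
BE3_CORE_DLL = re.compile(r"\\fontcache\.dat$", re.I)          # %APPDATA%\FONTCACHE.DAT
# Startup .lnk target: rundll32.exe "%APPDATA%\FONTCACHE.DAT",#1
BE3_RUNDLL32 = re.compile(r'rundll32\.exe\s+"[^"]*\\fontcache\.dat"\s*,\s*#1', re.I)
C2_URI = "/microsoft/update/kc074913.php"
C2_HOSTS = {"5.149.254.114", "5.79.80.166"}


def classify(ev: dict) -> list[str]:
    """Return the page-derived indicators matched by a single event."""
    hits = []
    kind = ev.get("type")
    if kind == "process_create":
        if BE3_RUNDLL32.search(ev.get("cmdline", "")):
            hits.append("BE3 persistence: rundll32 loading FONTCACHE.DAT,#1")
        if BE3_DROPPER.search(ev.get("image", "")):
            hits.append("BE3 dropper: vba_macro.exe written to %TMP%")
    elif kind == "file_create":
        if BE3_CORE_DLL.search(ev.get("path", "")) and ev.get("hidden"):
            hits.append("BE3 core DLL: hidden FONTCACHE.DAT under %APPDATA%")
    elif kind == "service_install":
        if ev.get("service", "").lower() == BE2_SERVICE_NAME:
            hits.append("BE2 driver service: ACPIEC")
    elif kind == "network_listen":
        # BE3 spawned iexplore.exe instances that listen on UDP as a backdoor.
        if ev.get("image", "").lower().endswith("\\iexplore.exe") and ev.get("proto") == "udp":
            hits.append("BE3 backdoor: iexplore.exe listening on UDP")
    elif kind == "http_request":
        if ev.get("dst_ip") in C2_HOSTS or ev.get("uri", "").lower() == C2_URI:
            hits.append("BE C2: known host or KC074913.php beacon path")
    return hits


def scan(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Run classify over an event stream and keep only events that matched."""
    return [(i, h) for i, ev in enumerate(events) if (h := classify(ev))]


# Constructed sample telemetry; user name, ports and driver name are made up.
SAMPLE_EVENTS = [
    {"type": "process_create", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'C:\Windows\System32\rundll32.exe "C:\Users\alice\AppData\Roaming\FONTCACHE.DAT",#1'},
    {"type": "process_create", "image": r"C:\Users\alice\AppData\Local\Temp\vba_macro.exe",
     "cmdline": "vba_macro.exe"},
    {"type": "file_create", "path": r"C:\Users\alice\AppData\Roaming\FONTCACHE.DAT", "hidden": True},
    {"type": "service_install", "service": "ACPIEC", "image_path": r"C:\Windows\System32\drivers\xkqmz.sys"},
    {"type": "network_listen", "image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "proto": "udp", "port": 6000},
    {"type": "http_request", "method": "POST", "dst_ip": "5.149.254.114",
     "uri": "/Microsoft/Update/KC074913.php"},
    {"type": "process_create", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": "rundll32.exe shell32.dll,Control_RunDLL"},                     # benign
    {"type": "network_listen", "image": r"C:\Windows\System32\svchost.exe", "proto": "udp", "port": 5355},
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS):
        print(idx, hits)
```

The two trailing benign events show that a generic rundll32 or UDP listener does not fire; only the page's specific DLL, argument and process combinations do.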


EXPLOITED CVES

Vulnerabilities exploited

2 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.

2 CVEs

CVE-2014-0751: Directory Traversal in GE Proficy HMI/SCADA CIMPLICITY CimWebServer (exploited in the wild)

Analysis of victim system artifacts has determined that the actors have been exploiting a vulnerability in GE’s Cimplicity HMI product since at least January 2012. The vulnerability, CVE-2014-0751, was published in ICS-CERT advisory ICSA-14-023-01 on January 23, 2014.

via CISA advisories (cisa.gov)

CVE-2014-4114: Sandworm Windows OLE Package Manager Remote Code Execution (exploited in the wild)

...a BlackEnergy-based campaign against a variety of overseas targets leveraging vulnerability CVE-2014-4114 (affecting Microsoft Windows and Windows Server 2008 and 2012). ICS-CERT has not observed the use of this vulnerability to target control system environments.

via CISA advisories (cisa.gov)
THREAT ACTORS

Groups observed using it

4 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

Sandworm

Sandworm's track record also includes a string of attacks – BlackEnergy, GreyEnergy and the first iteration of Industroyer – that targeted energy providers.

via ESET WeLiveSecurity blog (welivesecurity.com)
APT28

This group has been behind several cyber-attacks aimed at Ukraine in the past, such as the NotPetya ransomware outbreak, and the BlackEnergy attacks on Ukraine's power grid in 2015 and 2016.

via Bleeping Computer (bleepingcomputer.com)
Quedagh gang

"The malware, known as BlackEnergy, appears to have been used in cyberattacks against Georgia during the Russo-Georgian conflict of 2008 too, but has also been operated by criminals as a means to steal credit card data."

via The Guardian (web.archive.org)
russian_nation_state_cyber_actors

"ICS-CERT has identified a sophisticated malware campaign that has compromised numerous industrial control systems (ICSs) environments using a variant of the BlackEnergy malware... can confirm that a BlackEnergy 3 variant was present in the system."

via CISA advisories (cisa.gov)
MITRE ATT&CK

Techniques & procedures

34 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

3 techniques
T1133 External Remote Services (Evidence: 1)

the defendants and their co-conspirators deployed destructive malware and took other disruptive actions, for the strategic benefit of Russia, through unauthorized access to victim computers (hacking).

T1566 Phishing (Evidence: 1)

Recent versions of the toolkit use social engineering to trick a user into opening an email or a document attachment that drops a Trojan or infected legitimate executable file on the target computer...

T1566.001 Spearphishing Attachment (Evidence: 2)

Sometimes threat actors will plan a multi-pronged attack. For example, an intruder may decide to use a targeted spear-phishing attack to infiltrate the corporate network and use it as a vector into the control system architecture.

Execution

4 techniques
T1047 Windows Management Instrumentation (Evidence: 1)
Tactic: Execution

The content repeatedly describes threat actors and malware using WMI/WMIC/wmiexec for remote execution, lateral movement, discovery, persistence, and administrative actions; e.g., 'APT41 used WMI in several ways, including for execution of commands via WMIEXEC as well as for persistence via PowerSploit' and 'Scattered Spider used Windows Management Instrumentation (WMI) to move laterally via Impacket.'

T1059.003 Windows Command Shell (Evidence: 1)
Tactic: Execution

The malware can infect a system by exploiting a standard feature in Windows that elevates the user privilege of a system file, allowing execution of the command executable with administrative privilege...

T1204.002 Malicious File (Evidence: 1)
Tactic: Execution

The report indicates users opened attacker-supplied files that initiated compromise, consistent with document-based infection used alongside BlackEnergy.

T1574.010 Services File Permissions Weakness (Evidence: 1)

One variant of BlackEnergy locates existing driver services that have been disabled and drops its driver component into one of those service's paths, replacing the legitimate executable. The malware then sets the hijacked service to start automatically to establish persistence.

Persistence

4 techniques
T1133 External Remote Services (Evidence: 1)

the defendants and their co-conspirators deployed destructive malware and took other disruptive actions, for the strategic benefit of Russia, through unauthorized access to victim computers (hacking).

T1543.003 Windows Service (Evidence: 1)

One variant of BlackEnergy creates a new service using either a hard-coded or randomly generated name.

T1547.001 Registry Run Keys / Startup Folder (Evidence: 4)

The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, or .lnk files in the Startup folder. | Examples include malware copied to '%AppData%\Microsoft\Windows\Start Menu\Programs\Startup', creation of '.lnk' shortcuts in Startup, and scripts or batch files placed in Startup folders.

T1547.009 Shortcut Modification (Evidence: 2)

The content repeatedly notes creation of '.lnk shortcut' files in the Startup folder, such as BACKSPACE creating a shortcut in CSIDL_STARTUP, DarkGate creating an LNK object in the victim startup folder, and Operation Dream Job placing LNK files into victims' startup folder.

Privilege Escalation

T1055 Process Injection (Evidence: 1)

The content repeatedly describes adversaries and malware injecting code, shellcode, DLLs, or payloads into legitimate processes such as svchost.exe, explorer.exe, iexplore.exe, wuauclt.exe, lsass.exe, and browser processes.

T1068 Exploitation for Privilege Escalation (Evidence: 1)

The malware can infect a system by exploiting a standard feature in Windows that elevates the user privilege of a system file, allowing execution of the command executable with administrative privilege—even if the user is not a member of the administrator group.

T1543.003 Windows Service (Evidence: 1)

One variant of BlackEnergy creates a new service using either a hard-coded or randomly generated name.

T1547.001 Registry Run Keys / Startup Folder (Evidence: 4)

The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, or .lnk files in the Startup folder. | Examples include malware copied to '%AppData%\Microsoft\Windows\Start Menu\Programs\Startup', creation of '.lnk' shortcuts in Startup, and scripts or batch files placed in Startup folders.

T1547.009 Shortcut Modification (Evidence: 2)

The content repeatedly notes creation of '.lnk shortcut' files in the Startup folder, such as BACKSPACE creating a shortcut in CSIDL_STARTUP, DarkGate creating an LNK object in the victim startup folder, and Operation Dream Job placing LNK files into victims' startup folder.

T1548 Abuse Elevation Control Mechanism (Evidence: 2)

The malware can infect a system by exploiting a standard feature in Windows that elevates the user privilege of a system file...

Stealth

4 techniques
T1055 Process Injection (Evidence: 1)

The content repeatedly describes adversaries and malware injecting code, shellcode, DLLs, or payloads into legitimate processes such as svchost.exe, explorer.exe, iexplore.exe, wuauclt.exe, lsass.exe, and browser processes.

T1070 Indicator Removal (Evidence: 1)
Tactic: Stealth

BlackEnergy has removed the watermark associated with enabling the TESTSIGNING boot configuration option by removing the relevant strings in the user32.dll.mui of the system.

T1218 System Binary Proxy Execution (Evidence: 1)
Tactic: Stealth

Malware families such as CrashOverride and BlackEnergy, among others, demonstrate the ability to disrupt physical processes, while living-off-the-land (LOTL) techniques allow attackers to blend into normal operations.

T1574.010 Services File Permissions Weakness (Evidence: 1)

One variant of BlackEnergy locates existing driver services that have been disabled and drops its driver component into one of those service's paths, replacing the legitimate executable. The malware then sets the hijacked service to start automatically to establish persistence.

T1222 File and Directory Permissions Modification (Evidence: 1)

BlackEnergy has removed the watermark associated with enabling the TESTSIGNING boot configuration option by removing the relevant strings in the user32.dll.mui of the system.

Credential Access

4 techniques
T1056.001 Keylogging (Evidence: 1)

BlackEnergy has run a keylogger plug-in on a victim.

T1552.001 Credentials In Files (Evidence: 1)

BlackEnergy has used a plug-in to gather credentials stored in files on the host by various software programs, including The Bat! email client, Outlook, and Windows Credential Store.

T1555 Credentials from Password Stores (Evidence: 1)

AADInternals can gather unsecured credentials for Azure AD services, such as Azure AD Connect, from a local machine. Agent Tesla has the ability to extract credentials from configuration or support files. APT3 has a tool that can locate credentials in files on the file system such as those from Firefox or Chrome.

T1555.003 Credentials from Web Browsers (Evidence: 1)

The content repeatedly describes threat actors and malware stealing usernames, passwords, cookies, session tokens, and other saved credentials from web browsers such as Chrome, Firefox, Internet Explorer, Edge, Opera, Safari, and Yandex.

Discovery

7 techniques
T1016 System Network Configuration Discovery (Evidence: 1)
Tactic: Discovery

The content repeatedly describes actors and malware using commands and APIs such as ipconfig /all, ifconfig, arp -a, route print, netsh interface show, GetAdaptersInfo, and GetIpNetTable to gather IP addresses, MAC addresses, DNS, DHCP, gateways, routing tables, ARP cache, proxy settings, and network adapter/interface details.

T1018 Remote System Discovery (Evidence: 1)
Tactic: Discovery

BlackEnergy has gathered information about network IP configurations using ipconfig.exe and about routing tables using route.exe.

T1046 Network Service Discovery (Evidence: 2)
Tactic: Discovery

The content repeatedly describes threat actors and malware performing network scanning, port scanning, service enumeration, OS fingerprinting, and identifying open ports/services across victim environments.

T1057 Process Discovery (Evidence: 2)
Tactic: Discovery

The content repeatedly describes malware and threat actors obtaining lists of running processes, using utilities such as tasklist, ps, WMI, Get-Process, CreateToolhelp32Snapshot, EnumProcesses, and similar APIs/commands to enumerate active processes on victim systems.

T1082 System Information Discovery (Evidence: 3)
Tactic: Discovery

The content repeatedly describes malware and threat actors collecting host details such as OS version, hostname, architecture, CPU, memory, BIOS, domain, language, and other configuration data; e.g., "APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information."

T1083 File and Directory Discovery (Evidence: 1)
Tactic: Discovery

BlackEnergy gathers a list of installed apps from the uninstall program Registry. It also gathers registered mail, browser, and instant messaging clients from the Registry. BlackEnergy has searched for given file types.

T1120 Peripheral Device Discovery (Evidence: 1)
Tactic: Discovery

The content repeatedly describes malware and threat actors identifying, monitoring, or enumerating connected peripheral devices such as USB mass storage, Bluetooth devices, printers, smart card readers, cameras, Apple devices, VGA/display devices, and removable drives.

Lateral Movement

1 technique
T1021 Remote Services (Evidence: 1)

The report notes that adversaries are exploiting weak segmentation, compromised credentials and supply chain vulnerabilities to pivot from IT into OT networks.

Collection

1 technique
T1056.001 Keylogging (Evidence: 1)

BlackEnergy has run a keylogger plug-in on a victim.

Command and Control

T1008 Fallback Channels (Evidence: 1)

BlackEnergy has the capability to communicate over a backup channel via plus.google.com.

T1071.001 Web Protocols (Evidence: 2)

The content repeatedly describes threat actors, malware, and campaigns using HTTP and/or HTTPS for command and control, including examples such as BlackEnergy communicating with C2 over HTTP POST requests and many other families using HTTP/S for C2.

T1105 Ingress Tool Transfer (Evidence: 2)

a command and control component executes... to obtain additional attack modules that search out additional resources within the network for new targets of opportunity.

Impact

3 techniques
T1485 Data Destruction (Evidence: 5)
Tactic: Impact

According to the indictment, beginning in or around November 2015 and continuing until at least in or around October 2019, the defendants and their co-conspirators deployed destructive malware and took other disruptive actions ... Their computer attacks used some of the world’s most destructive malware to date, including: KillDisk and Industroyer ... NotPetya ... and Olympic Destroyer

T1498 Network Denial of Service (Evidence: 1)
Tactic: Impact

According to a study by Arbor Networks titled “Politically Motivated Distributed Denial of Service Attacks,” the pro-Kremlin youth group Nashi was allegedly involved in a DDoS attack against Estonia... The study also found that during the brief Russo-Georgian war, a DDoS attack was launched in sync with Russian tanks from various BlackEnergy-based botnets.

T1499 Endpoint Denial of Service (Evidence: 1)
Tactic: Impact

BlackEnergy was originally designed to be an HTTP-based botnet to perform DDoS attacks... This page contains instructions regarding the commands supported by the malware: flood: starts a DDoS attack (ICMP, SYN, TCP/UDP, HTTP)
