BlackEnergy
BlackEnergy is a family of Windows malware first reported in 2007 as an HTTP-based toolkit that generated bots to execute distributed denial of service (DDoS) attacks. In 2010, BlackEnergy 2 emerged with capabilities beyond DDoS. In 2014, BlackEnergy 3 came equipped with a variety of plug-ins. A Russia-based group known as Sandworm (aka Voodoo Bear) has been attributed with using BlackEnergy in targeted attacks. The malware is distributed as a Word or PowerPoint attachment to an email, luring victims into opening the seemingly legitimate file.


BlackEnergy 1 (BE1)

BlackEnergy's code facilitates different attack types to infect target machines. It is also equipped with server-side scripts which the perpetrators can develop on the command and control (C&C) server. Cybercriminals use the BlackEnergy bot builder toolkit to generate customized bot client executable files that are then distributed to targets via email spam and phishing e-mail campaigns. BE1 lacks exploit functionality of its own and relies on external tools to load the bot. BlackEnergy can be detected using the YARA signatures provided by the United States Department of Homeland Security (DHS).


Key features

* Can target more than one IP address per hostname
* Has a runtime encrypter to evade detection by antivirus software
* Hides its processes in a system driver (syssrv.sys)


Command types

* DDoS attack commands (e.g. ICMP flood, TCP SYN flood, UDP flood, HTTP GET flood, DNS flood)
* Download commands to retrieve and launch new or updated executables from its server
* Control commands (e.g. stop, wait, or die)


BlackEnergy 2 (BE2)

BlackEnergy 2 uses sophisticated rootkit/process-injection techniques, robust encryption, and a modular architecture. Its "dropper" decrypts and decompresses the rootkit driver binary and installs it on the victim machine as a service with a randomly generated name. As an update to BlackEnergy 1, it combines older rootkit source code with new functions for unpacking and injecting modules into user processes. Packed content is compressed using the LZ77 algorithm and encrypted using a modified version of the RC4 stream cipher. A hard-coded 128-bit key decrypts embedded content. For decrypting network traffic, the cipher uses the bot's unique identification string as the key. A second variation of the encryption/compression scheme adds an initialization vector to the modified RC4 cipher for additional protection in the dropper and the rootkit unpacking stub, but is not used in the inner rootkit or in the userspace modules. The primary modification to the RC4 implementation in BlackEnergy 2 lies in the key-scheduling algorithm. In practice this means a stock RC4 implementation will not decrypt BE2 data even when the correct key is known; the modified schedule has to be recovered from the binary first.
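A worked illustration of the key-schedule point, added here and not taken from the malware or from any published analysis of it: stock RC4 written with the key-scheduling algorithm (KSA) and the keystream generator (PRGA) separated, so that a recovered variant schedule can be substituted without touching the rest, together with the two key choices the page describes (a hard-coded 128-bit key for embedded content, the bot's ID string for traffic). The variant schedule, the IV handling, the key bytes and the bot ID used below are constructed placeholders, not BlackEnergy 2's real values.

```python
"""RC4 with a pluggable key schedule, as an analyst would use it to recover
BlackEnergy 2 style packed content.  Added illustration, not BlackEnergy code."""


def rc4_ksa(key: bytes) -> list:
    """Standard RC4 key-scheduling algorithm (KSA)."""
    if not key:
        raise ValueError("empty key")
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def rc4_prga(s: list, n: int) -> bytes:
    """Standard RC4 pseudo-random generation: n keystream bytes from state s."""
    s = s[:]               # do not mutate the caller's state
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def rc4_crypt(key: bytes, data: bytes, ksa=rc4_ksa) -> bytes:
    """Encrypt/decrypt (RC4 is symmetric).  `ksa` lets a recovered, modified
    key schedule be dropped in without changing the PRGA."""
    return bytes(a ^ b for a, b in zip(data, rc4_prga(ksa(key), len(data))))


def variant_ksa(key: bytes) -> list:
    """HYPOTHETICAL modified schedule, shown only to demonstrate how a
    recovered variant is slotted in: here the key is walked backwards.
    This is NOT the actual BlackEnergy 2 modification, which the page does
    not specify; the real schedule has to be lifted from the binary."""
    return rc4_ksa(key[::-1])


def rc4_with_iv(key: bytes, iv: bytes, data: bytes, ksa=rc4_ksa) -> bytes:
    """Model of the IV-bearing variant.  ASSUMPTION: the IV is simply
    prepended to the key (WEP-style); the page does not describe BE2's
    actual IV handling."""
    return rc4_crypt(iv + key, data, ksa)


# --- constructed demonstration data (not real BlackEnergy material) ---
EMBEDDED_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # 128-bit, "hard-coded"
BOT_ID = b"BOT-0001-CONSTRUCTED"                                  # per-bot ID string


def demo() -> dict:
    """Round-trip both key choices the page describes:
    hard-coded key for embedded content, bot-ID string for C2 traffic."""
    config = b"constructed plug-in config blob"
    beacon = b"constructed C2 beacon"
    packed_config = rc4_crypt(EMBEDDED_KEY, config, variant_ksa)
    traffic = rc4_crypt(BOT_ID, beacon, variant_ksa)
    return {
        "config": rc4_crypt(EMBEDDED_KEY, packed_config, variant_ksa),
        "beacon": rc4_crypt(BOT_ID, traffic, variant_ksa),
        # stock RC4 against the variant-packed blob: right key, wrong schedule
        "stock_rc4_wrong": rc4_crypt(EMBEDDED_KEY, packed_config) != config,
    }


if __name__ == "__main__":
    print(demo())
```

The split between `rc4_ksa` and `rc4_prga` is the practical point: when reversing a sample, the PRGA almost always survives unchanged and only the schedule differs, so the schedule is the part to diff against the textbook loop and re-implement.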


Capabilities

* Can execute local files
* Can download and execute remote files
* Updates itself and its plug-ins from the command and control servers
* Can execute die or destroy commands


BlackEnergy 3 (BE3)

The latest full version of BlackEnergy emerged in 2014. The changes simplified the malware code: this version's installer drops the main dynamically linked library (DLL) component directly into the local application data folder. This variant of the malware was involved in the December 2015 Ukraine power grid cyberattack, in which the power grid in two western oblasts of Ukraine was hacked, resulting in power outages for roughly 230,000 consumers for 1-6 hours.


Plug-ins

* fs.dll — File system operations
* si.dll — System information, "BlackEnergy Lite"
* jn.dll — Parasitic infector
* ki.dll — Keystroke logging
* ps.dll — Password stealer
* ss.dll — Screenshots
* vs.dll — Network discovery, remote execution
* tv.dll — TeamViewer
* rd.dll — Simple pseudo "remote desktop"
* up.dll — Update malware
* dc.dll — List Windows accounts
* bs.dll — Query system hardware, BIOS, and Windows info
* dstr.dll — Destroy system
* scan.dll — Network scan
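As an added example (not the DHS signatures and not code from the malware), a triage scanner in Python that looks for the plug-in names listed above and the BE1 driver name in a file image, in both ASCII and UTF-16LE since Windows binaries store such names either way, and flags the image once several distinct plug-in names co-occur, the way a YARA "N of them" condition would. The hit threshold, the word-boundary rule and the sample images are constructed assumptions.

```python
"""Triage scan for BlackEnergy plug-in names in a file image.  Added
illustration in the spirit of the DHS YARA signatures; it is not the DHS rule
set and not BlackEnergy code.  Threshold and sample bytes are constructed."""

import re

# Plug-in file names listed on this page, plus the BE1 rootkit driver name.
PLUGIN_NAMES = [
    "fs.dll", "si.dll", "jn.dll", "ki.dll", "ps.dll", "ss.dll", "vs.dll",
    "tv.dll", "rd.dll", "up.dll", "dc.dll", "bs.dll", "dstr.dll", "scan.dll",
]
DRIVER_NAME = "syssrv.sys"

# A legitimate binary may mention one short name like "fs.dll"; a plug-in
# loader carries its whole table.  Three distinct names is the ASSUMED
# threshold, chosen like YARA's "3 of them", not a published figure.
MIN_DISTINCT_HITS = 3


def _patterns(name: str):
    """ASCII and UTF-16LE encodings, ASCII-case-insensitive, with a
    word-boundary lookbehind so 'vs.dll' does not fire inside 'msvs.dll'."""
    ascii_re = re.compile(rb"(?<![A-Za-z0-9_])" + re.escape(name.encode("ascii")), re.I)
    wide_re = re.compile(rb"(?<![A-Za-z0-9_]\x00)" + re.escape(name.encode("utf-16-le")), re.I)
    return ascii_re, wide_re


def scan_bytes(data: bytes) -> dict:
    """Return {name: [offsets]} for every plug-in/driver name found in data,
    in either encoding."""
    hits = {}
    for name in PLUGIN_NAMES + [DRIVER_NAME]:
        offsets = []
        for pat in _patterns(name):
            offsets.extend(m.start() for m in pat.finditer(data))
        if offsets:
            hits[name] = sorted(offsets)
    return hits


def verdict(data: bytes) -> tuple:
    """(suspicious, distinct_plugin_hits, hits).  The driver name alone is
    reported but does not count toward the plug-in threshold."""
    hits = scan_bytes(data)
    plugin_hits = [n for n in hits if n != DRIVER_NAME]
    return len(plugin_hits) >= MIN_DISTINCT_HITS, len(plugin_hits), hits


def scan_file(path: str) -> tuple:
    """Convenience wrapper for a file on disk."""
    with open(path, "rb") as f:
        return verdict(f.read())


# --- constructed sample images (not real malware) ---
SAMPLE_LOADER = (
    b"MZ\x90\x00" + b"\x00" * 32
    + "ps.dll".encode("utf-16-le") + b"\x00\x00"
    + "KI.DLL".encode("utf-16-le") + b"\x00\x00"
    + b"\x00" * 8 + b"dstr.dll\x00" + b"\x00" * 8 + b"syssrv.sys\x00"
)
SAMPLE_BENIGN = b"MZ\x90\x00" + b"\x00" * 16 + b"msvs.dll\x00ntdll.dll\x00"

if __name__ == "__main__":
    for label, img in (("loader", SAMPLE_LOADER), ("benign", SAMPLE_BENIGN)):
        print(label, verdict(img))
```

Two caveats a practitioner would want: the plug-in table may only exist in memory after the RC4/LZ77 unpacking described under BE2, so a scan of the packed file on disk can miss it, and a scan of a memory dump or unpacked image is the better target; and short names like "fs.dll" are weak on their own, which is why the verdict keys on several distinct names rather than any one.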

