Description
[BlackEnergy](https://attack.mitre.org/software/S0089) is a malware toolkit that has been used by both criminal and APT actors. It dates back to at least 2007 and was originally designed to build botnets for conducting Distributed Denial of Service (DDoS) attacks, but its use has since evolved to support a range of plug-ins. It is well known for its use during the confrontation between Georgia and Russia in 2008, as well as in attacks targeting Ukrainian institutions. Variants include BlackEnergy 2 and BlackEnergy 3. (Citation: F-Secure BlackEnergy 2014)
Techniques Used by This Malware
- T1008 — Fallback Channels
- T1016 — System Network Configuration Discovery
- T1021.002 — SMB/Windows Admin Shares
- T1046 — Network Service Discovery
- T1047 — Windows Management Instrumentation
- T1049 — System Network Connections Discovery
- T1055.001 — Dynamic-link Library Injection
- T1056.001 — Keylogging
- T1057 — Process Discovery
- T1070 — Indicator Removal
- T1070.001 — Clear Windows Event Logs
- T1071.001 — Web Protocols
- T1082 — System Information Discovery
- T1083 — File and Directory Discovery
- T1113 — Screen Capture
- T1120 — Peripheral Device Discovery
- T1485 — Data Destruction
- T1543.003 — Windows Service
- T1547.001 — Registry Run Keys / Startup Folder
- T1547.009 — Shortcut Modification
- T1548.002 — Bypass User Account Control
- T1552.001 — Credentials In Files
- T1553.006 — Code Signing Policy Modification
- T1555.003 — Credentials from Web Browsers
- T1574.010 — Services File Permissions Weakness