BlackEnergy

the defendants and their co-conspirators deployed destructive malware and took other disruptive actions, for the strategic benefit of Russia, through unauthorized access to victim computers (hacking).

In December 2015, the lights went out for roughly 225,000 people in western Ukraine. The attackers did not start on the plant floor, they started months earlier with a spear-phishing email to the IT side of three regional electricity distributors...

Sometimes threat actors will plan a multi-pronged attack. For example, an intruder may decide to use a targeted spear-phishing attack to infiltrate the corporate network and use it as a vector into the control system architecture.

The content repeatedly describes threat actors and malware using WMI/WMIC/wmiexec for remote execution, lateral movement, discovery, persistence, and administrative actions; e.g., 'APT41 used WMI in several ways, including for execution of commands via WMIEXEC as well as for persistence via PowerSploit' and 'Scattered Spider used Windows Management Instrumentation (WMI) to move laterally via Impacket.'

The malware can infect a system by exploiting a standard feature in Windows that elevates the user privilege of a system file, allowing execution of the command executable with administrative privilege...

One variant of BlackEnergy locates existing driver services that have been disabled and drops its driver component into one of those service's paths, replacing the legitimate executable. The malware then sets the hijacked service to start automatically to establish persistence.

the defendants and their co-conspirators deployed destructive malware and took other disruptive actions, for the strategic benefit of Russia, through unauthorized access to victim computers (hacking).

During the 2016 Ukraine Electric Power Attack, Sandworm Team used an arbitrary system service to load at system boot for persistence for Industroyer. They also replaced the ImagePath registry value of a Windows service with a new backdoor binary.

The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, or .lnk files in the Startup folder. | Examples include malware copied to '%AppData%\Microsoft\Windows\Start Menu\Programs\Startup', creation of '.lnk' shortcuts in Startup, and scripts or batch files placed in Startup folders.

The content repeatedly notes creation of '.lnk shortcut' files in the Startup folder, such as BACKSPACE creating a shortcut in CSIDL_STARTUP, DarkGate creating an LNK object in the victim startup folder, and Operation Dream Job placing LNK files into victims' startup folder.

The content repeatedly describes adversaries and malware injecting code, shellcode, DLLs, or payloads into legitimate processes such as svchost.exe, explorer.exe, iexplore.exe, wuauclt.exe, lsass.exe, and browser processes.

The malware can infect a system by exploiting a standard feature in Windows that elevates the user privilege of a system file, allowing execution of the command executable with administrative privilege—even if the user is not a member of the administrator group.

During the 2016 Ukraine Electric Power Attack, Sandworm Team used an arbitrary system service to load at system boot for persistence for Industroyer. They also replaced the ImagePath registry value of a Windows service with a new backdoor binary.

The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, or .lnk files in the Startup folder. | Examples include malware copied to '%AppData%\Microsoft\Windows\Start Menu\Programs\Startup', creation of '.lnk' shortcuts in Startup, and scripts or batch files placed in Startup folders.

The content repeatedly notes creation of '.lnk shortcut' files in the Startup folder, such as BACKSPACE creating a shortcut in CSIDL_STARTUP, DarkGate creating an LNK object in the victim startup folder, and Operation Dream Job placing LNK files into victims' startup folder.

The malware can infect a system by exploiting a standard feature in Windows that elevates the user privilege of a system file...

The content repeatedly describes adversaries and malware injecting code, shellcode, DLLs, or payloads into legitimate processes such as svchost.exe, explorer.exe, iexplore.exe, wuauclt.exe, lsass.exe, and browser processes.

BlackEnergy has removed the watermark associated with enabling the TESTSIGNING boot configuration option by removing the relevant strings in the user32.dll.mui of the system.

Malware families such as CrashOverride and BlackEnergy, among others, demonstrate the ability to disrupt physical processes, while living-off-the-land (LOTL) techniques allow attackers to blend into normal operations.

One variant of BlackEnergy locates existing driver services that have been disabled and drops its driver component into one of those service's paths, replacing the legitimate executable. The malware then sets the hijacked service to start automatically to establish persistence.

BlackEnergy has removed the watermark associated with enabling the TESTSIGNING boot configuration option by removing the relevant strings in the user32.dll.mui of the system.

AADInternals can gather unsecured credentials for Azure AD services, such as Azure AD Connect, from a local machine. Agent Tesla has the ability to extract credentials from configuration or support files. APT3 has a tool that can locate credentials in files on the file system such as those from Firefox or Chrome.

The content repeatedly describes threat actors and malware stealing usernames, passwords, cookies, session tokens, and other saved credentials from web browsers such as Chrome, Firefox, Internet Explorer, Edge, Opera, Safari, and Yandex.

The content repeatedly describes malware and threat actors using commands and APIs such as ipconfig /all, ifconfig, arp -a, route print, nbtstat, netsh, GetAdaptersInfo, and GetIpNetTable to gather IP addresses, MAC addresses, DNS, DHCP, gateways, routing tables, ARP cache, proxy settings, domains, and network adapter/interface details.

BlackEnergy has gathered information about network IP configurations using ipconfig.exe and about routing tables using route.exe.

The content repeatedly describes threat actors and malware performing network scanning, port scanning, service enumeration, OS fingerprinting, and identifying open ports/services across victim environments.

The content repeatedly describes malware and threat actors obtaining lists of running processes, using utilities such as tasklist, ps, WMI, Get-Process, CreateToolhelp32Snapshot, EnumProcesses, and similar APIs/commands to enumerate active processes on victim systems.

The content repeatedly describes malware and threat actors collecting host details such as OS version, hostname, architecture, CPU, memory, BIOS, domain, language, and other configuration data; e.g., "APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information."

The content repeatedly describes malware and threat actors listing files and directories, enumerating drives, searching for files by extension/name/path, retrieving file metadata, and browsing file systems (for example: "APT28 has used Forfiles to locate PDF, Excel, and Word documents during collection" and "cmd can be used to find files and directories with native functionality such as dir commands").

The content repeatedly describes malware and threat actors identifying, monitoring, or enumerating connected peripheral devices such as USB mass storage, Bluetooth devices, printers, smart card readers, cameras, Apple devices, VGA/display devices, and removable drives.

The report notes that adversaries are exploiting weak segmentation, compromised credentials and supply chain vulnerabilities to pivot from IT into OT networks.

BlackEnergy has the capability to communicate over a backup channel via plus.google.com.

The content repeatedly describes threat actors and malware using HTTP and HTTPS for command and control, such as: "Sandworm Team used BlackEnergy to communicate between compromised hosts and their command-and-control servers via HTTP post requests."

a command and control component executes... to obtain additional attack modules that search out additional resources within the network for new targets of opportunity.

According to the indictment, beginning in or around November 2015 and continuing until at least in or around October 2019, the defendants and their co-conspirators deployed destructive malware and took other disruptive actions ... Their computer attacks used some of the world’s most destructive malware to date, including: KillDisk and Industroyer ... NotPetya ... and Olympic Destroyer

According to a study by Arbor Networks titled “Politically Motivated Distributed Denial of Service Attacks,” the pro-Kremlin youth group Nashi was allegedly involved in a DDoS attack against Estonia... The study also found that during the brief Russo-Georgian war, a DDoS attack was launched in sync with Russian tanks from various BlackEnergy-based botnets.

BlackEnergy was originally designed to be an HTTP-based botnet to perform DDoS attacks... This page contains instructions regarding the commands supported by the malware: flood: starts a DDoS attack (ICMP, SYN, TCP/UDP, HTTP)