blackenergy.md

File metadata and controls

81 lines (63 loc) · 4.22 KB
ID X0002
Aliases None
Platforms Windows
Year 2007
Associated ATT&CK Software BlackEnergy

# BlackEnergy

An HTTP-based botnet used mostly for DDoS attacks. [1]

## ATT&CK Techniques

See ATT&CK: BlackEnergy - Techniques Used.

## Enhanced ATT&CK Techniques

| Name | Use |
|---|---|
| Defense Evasion::Process Injection::Injection using Shims (E1055.m05) | Bypasses UAC using a Shim Database that instructs SndVol.exe to execute cmd.exe instead, allowing for elevated execution [1] |
| Defense Evasion::Install Insecure or Malicious Configuration (E1479) | Enables the TESTSIGNING boot configuration option so that its unsigned driver component can be loaded [1] |
| Defense Evasion::Indicator Blocking (F0006) | Clears Windows event logs and removes the watermark associated with enabling the TESTSIGNING boot configuration option by removing the relevant strings from the system's user32.dll.mui [1] |
| Persistence::Modify Existing Service (F0011) | Locates an inactive driver service to hijack and sets it to start automatically [1] |
| Defense Evasion::Process Injection (E1055) | Injects its DLL component into svchost.exe [1] |
| Discovery::System Information Discovery (E1082) | Uses systeminfo to gather the OS version, system configuration, BIOS, motherboard, and processor [1] |
| Collection::Keylogging (F0002) | Keylogger plugin allows for collection of keystrokes [2] |
| Collection::Screen Capture (E1113) | Screenshot plugin allows for collection of screenshots [2] |
| Persistence::Registry Run Keys / Startup Folder (F0012) | BlackEnergy 3 variant drops its main DLL component and then creates a .lnk shortcut to that file in the startup folder [1] |
| Impact::Data Destruction (E1485) | BlackEnergy 2 variant contains a Destroy plugin that destroys data stored on victim hard drives by overwriting file contents [3] |

## MBC Behaviors

| Name | Use |
|---|---|
| Impact::Denial of Service (B0033) | Originally built to launch distributed denial of service attacks that can target more than one IP address per hostname [1] |
| Execution::Remote Commands (B0011) | Infected bots receive commands from the botmaster to load plugins associated with the botmaster's goals [1] |

## Indicators of Compromise

### SHA256 Hashes

- e791718c0141e3829608142fb0f0d35c9af270f78ae0b72fce2edd07a9684568
- d841d9092239fc029b10da01c19868749b0f6bd757926ff04674658468495808
- bc062acda428f55782710f9c4f2df88c26dfbc004b94b479459f8572b1219444
- 16d68b740b5d9aa60929e39fd616d31be2c8528d0f1e58db4cbb16976f7cd725
- af62f29ac01e8335bf41c02c1460ebafcbaf94956b1001f7d515eecf63cea4f2
- 47aea6a4e1da1fb8b454c038c21736bee53d59d095a4f5b866d5dd8158fead41
- 4b2efcda5269f4b80dc417a2b01332185f2fafabd8ba7114fa0306baaab5a72d
- b1ca89de93a1d9bf17cdbf8a3c61e7f52f275a3bcbbd285d35d6a40c45dde9bd
- 951e5623c20d4e9ab158fe105436389dbf61327b2c87b7fb36f8ad3ff5ad9bde
- f8b974cf978a3828aeb9b83fc48645da576e4b90dd47c2b82a46f6c14665a9e5
- 91f72808aaed45a76ff1044a23fd6df4b7ab7ace292725522518feb9c0b8574e
- 2aade7381aa87f55b7d7a5284d22be5472fd8cd966d216fd4445ca3a8bbb3ff3
- 01425582aa5001342b985270a365fd92d909be011384247e81872bff586fa142

## References

[1] https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf

[2] https://securelist.com/be2-custom-plugins-router-abuse-and-target-profiles/67353/

[3] https://securelist.com/be2-extraordinary-plugins-siemens-targeting-dev-fails/68838/