Norton Santos

Detecting BlackEnergy using Security Analytics

Discussion created by Norton Santos Employee on Mar 23, 2016

BlackEnergy is a modular backdoor that can be used for several purposes, such as espionage and downloading destructive components to compromise target systems. The BlackEnergy malware family has been around since 2007; it started as an HTTP-based botnet for DDoS attacks.



It evolved into BlackEnergy2, a driver-component-based rootkit installed as a backdoor, and has now evolved into its latest version, BlackEnergy3, which is behind the recent attacks by cybercriminals against the Ukrainian electrical power industry.


The malware spreads mainly through targeted phishing e-mails carrying Microsoft Office files with malicious VBA macros as attachments.



BlackEnergy has a modular architecture that supports several plugins, which it uses to download and keep running both backdoors (such as variants of the Dropbear SSH backdoor) and various other plugins (such as KillDisk, a new destructive plugin used in the recent Ukraine attacks).


In this blog post, we will discuss how to detect its C2 beaconing activity.

Once the malware is installed on the target system, the backdoor listens for and communicates with the remote C2 server.


Following is an example of an HTTP request sent from the malware to the C2:


POST /Microsoft/Update/KC074913.php HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Content-Length: 143
Connection: Keep-Alive




The request body contains Base64-encoded data describing the bot and the operating system.




Following is an example of a C2 response sent to the malware:


HTTP/1.1 200 OK
Server: nginx
Date: Tue, 24 Mar 2015 09:44:21 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=5
X-Powered-By: PHP/5.3.3




The C2 response body is encrypted.

Different malware variants may use different directories or filenames in the URL, for example:


URL: http://<ip address>:80/osupdate/getcfg.php
USER AGENT: iexplorer8.0

URL: http://<ip address>:80/update/check.php
USER AGENT: iexplorer8.0

URL: http://<ip address>/551/getcfg.php
USER AGENT: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en)


Other samples have the ability to use HTTP CONNECT tunneling to reach the C2 through proxy servers, as can be seen in the following CONNECT request:


CONNECT <ip address>:443 HTTP/1.0
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Content-Length: 0
Proxy-Connection: Keep-Alive
Pragma: no-cache


The screenshot below shows the network activity in RSA Security Analytics investigator:



Assuming the appropriate meta keys are enabled, this post suggests the following query to detect the malware activity:

= 'http direct to ip request' &&
= 'http1.1 without connection header' &&
service=80 &&
extension=php &&
referer !exists &&
action=put &&
content='application/x-www-form-urlencoded'


This query is generic: it may also catch traffic that is suspicious but does not belong to BlackEnergy, since the directory and filenames vary from sample to sample.
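As an added illustration (not code from the original post or from RSA Security Analytics), the following Python applies the same seven clauses of the query to raw HTTP requests and reports which clause a session fails, which helps when tuning the generic rule. It assumes a Host header is present, reads 'http direct to ip request' as a bare-IP Host value and 'http1.1 without connection header' as an HTTP/1.1 request with no Connection header; the two requests are constructed samples, the first modelled on the beacon shown above.

```python
import ipaddress
import posixpath
from urllib.parse import urlsplit

# Constructed samples: BEACON mirrors the beacon above (bare-IP Host, no Connection header); FORM_POST is ordinary traffic.
BEACON = (
    "POST /Microsoft/Update/KC074913.php HTTP/1.1\r\n"
    "Host: 192.0.2.10\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 143\r\n\r\n"
)
FORM_POST = (
    "POST /login.php HTTP/1.1\r\n"
    "Host: intranet.example.com\r\n"
    "Referer: http://intranet.example.com/login.php\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Connection: keep-alive\r\n\r\n"
)

def parse_request(raw):
    """Split a raw HTTP request into (method, path, version, headers); header names are lower-cased."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    method, path, version = head[0].split(" ", 2)
    headers = {}
    for line in head[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, version, headers

def host_is_ip(host):  # True when Host is a bare IP literal; an optional :port is ignored
    try:
        ipaddress.ip_address(host.split(":")[0])
        return True
    except ValueError:
        return False

def failed_clauses(raw, dst_port=80):
    """Return the names of the query clauses this request does NOT satisfy; an empty list is a hit."""
    method, path, version, h = parse_request(raw)
    ext = posixpath.splitext(urlsplit(path).path)[1].lstrip(".").lower()
    clauses = {
        "http direct to ip request": host_is_ip(h.get("host", "")),
        "http1.1 without connection header": version == "HTTP/1.1" and "connection" not in h,
        "service=80": dst_port == 80,
        "extension=php": ext == "php",
        "referer !exists": "referer" not in h,
        "action=put": method == "POST",
        "content=application/x-www-form-urlencoded": h.get("content-type", "").split(";")[0].strip() == "application/x-www-form-urlencoded",
    }
    return [name for name, ok in clauses.items() if not ok]
```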


Scan results for a BlackEnergy variant can be viewed here.


The full and complete BlackEnergy report can be found here.


All of the IOCs from those HTTP sessions were added to the following RSA FirstWatch Live feeds:


  • RSA FirstWatch APT Threat Domains
  • RSA FirstWatch APT Threat IPs


If the threat.desc meta key is enabled, you can use the following app rule:
threat.desc = 'apt-blackenergy-c2'