{
	"id": "352a35d7-9c63-46b4-a997-ed8899eb9df2",
	"created_at": "2026-04-06T00:17:49.312301Z",
	"updated_at": "2026-04-10T13:12:43.475199Z",
	"deleted_at": null,
	"sha1_hash": "911fecedd1e7e99cb9f491c9c96c6d7f15a4862c",
	"title": "Black Energy – Analysis",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2298853,
	"plain_text": "Black Energy – Analysis\r\nBy by Marcus Edmondson\r\nPublished: 2019-01-18 · Archived: 2026-04-05 17:01:45 UTC\r\nSo today I wanted to do a blog post on Black Energy. The sample I will be working with was sourced from hybrid analysis\r\nhere: https://www.hybrid-analysis.com/sample/39d04828ab0bba42a0e4cdd53fe1c04e4eef6d7b26d0008bd0d88b06cc316a81?environmentId=4. This\r\nparticular piece of malware was used to target the networks used to control power grids and has been associated to the\r\nSandworm Team, who used it to also target organizations in the Ukraine.  According to Mitre the Sandworm Team is a\r\nRussian cyber espionage group that has operated since approximately 2009.  The group likely consists of Russian pro-hacktivists. Sandworm Team targets mainly Ukrainian entities associated with energy, industrial control systems, SCADA,\r\ngovernment, and media. Sandworm Team has been linked to the Ukrainian energy sector attack in late 2015. So now that we\r\nhave a little background lets start our analysis.\r\nWhen you initially open up the document you are greeted with this.\r\nI don’t speak Russian but, I’m pretty sure this is telling the user to view this document you need to enable the content. So\r\nlets do it and see what we can get. I’m going to use my usual setup of RegShot/Procmon and Process Hacker with my\r\nWindows VM pointing to my Remnux VM where I will have fakedns, inestsim and Wireshark running. So here is what\r\nRegShot is showing me.\r\nhttps://marcusedmondson.com/2019/01/18/black-energy-analysis/\r\nPage 1 of 6\n\nAfter taking a quick look it looks like we have a .lnk file being dropped into the Startup folder which is a pretty common\r\npersistence technique used by malware. Inside the .lnk file the target is: %windir%\\System32\\rundll32.exe\r\n“C:\\Users\\IEUser\\AppData\\Local\\FONTCACHE.DAT”,#1. 
We also have multiple other processes being kicked off by the Word document, one of which is vba_macro.exe, which runs and then deletes itself. Here is the process listing from Process Hacker.\r\nAfter looking at Wireshark we also have a network connection going to 5[.]149[.]254[.]114//Microsoft/Update/KC074913[.]php and sending back some base64 to the server.\r\nThe base64 will decode to this:\r\nb_id=MSEDGEWIN10_320E10D4F923CEC8B1A11E4A1DB9950D\u0026b_gen=301018stb\u0026b_ver=2.3\u0026os_v=17134\u0026os_type=1\r\nThis is the malware fingerprinting the host: the machine name and a host identifier, what look like build/version tags, and the Windows build number (17134 is the build of the analysis VM).\r\nI also want to cover a quick way for you to dump vba_macro.exe before it runs and deletes itself. In the Word document press Alt+F11 (Option+F11 on a Mac); this will bring up the Visual Basic editor showing the macros. At the very beginning you see array after array of numbers, which looks like it could be machine code.\r\nIf you scroll down to the bottom you will see the meat of what’s happening. It is looping over the arrays and writing them to a file called vba_macro. So we will put a breakpoint right after the loop ends and then run the macros to dump the file, which we will then move to the desktop. Do this inside the analysis VM: everything in the macro before the breakpoint still executes.\r\nAs I started analyzing vba_macro I loaded it into IDA to get a look at the imports and strings. I noticed most of the imports had no xrefs, which puzzled me for a while; I think a lot of the imports are in there to send the analyst down rabbit holes. So I loaded vba_macro up in x32dbg and set breakpoints on some Native API functions like NtWriteFile, NtOpenProcess, etc. I did this because I remember reading that malware will sometimes use these lower-level APIs to avoid detection.
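A static way to get the same dump without running the macros, and to decode the beacon body seen in Wireshark, as an added example that is not part of the original post: the Python below parses the numeric arrays straight out of the VBA source text, reassembles the bytes, checks for an MZ/PE header and hashes the result, and decodes the base64 POST body into its fingerprint fields. The VBA layout (Array(...) literals, possibly with _ line continuations), the sample bytes and the base64 value are constructed for the example; the real document may declare its arrays differently, so adapt the parsing to what the VBA editor shows. To get the VBA source offline, export the module from the editor or use olevba from oletools.

```python
# Added example, not code from the original post. Rebuilds the file that the
# document's macros write from their numeric arrays, statically, and decodes
# the base64 beacon body. The VBA syntax and the sample values are constructed
# assumptions; adapt the parsing to the real module's layout.
import base64
import hashlib
import urllib.parse


def extract_vba_arrays(vba_src: str) -> bytes:
    # Concatenate every Array(n, n, ...) literal in source order. VBA line
    # continuations ( _ at end of line) inside a literal are tolerated by
    # stripping the underscore before converting each element to an int.
    out = bytearray()
    pos = 0
    while True:
        start = vba_src.find('Array(', pos)
        if start < 0:
            break
        end = vba_src.find(')', start)
        if end < 0:
            raise ValueError('unterminated Array( literal at offset %d' % start)
        for tok in vba_src[start + len('Array('):end].split(','):
            tok = tok.replace('_', '').strip()
            if not tok:
                continue
            val = int(tok)
            if not 0 <= val <= 255:
                raise ValueError('element %d is not a byte value' % val)
            out.append(val)
        pos = end + 1
    return bytes(out)


def looks_like_pe(data: bytes) -> bool:
    # MZ at offset 0 and the PE signature where e_lfanew (offset 0x3C) points.
    if len(data) < 0x40 or data[:2] != b'MZ':
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], 'little')
    return data[e_lfanew:e_lfanew + 4] == b'PE' + bytes(2)


def rebuild_dropped_file(vba_src: str) -> dict:
    data = extract_vba_arrays(vba_src)
    return {
        'size': len(data),
        'sha256': hashlib.sha256(data).hexdigest(),
        'is_pe': looks_like_pe(data),
        'data': data,
    }


def decode_beacon(b64_body: str) -> dict:
    # The POST body is base64 over a URL-encoded key=value string.
    raw = base64.b64decode(b64_body).decode('ascii')
    return dict(urllib.parse.parse_qsl(raw, keep_blank_values=True))


# Constructed sample: a 68-byte stub with a valid e_lfanew and PE signature,
# split into Array(...) literals of 16 elements the way a dropper macro might.
SAMPLE_PAYLOAD = (b'MZ' + bytes(58)
                  + (0x40).to_bytes(4, 'little')
                  + b'PE' + bytes(2))


def build_sample_vba(payload: bytes, chunk: int = 16) -> str:
    lines = ['Sub AutoOpen()']
    for i in range(0, len(payload), chunk):
        nums = ', '.join(str(b) for b in payload[i:i + chunk])
        lines.append('    Data%d = Array(%s)' % (i // chunk, nums))
    lines.append('End Sub')
    return chr(10).join(lines)


# Beacon value taken from the decoded string in the post, re-encoded here.
SAMPLE_BEACON = ('b_id=MSEDGEWIN10_320E10D4F923CEC8B1A11E4A1DB9950D'
                 '&b_gen=301018stb&b_ver=2.3&os_v=17134&os_type=1')
SAMPLE_BEACON_B64 = base64.b64encode(SAMPLE_BEACON.encode('ascii')).decode('ascii')


if __name__ == '__main__':
    info = rebuild_dropped_file(build_sample_vba(SAMPLE_PAYLOAD))
    print('size=%d pe=%s sha256=%s' % (info['size'], info['is_pe'], info['sha256']))
    for key, value in decode_beacon(SAMPLE_BEACON_B64).items():
        print('%s = %s' % (key, value))
```

The SHA-256 of the rebuilt bytes is what you would submit to Hybrid Analysis or VirusTotal to see whether the dropped binary is already known; if looks_like_pe returns False on a real document, the arrays are probably encoded or XOR-obfuscated before being written, and the loop at the bottom of the macro will show the transform to undo.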
I then started running it to see what I could find.\r\nSo here is a call to NtWriteFile where it looks like it is creating the .lnk file.\r\nAnd here is a call to ShellExecuteW opening the .lnk file.\r\nSo to sum things up, a quick and dirty version of my interpretation of what this malware is doing:\r\n1. The Word document’s macros run and drop vba_macro to disk.\r\n2. vba_macro creates the .lnk and fontcache.dat and runs the .lnk file, which in turn runs fontcache.dat with rundll32, which provides the network connectivity to the address we talked about above.\r\n3. vba_macro also kicks off a cmd.exe which is continually running PING.exe and attrib.exe (ping is commonly used in such loops as a sleep, and attrib to change file attributes such as hidden).\r\nSo thank you for reading, and I hope this has helped someone learn something new. Until next time…\r\nHappy hunting,\r\nMarcus\r\nReferences:\r\nhttps://attack.mitre.org/groups/G0034/\r\nhttps://securelist.com/blackenergy-apt-attacks-in-ukraine-employ-spearphishing-with-word-documents/73440/\r\nhttps://threatconnect.com/blog/casting-a-light-on-blackenergy/\r\nSource: https://marcusedmondson.com/2019/01/18/black-energy-analysis/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://marcusedmondson.com/2019/01/18/black-energy-analysis/"
	],
	"report_names": [
		"black-energy-analysis"
	],
	"threat_actors": [
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434669,
	"ts_updated_at": 1775826763,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/911fecedd1e7e99cb9f491c9c96c6d7f15a4862c.pdf",
		"text": "https://archive.orkl.eu/911fecedd1e7e99cb9f491c9c96c6d7f15a4862c.txt",
		"img": "https://archive.orkl.eu/911fecedd1e7e99cb9f491c9c96c6d7f15a4862c.jpg"
	}
}