Alleviating BlackEnergy-Enabled DDoS Attacks | WhoisXML API

Threat Reports

Alleviating BlackEnergy-Enabled DDoS Attacks

BlackEnergy was originally sold as a crimeware toolkit when it first surfaced in 2007. Since then, it has undergone modifications that have made it one of advanced persistent threat (APT) actors’ go-to attack tools. Used in the Ukraine power grid attack in 2015, the malware effectively used a distributed denial-of-service (DDoS) attack to hide their true goal—data stealing.1 

WhoisXML API and threat researcher Dancho Danchev sought to expand the current list of indicators of compromise (IoCs) for the most recent BlackEnergy attack on the State Bar of Georgia.2 Findings include:

  • Close to 50 IP addresses to which the domains identified as IoCs resolved
  • Two unredacted email addresses used to register the domains tagged as IoCs
  • More than 6,000 domains that shared the IoCs’ registrant email addresses or IP addresses, more than 100 of which were dubbed “malicious” by various malware engines

Download a sample of the threat research materials now or contact us to access the complete set of research materials.

  • [1] https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/faq-blackenergy
  • [2] https://portswigger.net/daily-swig/state-bar-of-georgia-reels-from-cyber-attack
Try our WhoisXML API for free
Get started