After BlackEnergy, critical infrastructure around the world is among key targets of the new malware called GreyEnergy.
In its recent research, ESET has revealed details of a new group of cybercriminals dubbed GreyEnergy, which appears to be the successor to the BlackEnergy APT group.
The BlackEnergy group’s last activity was observed in December 2015 when nearly 230,000 people had to deal with a prolonged blackout due to a cyber attack on Ukrainian power grids.
ESET researchers have noticed that GreyEnergy has been attacking energy firms and other high-value targets in Poland and Ukraine since 2016, with critical infrastructure in Ukraine appearing to be the main target.
The GreyEnergy malware has no destructive capabilities at the moment and seems focused on espionage and reconnaissance against industrial control system workstations and servers running SCADA software.
However, it has a modular architecture, which means that its capabilities can be further expanded.
The plugins observed by security researchers provide capabilities such as backdoor access, file exfiltration, grabbing screenshots, logging keystrokes, and stealing credentials.
Security researchers at ESET noticed that the initial attack stage uses a different piece of malware, which they call ‘GreyEnergy mini’ (also known as FELIXROOT) and which does not require administrator privileges.
Its task is to map the network and collect credentials that give the main malware the necessary permissions to take complete control of the network.
The goal is achieved with Nmap and Mimikatz, freely available tools designed for security research purposes.
Other legitimate tools used include Sysinternals PsExec and WinExe, which serve for lateral movement across a compromised network.
Researchers also believe that the group is closely linked to the BlackEnergy group and that the attackers may be looking to launch cyber espionage attacks in the near future.
Furthermore, ESET researchers have evidence that GreyEnergy is linked to Telebots, the group behind the highly destructive NotPetya malware.
Telebots is believed to have the backing of the GRU, Russia’s military intelligence service.
Previously, researchers linked Telebots to another malware campaign Industroyer, which caused another blackout in Ukraine in 2016.
It is worth noting that ESET has not attributed GreyEnergy to any specific state or group, but has only suspected it of links to past attacks on Ukrainian power grids.
They have declared GreyEnergy as one of the most “dangerous APT groups” that’s been attacking Ukraine for the last three years.
ESET found that GreyEnergy’s primary focus is on targeted attacks and stealthy campaigns, with the attackers using every available means to evade detection.
Evidently, the key targets are energy companies, specifically those whose industrial control system workstations run SCADA software.
The reason ESET researchers believe that GreyEnergy is tied to BlackEnergy is that both are modular and employ a mini backdoor prior to obtaining admin rights, after which a full backdoor is rolled out.
An interesting discovery ESET made was in one sample of the malware, which was digitally signed with a certificate, most likely stolen, from Advantech, a company in Taiwan that makes industrial equipment and connected devices.
“Since we discovered that exactly the same certificate was used to sign clean, non-malicious software from Advantech, we believe that this certificate was likely stolen.
It is worth noting that the discovered sample does not have countersignatures, which means that the digital signature became invalid once the certificate’s validity period had expired,” ESET notes in its report.
GreyEnergy deploys its malware according to the type of machine it infiltrates.
According to ESET’s research, one method is to run the malware in the memory of the system.
This approach is chosen for servers with high uptime, where reboots are rare.
The second type of system targeted is one where the malware needs persistence because a reboot is more likely.
In this case, an existing service is selected and a new ServiceDLL registry key is added.
This method may break the system, so to avoid that outcome the malware dropper screens the installed services for one that meets a set of requirements.
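The two details above, a ServiceDLL pointing at an attacker-chosen DLL and a signature that stops validating because it carries no timestamp countersignature, are both things a responder can audit from the registry. The following PowerShell is an added example for defenders, not code from ESET or the report; the list of trusted directories is an assumption, and the logic is a hunt, not a verdict.

```powershell
# Added example (not from ESET's report): enumerate every service's ServiceDLL,
# flag DLLs outside the expected Windows directories, and report the Authenticode
# status of each, including whether a timestamp countersignature is present.
# Run in an elevated session on the host being audited.

function Get-ServiceDllAudit {
    [CmdletBinding()]
    param(
        # Directories where a legitimate ServiceDLL is normally expected (assumption)
        [string[]]$TrustedRoots = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")
    )

    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    foreach ($svc in Get-ChildItem -Path $base -ErrorAction SilentlyContinue) {
        $params = Join-Path $svc.PSPath 'Parameters'
        $dll = (Get-ItemProperty -Path $params -Name ServiceDLL -ErrorAction SilentlyContinue).ServiceDLL
        if (-not $dll) { continue }

        # Expand %SystemRoot%-style variables so the path can be resolved on disk
        $path = [Environment]::ExpandEnvironmentVariables($dll)
        $inTrustedRoot = $false
        foreach ($root in $TrustedRoots) {
            if ($path.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { $inTrustedRoot = $true }
        }

        $sig = $null
        if (Test-Path -LiteralPath $path) {
            $sig = Get-AuthenticodeSignature -FilePath $path
        }

        [pscustomobject]@{
            Service       = $svc.PSChildName
            ServiceDLL    = $path
            Exists        = [bool](Test-Path -LiteralPath $path)
            InTrustedRoot = $inTrustedRoot
            SigStatus     = if ($sig) { $sig.Status.ToString() } else { 'NoFile' }
            Signer        = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            # Without a timestamp countersignature the signature stops validating once
            # the signing certificate expires, as ESET observed on the Advantech-signed sample
            Countersigned = [bool]($sig -and $sig.TimeStamperCertificate)
        }
    }
}

# Surface the entries a responder would look at first
Get-ServiceDllAudit |
    Where-Object { -not $_.InTrustedRoot -or $_.SigStatus -ne 'Valid' } |
    Format-Table -AutoSize
```

Catalog-signed OS binaries often report no embedded timestamper, so treat the Countersigned column as context for the flagged rows rather than as an alert on its own.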
Researchers say that GreyEnergy’s purpose is to infiltrate deep into the target’s network and collect information.
Unlike TeleBots, it is not in the sabotage business, but this does not exclude the possibility of destructive capabilities becoming available at some point.
What is certain, though, is “that the threat actors responsible for GreyEnergy are extremely dangerous in their persistence and stealth,” the researchers conclude.
Another similarity is that both groups’ malware use remote command and control servers reached through active Tor relays.
It is an operational security technique that the group uses to operate covertly.
Moreover, both campaigns target energy and critical infrastructure in Ukraine.
One of the victims of BlackEnergy has also been targeted by GreyEnergy.
BlackEnergy has been inactive since the time GreyEnergy became active, which further substantiates the view that both groups are linked.
There are also signs that GreyEnergy is an evolved form of BlackEnergy: its more modern toolkit focuses more on stealth, and its AES-256 encrypted fileless modules are pushed only when strictly necessary.
These modules run in the memory to hinder the analysis and detection process.
GreyEnergy attacks through spear-phishing emails where users are lured into activating infected macros, and another method is by compromising public web servers.
Vulnerable servers are used to obtain entry into networks and then gradually move across the network to attack targeted systems.
Moreover, the group uses publicly available tools such as WinExe, Nmap, Mimikatz, and PsExec to carry out its malicious activities while staying under the radar.
ESET warns that the group is active and quite possibly preparing another wave of attacks, or that another APT group is being established to carry out more advanced operations.
For an organization to avoid getting attacked by GreyEnergy, here’s what ESET researcher Robert Lipovský recommends.
“Use multi-layered security solutions, including Endpoint Detection and Response, 2FA, backups, updated and patched software, and educate employees not to fall prey to spear-phishing attacks.”