PROJECT

GreyEnergy

Dissecting the Malware from Maldoc to Backdoor

Overview
When the GreyEnergy Advanced Persistent Threat (APT) was unveiled by ESET last year, our researcher Alessandro Di Pinto put his reverse engineering skills to work to analyze one of the malware’s infection techniques. This was the phishing email containing a malicious Microsoft Word document (maldoc) that lead to the installation of the malware (backdoor) on a victim’s network.

Alessandro published a Research Paper and several blogs that provide a comprehensive analysis of how the malware works, from the maldoc, to the custom packer and the final dropper (backdoor). The deepest analysis is done on the packer, an executable that decrypts and decompresses another executable inside itself.

The analysis shows that the GreyEnergy packer is robust and capable of significantly slowing down the reverse engineering process. The techniques used are not new, but both the tools and the tactics employed were cleverly selected. The threat actors’ broad use of anti-forensic techniques underlines their attempt to be stealthy and ensure that the infection would go unnoticed.

As a direct outcome of this analysis, two tools were freely released, the GreyEnergy Yara Module and the GreyEnergy Unpacker. We hope these tools facilitate further GreyEnergy analysis and help the security community better defend critical infrastructure systems in the future.

 Research Reports

Tools

Labs Blogs

GreyEnergy Malware Research Paper: Maldoc to Backdoor

When the GreyEnergy Advanced Persistent Threat (APT) was unveiled last year, I decided to put my reverse engineering skills to work and study one of its infection techniques.

Find out about the methods the malware’s packer stage used to conceal its true functionality, plus get access to my full Research Paper, in today’s article.

read more

Analyzing the GreyEnergy Malware: from Maldoc to Backdoor

GreyEnergy is an Advanced Persistent Threat (APT) which has been targeting industrial networks in Eastern European countries for several years.

As a security analyst, I have studied the malware and provide a detailed description of how it works, from the moment that someone receives a phishing email, until the malware is installed in a PC. We also provide the GreyEnergy Unpacker, a free tool for other analysts to use for further analysis of this advanced persistent threat.

read more

GreyEnergy Malware Targets Industrial Critical Infrastructure

Recently a new advanced threat targeting the energy sector was disclosed. Called GreyEnergy, this malware is the successor to BlackEnergy, which brought down part of the Ukraine power grid in 2015.
Because of the significance of the malware, our Nozomi Networks Security Research team is evaluating it. Find out what is known about the malware to date.

read more

© 2019 Nozomi Networks, Inc.
All Rights Reserved.

Share This