Nozomi Network Labs Project
GreyEnergy
Dissecting the Malware from Maldoc to Backdoor
Overview
When the GreyEnergy Advanced Persistent Threat (APT) was unveiled by ESET last year, our researcher Alessandro Di Pinto put his reverse engineering skills to work to analyze one of the malware’s infection techniques. This was the phishing email containing a malicious Microsoft Word document (maldoc) that lead to the installation of the malware (backdoor) on a victim’s network.
Alessandro published a Research Paper and several blogs that provide a comprehensive analysis of how the malware works, from the maldoc, to the custom packer and the final dropper (backdoor). The deepest analysis is done on the packer, an executable that decrypts and decompresses another executable inside itself.
The analysis shows that the GreyEnergy packer is robust and capable of significantly slowing down the reverse engineering process. The techniques used are not new, but both the tools and the tactics employed were cleverly selected. The threat actors’ broad use of anti-forensic techniques underlines their attempt to be stealthy and ensure that the infection would go unnoticed.
As a direct outcome of this analysis, two tools were freely released, the GreyEnergy Yara Module and the GreyEnergy Unpacker. We hope these tools facilitate further GreyEnergy analysis and help the security community better defend critical infrastructure systems in the future.
Reports
- Research Papers
GreyEnergy: Dissecting the Malware from Maldoc to Backdoor
Tools
Guardian Community Edition Assertions (Queries) for COVID-19 Cybersecurity
- by Nozomi Networks
- April 14, 2020
New assertions (queries) have been added to Guardian Community Edition to help with COVID-19-related cybersecurity challenges.
- Assertions for COVID-19 Network Indicators – Queries that check for communications with malicious IP addresses and URLs
- Assertions for Remote Access Monitoring – Queries that check the number of simultaneous remote connections and generate alerts if the number surpasses a threshold.
COVID-19 Malware: OT and IoT Threat Intelligence
- by Nozomi Networks
- April 7, 2020
To help your organization proactively detect and prevent COVID-19 themed cyberattacks, download our network indicators, ransomware and malware threat intelligence.
- COVID-19 themed Network Indicators – Network IOCs (Indicators of Compromise)
- COVID-19-Themed Ransomware Rules – Yara rules for detecting coronavirus ransomware
- COVID-19 Informer Malware Rules– Yara rules for detecting COVID-19 Informer malware
- COVID-19-Themed Hash – List of hashes that detect malicious files
- COVID-19 Chinoxy Backdoor Malware – SNORT rule for detecting network infection
URGENT/11 Nmap NSE Script for Detecting Vulnerabilities
- by Nozomi Networks
- September 5, 2019
- Our Nmap NSE script for detecting URGENT/11 vulnerabilities is a research tool for quickly checking industrial systems for vulnerable assets based on the version of VxWorks exposed within the FTP service.
- Due the fact that is not always possible to detect the running version, we recommend that industrial operators use full featured security products for effective vulnerability assessment.
GreyEnergy Unpacker + Yara Module
- by Nozomi Networks
- February 12, 2019
- GreyEnergy Unpacker – automatically unpacks both the dropper and the backdoor and extracts them onto a disk
- GreyEnergy Yara Module: – determines whether a file processed by Yara is the GreyEnergy packer or not
Labs Blogs
GreyEnergy Malware Research Paper: Maldoc to Backdoor
Analyzing the GreyEnergy Malware: from Maldoc to Backdoor
