Nozomi Network Labs Project

GreyEnergy

Dissecting the Malware from Maldoc to Backdoor

Overview

When the GreyEnergy Advanced Persistent Threat (APT) was unveiled by ESET last year, our researcher Alessandro Di Pinto put his reverse engineering skills to work to analyze one of the malware’s infection techniques. This was the phishing email containing a malicious Microsoft Word document (maldoc) that lead to the installation of the malware (backdoor) on a victim’s network.

Alessandro published a Research Paper and several blogs that provide a comprehensive analysis of how the malware works, from the maldoc, to the custom packer and the final dropper (backdoor). The deepest analysis is done on the packer, an executable that decrypts and decompresses another executable inside itself.

The analysis shows that the GreyEnergy packer is robust and capable of significantly slowing down the reverse engineering process. The techniques used are not new, but both the tools and the tactics employed were cleverly selected. The threat actors’ broad use of anti-forensic techniques underlines their attempt to be stealthy and ensure that the infection would go unnoticed.

As a direct outcome of this analysis, two tools were freely released, the GreyEnergy Yara Module and the GreyEnergy Unpacker. We hope these tools facilitate further GreyEnergy analysis and help the security community better defend critical infrastructure systems in the future.

Reports

GreyEnergy: Dissecting the Malware from Maldoc to Backdoor

Tools

Guardian Community Edition Assertions (Queries) for COVID-19 Cybersecurity

New assertions (queries) have been added to Guardian Community Edition to help with COVID-19-related cybersecurity challenges.

COVID-19 Malware: OT and IoT Threat Intelligence

To help your organization proactively detect and prevent COVID-19 themed cyberattacks, download our network indicators, ransomware and malware threat intelligence.

URGENT/11 Nmap NSE Script for Detecting Vulnerabilities

  • Our Nmap NSE script for detecting URGENT/11 vulnerabilities is a research tool for quickly checking industrial systems for vulnerable assets based on the version of VxWorks exposed within the FTP service.
  • Due the fact that is not always possible to detect the running version, we recommend that industrial operators use full featured security products for effective vulnerability assessment.

GreyEnergy Unpacker + Yara Module

  • GreyEnergy Unpacker – automatically unpacks both the dropper and the backdoor and extracts them onto a disk
  • GreyEnergy Yara Module: – determines whether a file processed by Yara is the GreyEnergy packer or not