PROJECT

GreyEnergy

Dissecting the Malware from Maldoc to Backdoor

Overview
Reports
Tools
Labs Blogs

Overview

When the GreyEnergy Advanced Persistent Threat (APT) was unveiled by ESET last year, our researcher Alessandro Di Pinto put his reverse engineering skills to work to analyze one of the malware’s infection techniques. This was the phishing email containing a malicious Microsoft Word document (maldoc) that lead to the installation of the malware (backdoor) on a victim’s network.

Alessandro published a Research Paper and several blogs that provide a comprehensive analysis of how the malware works, from the maldoc, to the custom packer and the final dropper (backdoor). The deepest analysis is done on the packer, an executable that decrypts and decompresses another executable inside itself.

The analysis shows that the GreyEnergy packer is robust and capable of significantly slowing down the reverse engineering process. The techniques used are not new, but both the tools and the tactics employed were cleverly selected. The threat actors’ broad use of anti-forensic techniques underlines their attempt to be stealthy and ensure that the infection would go unnoticed.

As a direct outcome of this analysis, two tools were freely released, the GreyEnergy Yara Module and the GreyEnergy Unpacker. We hope these tools facilitate further GreyEnergy analysis and help the security community better defend critical infrastructure systems in the future.

Reports

GreyEnergy: Dissecting the Malware from Maldoc to Backdoor, Comprehensive Reverse Engineering Analysis

by Nozomi Networks Labs and Nozomi Networks | Feb 12, 2019

A comprehensive analysis of one the GreyEnergy malware’s infection techniques, a phishing email, from the maldoc, to the custom packer and the final dropper (backdoor). The deepest reverse engineering is done on the packer. Two new tools were released to support further analysis of GreyEnergy.

Download

Tools

Guardian Community Edition Assertions (Queries) for COVID-19 Cybersecurity

by Nozomi Networks Labs | Apr 14, 2020

New assertions (queries) have been added to Guardian Community Edition to help with COVID-19-related cybersecurity challenges.

Assertions for COVID-19 Network Indicators – Queries that check for communications with malicious IP addresses and URLs
Assertions for Remote Access Monitoring – Queries that check the number of simultaneous remote connections and generate alerts if the number surpasses a threshold.

COVID-19 Malware: OT and IoT Threat Intelligence

by Nozomi Networks Labs | Apr 7, 2020

To help your organization proactively detect and prevent COVID-19 themed cyberattacks, download our network indicators, ransomware and malware threat intelligence.

COVID-19 themed Network Indicators – Network IOCs (Indicators of Compromise)
COVID-19-Themed Ransomware Rules – Yara rules for detecting coronavirus ransomware
COVID-19 Informer Malware Rules– Yara rules for detecting COVID-19 Informer malware
COVID-19-Themed Hash – List of hashes that detect malicious files
COVID-19 Chinoxy Backdoor Malware – SNORT rule for detecting network infection

GitHub

URGENT/11 Nmap NSE Script for Detecting Vulnerabilities

by Nozomi Networks Labs | Sep 5, 2019

Our Nmap NSE script for detecting URGENT/11 vulnerabilities is a research tool for quickly checking industrial systems for vulnerable assets based on the version of VxWorks exposed within the FTP service.
Due the fact that is not always possible to detect the running version, we recommend that industrial operators use full featured security products for effective vulnerability assessment.

GitHub

GreyEnergy Unpacker + Yara Module

by Nozomi Networks Labs | Feb 12, 2019

GreyEnergy Unpacker – automatically unpacks both the dropper and the backdoor and extracts them onto a disk
GreyEnergy Yara Module: – determines whether a file processed by Yara is the GreyEnergy packer or not

GitHub

Labs Blogs

GreyEnergy Malware Research Paper: Maldoc to Backdoor

by Alessandro Di Pinto | Feb 12, 2019

When the GreyEnergy Advanced Persistent Threat (APT) was unveiled last year, I decided to put my reverse engineering skills to work and study one of its infection techniques.

Find out about the methods the malware’s packer stage used to conceal its true functionality, plus get access to my full Research Paper, in today’s article.

Analyzing the GreyEnergy Malware: from Maldoc to Backdoor

by Alessandro Di Pinto | Nov 20, 2018

GreyEnergy is an Advanced Persistent Threat (APT) which has been targeting industrial networks in Eastern European countries for several years.

As a security analyst, I have studied the malware and provide a detailed description of how it works, from the moment that someone receives a phishing email, until the malware is installed in a PC. We also provide the GreyEnergy Unpacker, a free tool for other analysts to use for further analysis of this advanced persistent threat.

GreyEnergy Malware Targets Industrial Critical Infrastructure

by Alessandro Di Pinto | Oct 29, 2018

Recently a new advanced threat targeting the energy sector was disclosed. Called GreyEnergy, this malware is the successor to BlackEnergy, which brought down part of the Ukraine power grid in 2015.
Because of the significance of the malware, our Nozomi Networks Security Research team is evaluating it. Find out what is known about the malware to date.