Select Page
PROJECT

GreyEnergy

Dissecting the Malware from Maldoc to Backdoor

  1. Overview
  2. Reports
  3. Tools
  4. Labs Blogs

Overview

When the GreyEnergy Advanced Persistent Threat (APT) was unveiled by ESET last year, our researcher Alessandro Di Pinto put his reverse engineering skills to work to analyze one of the malware’s infection techniques. This was the phishing email containing a malicious Microsoft Word document (maldoc) that lead to the installation of the malware (backdoor) on a victim’s network.

Alessandro published a Research Paper and several blogs that provide a comprehensive analysis of how the malware works, from the maldoc, to the custom packer and the final dropper (backdoor). The deepest analysis is done on the packer, an executable that decrypts and decompresses another executable inside itself.

The analysis shows that the GreyEnergy packer is robust and capable of significantly slowing down the reverse engineering process. The techniques used are not new, but both the tools and the tactics employed were cleverly selected. The threat actors’ broad use of anti-forensic techniques underlines their attempt to be stealthy and ensure that the infection would go unnoticed.

As a direct outcome of this analysis, two tools were freely released, the GreyEnergy Yara Module and the GreyEnergy Unpacker. We hope these tools facilitate further GreyEnergy analysis and help the security community better defend critical infrastructure systems in the future.

 Reports

Tools

Guardian Community Edition Assertions (Queries) for COVID-19 Cybersecurity

by | Apr 14, 2020

New assertions (queries) have been added to Guardian Community Edition to help with COVID-19-related cybersecurity challenges.

COVID-19 Malware: OT and IoT Threat Intelligence

by | Apr 7, 2020

To help your organization proactively detect and prevent COVID-19 themed cyberattacks, download our network indicators, ransomware and malware threat intelligence.

GitHub

URGENT/11 Nmap NSE Script for Detecting Vulnerabilities

by | Sep 5, 2019

  • Our Nmap NSE script for detecting URGENT/11 vulnerabilities is a research tool for quickly checking industrial systems for vulnerable assets based on the version of VxWorks exposed within the FTP service.
  • Due the fact that is not always possible to detect the running version, we recommend that industrial operators use full featured security products for effective vulnerability assessment.
GitHub

Labs Blogs

GreyEnergy Malware Research Paper: Maldoc to Backdoor

by | Feb 12, 2019

When the GreyEnergy Advanced Persistent Threat (APT) was unveiled last year, I decided to put my reverse engineering skills to work and study one of its infection techniques.

Find out about the methods the malware’s packer stage used to conceal its true functionality, plus get access to my full Research Paper, in today’s article.

read more

Analyzing the GreyEnergy Malware: from Maldoc to Backdoor

by | Nov 20, 2018

GreyEnergy is an Advanced Persistent Threat (APT) which has been targeting industrial networks in Eastern European countries for several years.

As a security analyst, I have studied the malware and provide a detailed description of how it works, from the moment that someone receives a phishing email, until the malware is installed in a PC. We also provide the GreyEnergy Unpacker, a free tool for other analysts to use for further analysis of this advanced persistent threat.

read more

GreyEnergy Malware Targets Industrial Critical Infrastructure

by | Oct 29, 2018

Recently a new advanced threat targeting the energy sector was disclosed. Called GreyEnergy, this malware is the successor to BlackEnergy, which brought down part of the Ukraine power grid in 2015.
Because of the significance of the malware, our Nozomi Networks Security Research team is evaluating it. Find out what is known about the malware to date.

read more

© 2020 Nozomi Networks, Inc.
All Rights Reserved.

Share This