GreyEnergy and Zebrocy Targets Overlapping

GreyEnergy, believed to be the successor to BlackEnergy, is a malware family discovered by ESET researchers that is known to attack targets in Central and Eastern Europe. BlackEnergy is the group known for its involvement in the attacks against Ukrainian energy facilities in December 2015. Like its predecessor BlackEnergy, GreyEnergy is also interested in industrial targets.

Zebrocy is a family of malware used by APT28 (also known as Fancy Bear or Sofacy, among other names) that consists of downloaders and backdoors written in Delphi and AutoIt. Named by Kaspersky in its APT Trends report for Q2 2017, Zebrocy was first spotted near the end of 2015. Zebrocy is known to target mainly government-related entities across the Middle East, Europe and Asia.

In June 2018, both malware families were being hosted on 193.23.181[.]151. The samples found there (MD5 hashes) were:

  • GreyEnergy
    • 11227eca89cc053fb189fac3ebf27497
    • 4de5adb865b5198b4f2593ad436fceff
  • Zebrocy
    • 7f20f7fbce9deee893dbce1a1b62827d
    • 170d2721b91482e5cabf3d2fec091151
    • eae0b8997c82ebd93e999d4ce14dedf5
    • a5cbf5a131e84cd2c0a11fca5ddaa50a
    • c9e1b0628ac62e5cb01bf1fa30ac8317

Around the same time, both groups could also be seen using 185.217.0[.]124 to host samples:

  • GreyEnergy
    • a541295eca38eaa4fde122468d633083
    • 78734cd268e5c9ab4184e1bbe21a6eb9
  • Zebrocy
    • 7f20f7fbce9deee893dbce1a1b62827d
    • 170d2721b91482e5cabf3d2fec091151
    • 3803af6700ff4f712cd698cee262d4ac
    • e3100228f90692a19f88d9acb620960d

Each of the samples listed was used to target industrial companies located in Kazakhstan from May 2018 to June 2018. While there is no definitive proof that APT28 and GreyEnergy are related, a recent report by Kaspersky suggests that the similar timing and targets may point to a relationship between the two. To keep our customers protected, all indicators listed have also been added to our threat intelligence service monitoring and Vision products.