GreyEnergy is a newly identified malware family targeting systems in critical infrastructure. It currently contains no destructive capabilities; it is an espionage and reconnaissance toolkit, and its modular architecture makes it easy to extend. Its current capabilities include backdoor access, file exfiltration, keylogging, credential theft, and screenshot capture.

During the initial attack stage, GreyEnergy relies on a separate, lighter piece of malware called GreyEnergy mini (also known as FELIXROOT), which does not require administrator privileges. GreyEnergy mini maps the network and collects credentials so that GreyEnergy can then take complete control of the network; this is done with Nmap and Mimikatz. Other tools used include PsExec, Sysinternals utilities, and WinExe, which are used for lateral movement across the compromised network.

The C&C servers communicate only with specific machines on the network. According to researchers, “This modus operandi has been seen in Duqu and it is designed to hide the espionage activity, as the infected computers communicate with an internal server that relays the information to the C2, rather than an external system, which would be a red flag.” The C&C servers also act as Tor relays.

Further investigation uncovered a sample that is digitally signed with a certificate most likely stolen from Advantech, a Taiwanese company that makes industrial equipment and connected devices. The malware is believed to be connected to the Russian threat actor group Sandworm.
Written by: Nataliia Zdrok, Threat Intelligence Analyst at Binary Defense