‘GreyEnergy’ Cyberspies Target Ukraine, Poland

Over the past three years, ESET security researchers have been tracking a cyber-espionage group linked to the infamous BlackEnergy hackers.

BlackEnergy has been around since at least 2007, but rose to prominence in December 2015 when it caused a major blackout. The newly documented group, which ESET refers to as GreyEnergy, emerged around the same time.

Another group that emerged around the same time is TeleBots, which is said to have orchestrated the massive NotPetya outbreak last year. Recently, the security researchers managed to link the group to Industroyer, which is considered the most powerful modern malware targeting industrial control systems (ICS).

According to an ESET report published on Wednesday (PDF), the BlackEnergy threat actor evolved into two separate groups, namely TeleBots and GreyEnergy. The former is focused on launching cybersabotage attacks on Ukraine, through computer network attack (CNA) operations.

Over the past three years, GreyEnergy was observed being involved in attacks targeting entities in Ukraine and Poland, but mainly focused on cyber-espionage and reconnaissance. The group’s operations have been aimed at energy sector, transportation, and other high-value targets.

The GreyEnergy malware features a modular architecture, meaning that its capabilities are dependent on the modules the operator chooses to deploy. These modules, however, include backdoor, file extraction, screenshot capturing, keylogging, password and credential stealing, and other functionality.

“We have not observed any modules that specifically target Industrial Control Systems software or devices. We have, however, observed that GreyEnergy operators have been strategically targeting ICS control workstations running SCADA software and servers,” Anton Cherepanov, a senior security researcher at ESET, reveals.

None of the malware’s modules, ESET says, is capable of affecting ICS, but its operators did use, on at least one occasion, a disk-wiping component to disrupt operating processes. One of the GreyEnergy samples was using a valid digital certificate likely stolen from Taiwanese company Advantech.

The actor is targeting organizations either through compromised self-hosted web services or via spear-phishing emails with malicious attachments.

The attackers would also deploy additional backdoors to the compromised web servers that are accessible from the Internet. The hackers favor PHP backdoors and use several layers of obfuscation and encryption to hide the malicious code.

The attachments of spear-phishing emails would first drop a lightweight first-stage backdoor dubbed GreyEnergy mini (and also known as FELIXROOT) to map the network and collect admin credentials using tools such as Nmap and Mimikatz.

The collected credentials are then used to deploy the main GreyEnergy malware, which requires administrator privileges. The backdoor is deployed on servers with high uptime and workstations used to control ICS environments. Additional software (proxies deployed on internal servers) is used to communicate with the command and control (C&C) server as stealthily as possible.

Written in C and compiled using Visual Studio, the GreyEnergy malware is usually deployed in two modes: in-memory-only mode, when no persistence is required, and using Service DLL persistence, to survive system reboots. The functionality of the malware is the same in both cases.

The GreyEnergy modules researchers have observed to date are meant to inject a PE binary into a remote process; collect information about the system and event logs; perform file system operations; grab screenshots; harvest key strokes; collect saved passwords from various applications; use Mimikatz to steal Windows credentials; use Plink to create SSH tunnels; and use 3proxy to create proxies.

The malware leverages Tor relay software when active, with the C&C infrastructure setup similar to that of BlackEnergy, TeleBots, and Industroyer. Furthermore, GreyEnergy and BlackEnergy have a similar design and a similar set of modules and features, although they are implemented differently.

Furthermore, ESET researchers discovered a worm that appears to be the predecessor of NotPetya, and which they call Moonraker Petya. The malware, which contains code that makes the computer unbootable, was deployed against a small number of organizations and has limited spreading capabilities.

Moonraker Petya shows a cooperation between TeleBots and GreyEnergy, or at least reveals they are sharing some ideas and code. The main difference between the two is that TeleBots focuses solely on Ukraine, while GreyEnergy operates outside the country’s borders as well.

“GreyEnergy is an important part of the arsenal of one of the most dangerous APT groups that has been terrorizing Ukraine for the past several years. We consider it to be the successor of the BlackEnergy toolkit. The main reasons for this conclusion are the similar malware design, specific choice of targeted victims, and modus operandi,” ESET concludes.

Related: Exaramel Malware Reinforces Link Between Industroyer and NotPetya