
GreyEnergy

Posted: October 9, 2019

GreyEnergy is a threat actor that uses various tools, including ones typically associated with BlackEnergy and TeleBots, for intelligence-gathering purposes. Unlike either group, GreyEnergy uses more traditional infection methods and stealth-based techniques for hiding their activities from victims. Users should let anti-malware products remove GreyEnergy spyware, Trojans, and other threats while re-securing their network credentials as quickly as possible.

The Shy Side of Trojan Operations

Although TeleBots is, by far, the most visible successor to the mantle of BlackEnergy and its energy-sector sabotage attacks, there also is evidence of another claimant to that title. If TeleBots and BlackEnergy are closed fists, GreyEnergy might be a velvet glove – a threat actor that uses many of the same tools and techniques but applies them with a more delicate touch. Unfortunately, that lighter touch is no less threatening, as GreyEnergy is in the business of espionage and data theft.

Targets of GreyEnergy's campaigns are typical for this umbrella group of threat actors, including Ukraine and, secondarily, Poland. Like them, GreyEnergy favors a two-stage set of backdoors – a narrower one deployed before the more invasive Trojan – and Tor for C&C server infrastructure. However, probably the most critical element linking GreyEnergy to the prior attacks, and their resources, is an early build of NotPetya or Netya – a file-locker Trojan and worm. GreyEnergy's version predates the addition of the NSA's EternalBlue exploit but otherwise contained unmistakable similarities to Netya.

On the other hand, users anticipating those criminal organizations' infection strategies will find themselves looking in the wrong places. GreyEnergy uses more traditional options, such as sending phishing e-mail messages to its targets and convincing them to open an attachment or click a link. The attackers also spread throughout vulnerable networks and will re-infect disinfected systems as necessary.

Unlike TeleBots and BlackEnergy, GreyEnergy doesn't use its tools for high-visibility attacks like blocking files or displaying images or ransom demands. Philosophically, their approach is the direct opposite, even as they use the same toolsets.

Keep Your Network from Going Grey

Although GreyEnergy's campaigns offer less explosive results than shutting down power grids, they can result in the total compromise of enterprise-level networks for various targets. Significantly, although malware experts find no samples of GreyEnergy's Trojan software that are specific to industrial control systems (ICS), the group has undertaken operations in sectors that use such hardware. The purpose of GreyEnergy's espionage is uncertain; it could be passing intelligence to another group – such as TeleBots – selling it on the black market, or other, equally undesirable outcomes.

Network administrators, naturally, should monitor firewall settings, turn off RDP where possible, and maintain other practices that are well suited to mitigating intrusions. All workers can learn to spot phishing lures, which generally use content that references the target's industry, or even the recipient personally. E-mail attachments should undergo full anti-malware scans by appropriate services.
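As an added example of the "turn off RDP where possible" advice above (this script is not from the original article and not a GreyEnergy artifact), the following PowerShell audits whether Remote Desktop is reachable on a Windows host and, with the hypothetical -Disable switch, turns it off. It assumes an elevated PowerShell 5.1 or later session on Windows 8/Server 2012 or newer, where the NetSecurity and NetTCPIP modules supply the firewall and socket cmdlets; the registry path, the fDenyTSConnections value and the "Remote Desktop" firewall rule group are the standard Windows ones.

```powershell
# Added example (not from the original article): audit Remote Desktop exposure
# on this host and optionally disable it. Assumes an elevated session on a
# Windows version that ships the NetSecurity and NetTCPIP modules.
[CmdletBinding()]
param(
    [switch]$Disable   # hypothetical switch: audit only unless it is given
)

$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

# fDenyTSConnections = 1 means the host refuses Remote Desktop connections.
$deny = (Get-ItemProperty -Path $rdpKey -Name fDenyTSConnections).fDenyTSConnections
$rdpEnabledInRegistry = ($deny -eq 0)

# The built-in "Remote Desktop" rule group opens TCP/UDP 3389 inbound.
$fwRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue
$firewallAllowsRdp = @($fwRules | Where-Object {
    $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound'
}).Count -gt 0

# Whether anything is actually listening on the RDP port right now.
$listeningOn3389 = @(Get-NetTCPConnection -LocalPort 3389 -State Listen `
    -ErrorAction SilentlyContinue).Count -gt 0

# Report the three signals together; any one of them being true is worth a look.
[PSCustomObject]@{
    Host                 = $env:COMPUTERNAME
    RdpEnabledInRegistry = $rdpEnabledInRegistry
    FirewallAllowsRdp    = $firewallAllowsRdp
    ListeningOn3389      = $listeningOn3389
}

if ($Disable) {
    # Refuse new Remote Desktop connections ...
    Set-ItemProperty -Path $rdpKey -Name fDenyTSConnections -Value 1
    # ... and close the firewall rule group so the port is not reachable either.
    if ($fwRules) { $fwRules | Disable-NetFirewallRule }
    Write-Host "Remote Desktop disabled on $env:COMPUTERNAME (new connections refused)."
}
```

Run it without arguments to get the audit object for the host, and with -Disable on machines that have no business accepting Remote Desktop; the three fields are reported separately because a host can have RDP allowed in the registry yet blocked by the firewall, or vice versa, and an inventory that only checks one of them will miss the other.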

Anti-malware vendors should combat most versions of the threats that GreyEnergy employs. Updated system-scanning utilities will uninstall GreyEnergy's backdoor Trojans, Mimikatz variants, and other tools automatically upon detection.

GreyEnergy is the quieter side of anti-Ukrainian sabotage, preferring to erect tunnels for passing information instead of taking a 'smash and grab' approach. Such decisions are part of why these criminals have received less examination from security researchers, who may chase after higher-profile hackers.
