
Threat Group Cards: A Threat Actor Encyclopedia

Tool: GreyEnergy

Names: GreyEnergy
Category: Malware
Type: ICS malware, Backdoor, Downloader, Tunneling
Description (ESET): This malware requires administrator privileges, which must already have been obtained before this stage is reached. According to our research, the GreyEnergy actors deploy this backdoor mainly on two types of endpoints: servers with high uptime, and workstations used to control ICS environments.

To make communication with command and control (C&C) servers stealthier, the malicious actors may deploy additional software on internal servers in the compromised network, so each server would act as a proxy. Such a proxy C&C redirects requests from infected nodes inside the network to an external C&C server on the internet. This way, it might be less suspicious to a defender who notices that multiple computers are “talking” to an internal server, rather than to a remote server. This technique can also be used by attackers to control the malware in different segments of a compromised network. A similar technique using internal servers as C&C proxies was used by the Duqu 2.0 APT.

If an affected organization has public-facing web servers connected to an internal network, the attackers may deploy “backup” backdoors onto these servers. These backdoors are used to regain access to the network in the event that the main backdoors are detected and removed.
Information: <https://www.welivesecurity.com/wp-content/uploads/2018/10/ESET_GreyEnergy.pdf>
<https://www.eset.com/int/greyenergy-exposed/>
<https://www.nozominetworks.com/2019/02/12/blog/greyenergy-malware-research-paper-maldoc-to-backdoor/>
<https://securelist.com/greyenergys-overlap-with-zebrocy/89506/>
<https://github.com/NozomiNetworks/greyenergy-unpacker>
MITRE ATT&CK: <https://attack.mitre.org/software/S0342/>
Malpedia: <https://malpedia.caad.fkie.fraunhofer.de/details/win.grey_energy>
AlienVault OTX: <https://otx.alienvault.com/browse/pulses?q=tag:greyenergy>

Last change to this tool card: 13 June 2020



All groups using tool GreyEnergy

Changed | Name     | Country | Observed

APT groups

        | TeleBots | Russia  | 2015-Oct 2020

1 group listed (1 APT, 0 other, 0 unknown)

Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency
