A new advanced threat actor is now on the public map of adversaries that target systems in the critical infrastructure sector. The name is GreyEnergy and it shows similarities with the BlackEnergy group.

The GreyEnergy malware has no destructive capabilities at the moment, and it seems focused on espionage and reconnaissance operations on industrial control system workstations running SCADA software and servers.

However, it has a modular architecture, which means that its capabilities can be further expanded.

The plugins observed by security researchers provide capabilities such as backdoor access, file exfiltration, grabbing screenshots, logging keystrokes, and stealing credentials.

Legitimate tools for nefarious purposes

Security researchers at ESET noticed that the initial attack stage uses a different piece of malware, which they call 'GreyEnergy mini' (also known as FELIXROOT) and which does not require administrator privileges.

Its task is to map the network and collect credentials that give the main malware the permissions needed to take complete control of the network. This is achieved with Nmap and Mimikatz, freely available tools designed for security research purposes.

Other legitimate tools used include SysInternals PsExec and WinExe, to perform lateral movement across a compromised network.

Links with BlackEnergy and TeleBots

ESET researchers have been tracking GreyEnergy since 2015, when they discovered it targeted an energy company in Poland. They consider it to be the successor of BlackEnergy and also found a connection with the TeleBots threat group, known for the NotPetya attack in 2017.

The BlackEnergy threat actor is responsible for using the malware of the same name, together with KillDisk, in the cyberattack that caused the December 2015 blackout in Ukraine.

“We have seen GreyEnergy involved in attacks at energy companies and other high-value targets in Ukraine and Poland over the past three years,” says Anton Cherepanov, a senior security researcher at ESET who led the research.

The link with TeleBots, apart from both emerging around the same time, is GreyEnergy's use in 2016 of a piece of destructive malware the researchers call Moonraker Petya. As the name suggests, it is similar to NotPetya, albeit less advanced, which points to a collaboration between GreyEnergy and TeleBots, or at least an exchange of ideas and code.

Built for stealthy operations

Stealth seems to be among GreyEnergy's primary attributes as its command and control (C2) servers communicate only with specific machines on the compromised network, which act as proxies for the infected workstations.

This modus operandi has been seen in Duqu and is designed to hide the espionage activity: the infected computers communicate with an internal server that relays the information to the C2, rather than with an external system, which would be a red flag. It is worth noting that the C2 servers act as Tor relays.

An interesting discovery ESET made concerned one sample of the malware, which was digitally signed with a certificate, most likely stolen, from Advantech, a Taiwanese company that makes industrial equipment and connected devices.

"Since we discovered that exactly the same certificate was used to sign clean, non-malicious software from Advantech, we believe that this certificate was likely stolen. It is worth noting that the discovered sample does not have countersignatures, which means that the digital signature became invalid once the certificate’s validity period had expired," ESET notes in its report.

Malware can be persistent or not

GreyEnergy deploys its malware according to the type of machine it infiltrates. According to ESET's research, one method is to run the malware in the memory of the system. This approach is chosen with servers that have a high uptime, where reboots are rare.

The second type of system is one where the malware needs persistence because reboots are more likely. In this case, an existing service is selected and a new ServiceDLL registry key is added. This method may break the system, so to avoid that outcome the malware dropper first runs a screening process in search of a service that meets a set of requirements.
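The two details above, persistence through a ServiceDLL value on an existing service and a signature that is only as good as the certificate behind it (see the Advantech sample, signed without a countersignature), can both be checked on a Windows host with the same inventory. The script below is an added example written for this article, not code from ESET or from the report; it assumes it is run from an elevated PowerShell session on the machine being examined and that `Get-AuthenticodeSignature` can reach every DLL path it finds.

```powershell
# Added example (not part of ESET's report): list every service that is
# loaded through a ServiceDLL value and describe the DLL it points at, so an
# analyst can spot a DLL that was swapped in under a legitimate service name.
# Assumes an elevated session on the host under review.
function Get-ServiceDllReport {
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    Get-ChildItem -Path $root | ForEach-Object {
        $params = Join-Path -Path $_.PSPath -ChildPath 'Parameters'
        if (-not (Test-Path -Path $params)) { return }

        # ServiceDll lives under <service>\Parameters; skip services without one.
        $dll = (Get-ItemProperty -Path $params -ErrorAction SilentlyContinue).ServiceDll
        if (-not $dll) { return }

        $expanded = [Environment]::ExpandEnvironmentVariables($dll)
        $file = Get-Item -Path $expanded -ErrorAction SilentlyContinue
        $sig  = if ($file) { Get-AuthenticodeSignature -FilePath $expanded -ErrorAction SilentlyContinue }

        $signer = $null; $expires = $null; $countersigned = $false
        if ($sig -and $sig.SignerCertificate) {
            $signer  = $sig.SignerCertificate.Subject
            $expires = $sig.SignerCertificate.NotAfter
            # A timestamp (countersignature) lets a signature outlive the signer
            # certificate; without one, the signature is only valid while the
            # certificate itself is valid.
            $countersigned = [bool]$sig.TimeStamperCertificate
        }

        [PSCustomObject]@{
            Service       = $_.PSChildName
            ServiceDll    = $expanded
            InSystem32    = $expanded -like "$env:SystemRoot\System32\*"
            SigStatus     = if ($sig) { $sig.Status.ToString() } else { 'FileMissing' }
            Signer        = $signer
            SignerExpires = $expires
            Countersigned = $countersigned
            LastWrite     = if ($file) { $file.LastWriteTime } else { $null }
        }
    }
}

# Apply simple triage rules to the inventory and explain why each entry was
# flagged. The rules are this example's own heuristics, not indicators
# published for GreyEnergy.
function Find-SuspiciousServiceDll {
    param([int]$RecentDays = 30)
    $cutoff = (Get-Date).AddDays(-$RecentDays)

    Get-ServiceDllReport | ForEach-Object {
        $reasons = @()
        if ($_.SigStatus -ne 'Valid')     { $reasons += "signature status $($_.SigStatus)" }
        if (-not $_.InSystem32)           { $reasons += 'DLL outside System32' }
        if ($_.LastWrite -and $_.LastWrite -gt $cutoff) { $reasons += "DLL written after $($cutoff.ToShortDateString())" }
        if ($_.Signer -and -not $_.Countersigned -and $_.SignerExpires -lt (Get-Date)) {
            $reasons += 'no countersignature and signer certificate has expired'
        }
        if ($reasons.Count -gt 0) {
            $_ | Add-Member -NotePropertyName Reasons -NotePropertyValue ($reasons -join '; ') -PassThru
        }
    }
}

Find-SuspiciousServiceDll | Sort-Object Service | Format-Table Service, ServiceDll, SigStatus, Countersigned, Reasons -AutoSize
```

The flagged list is a starting point for review, not a verdict: some vendor services legitimately keep their DLL outside System32, and a recently patched component will show a fresh LastWrite. What the output makes easy is comparing a service's DLL path and signer against what that service normally loads, which is exactly the substitution the dropper performs when it adds a ServiceDLL value to an existing service.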

Researchers say that GreyEnergy's purpose is to infiltrate deep into the target's network and collect information. Unlike TeleBots, it is not in the sabotage business, but this does not exclude the possibility of destructive capabilities becoming available at some point.

What is certain, though, is that "the threat actors responsible for GreyEnergy are extremely dangerous in their persistence and stealth," the researchers conclude.