GreyEnergy WeLiveSecurity (PDF mirror)

  • Date: 07 Jun 2020
  • Pages: 31
  • Size: 7.54 MB


GreyEnergy: A successor to BlackEnergy
TLP: WHITE

CONTENTS

  Introduction
  GreyEnergy modus operandi
  GreyEnergy mini
  GreyEnergy malware
    In-memory-only mode
    Service DLL persistence
    Configuration and communication
    GreyEnergy modules
    Anti-reversing and anti-forensics techniques
  Web server backdoors
  Proxy C&C (aka Triungulin)
  Internet-facing C&C servers
  GreyEnergy and BlackEnergy comparison
  Moonraker Petya
  Conclusion
  IoCs
    ESET detection names
    GreyEnergy document
    GreyEnergy mini
    GreyEnergy droppers
    GreyEnergy dropped DLLs
    GreyEnergy in-memory-only DLLs
    Moonraker Petya
    PHP and ASP scripts
    Custom port scanner
    Mimikatz
    GreyEnergy mini C&C addresses
    GreyEnergy C&C addresses

ESET researchers have discovered and analyzed advanced malware, previously undocumented, that has been used in targeted attacks against critical infrastructure organizations in Central and Eastern Europe. The malware, named GreyEnergy by ESET researchers, exhibits many conceptual similarities with BlackEnergy, the malware used in attacks against the Ukrainian energy industry in December 2015. Besides these similarities, there are links that suggest that the group behind GreyEnergy has been working together with the TeleBots group, known in connection with many destructive attacks. This report reveals the activities of the GreyEnergy group over the past few years.

INTRODUCTION

In December 2015 the BlackEnergy group mounted an attack against the Ukrainian energy industry using the BlackEnergy and KillDisk malware families. That was the last known use of the BlackEnergy malware in the wild. Following this attack, the BlackEnergy group evolved into at least two subgroups: TeleBots and GreyEnergy.

The main goal of the TeleBots group is to perform cybersabotage attacks on Ukraine, which are achieved through computer network attack (CNA) operations. The group performed a number of such disruptive attacks, including:

  • A series of attacks in December 2016 using an updated version of the KillDisk malware designed for Windows and Linux OSes
  • The notorious NotPetya attack of June 2017, performed using a sophisticated backdoor that was embedded into the Ukrainian accounting software M.E.Doc
  • The attack using the BadRabbit family in October 2017

ESET researchers have been tracking the activities of the GreyEnergy group for several years. The group is using a unique family of malware that we detect as GreyEnergy. The design and architecture of the malware are very similar to those of the BlackEnergy malware.

Besides the conceptual similarities in the malware itself, there are links that suggest that the group behind the GreyEnergy malware has been working closely with the TeleBots group. Specifically, the GreyEnergy group deployed a NotPetya-like worm in December 2016, and a more advanced version of this malware was used later by the TeleBots group in the notorious June 2017 attack.

We should say that the GreyEnergy group has different goals than the TeleBots group: this group is mostly interested in industrial networks belonging to various critical infrastructure organizations and, unlike TeleBots, the GreyEnergy group is not limited to Ukrainian targets.

In late 2015 we first spotted the GreyEnergy malware targeting an energy company in Poland. Still, as with BlackEnergy and TeleBots, the group's main focus has been on Ukraine. They have primarily shown interest in the energy sector, followed by transportation and other high-value targets. At least one organization that had previously been targeted by BlackEnergy has more recently been under attack by GreyEnergy. The most recently observed use of the GreyEnergy malware was in mid-2018.

The GreyEnergy malware is modular, but unlike Industroyer, we have not seen GreyEnergy incorporate any module capable of affecting industrial control systems (ICS). However, the operators of this malware have, on at least one occasion, deployed a disk-wiping component to disrupt operating processes in the affected organization and to cover their tracks.
One of the most intriguing details discovered during our research is that one of the GreyEnergy samples we found was signed with a valid digital certificate that had likely been stolen from a Taiwanese company that produces ICS equipment. In this respect, the GreyEnergy group has literally followed in Stuxnet's footsteps.

GREYENERGY MODUS OPERANDI

During our tracking of the GreyEnergy group's activity, we have mostly seen the attackers use two initial infection vectors. The first one is relevant for organizations with self-hosted web services: if such a public-facing web service is running on a server that is connected to an internal network, attackers will try to compromise it and then sneak inside the network. The second infection vector is the use of spearphishing emails with malicious attachments.

We have observed that malicious documents have been dropping GreyEnergy mini, a lightweight first-stage backdoor that does not require administrative privileges. After compromising a computer with GreyEnergy mini, attackers map the network and collect passwords in order to obtain domain administrator privileges. With these privileges the attackers can control the whole network. The GreyEnergy group uses fairly standard tools for these tasks: Nmap and Mimikatz.

Once attackers are done with the initial network mapping, they can deploy their flagship backdoor, the main GreyEnergy malware. This malware requires administrator privileges, which must already have been obtained before this stage is reached. According to our research, the GreyEnergy actors deploy this backdoor mainly on two types of endpoints: servers with high uptime, and workstations used to control ICS environments.

To make communication with command and control (C&C) servers stealthier, the malicious actors may deploy additional software on internal servers in the compromised network so that each such server acts as a proxy. Such a proxy C&C redirects requests from infected nodes inside the network to an external C&C server on the internet. This way it might be less suspicious to a defender who notices that multiple computers are talking to an internal server rather than to a remote server. This technique can also be used by attackers to control the malware in different segments of a compromised network. A similar technique, using internal servers as C&C proxies, was used by the Duqu 2.0 APT.

If an affected organization has public-facing web servers connected to an internal network, the attackers may deploy backup backdoors onto these servers. These backdoors are used to regain access to the network in the event that the main backdoors are detected and removed.

All C&C servers we have seen used by the GreyEnergy malware have been Tor relays. Relay addresses are published in the Tor network consensus, so the external end of such a proxy chain is easy for a defender to enrich against.

Figure 1: Simplified scheme of the two network compromise scenarios used by the GreyEnergy group

GREYENERGY MINI

GreyEnergy mini is a lightweight first-stage backdoor that is used by attackers in order to evaluate a compromised computer and gain an initial foothold in the network. Usually, GreyEnergy mini malware is downloaded by a malicious document that was delivered using a spearphishing email. GreyEnergy mini is also known as FELIXROOT.

In September 2017, ESET detected a Microsoft Word decoy document in the Ukrainian language carrying a malicious macro. The decoy document was designed to look like an interactive form, prompting the victim to enable macros in order to fill it in.

Figure 2: Decoy document used by the GreyEnergy group in September 2017

Once the macro is enabled, its code attempts to download and execute a binary from a remote server.

Figure 3: Malicious VBA macro (comments added by ESET)
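The proxy C&C layout described under GreyEnergy modus operandi above (many internal hosts beaconing to one internal server, which in turn talks to a Tor relay) can be surfaced from plain flow data. The following is an added example written for this page, not ESET tooling: the flow records are constructed, and the relay set is a stand-in for the addresses a defender would pull from the published Tor consensus (203.0.113.77 is a TEST-NET address, not a real relay).

```python
"""Fan-in / relay-egress heuristic for the internal proxy-C&C pattern.
Added example for this page; flows and the relay list are constructed."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL_RANGES = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                   ip_network("192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_RANGES)


# Constructed flow records (src, dst, dst_port); not taken from the report.
FLOWS = [
    ("10.1.2.11", "10.1.0.5", 443),
    ("10.1.2.12", "10.1.0.5", 443),
    ("10.1.2.13", "10.1.0.5", 443),
    ("10.1.2.14", "10.1.0.5", 443),
    ("10.1.2.11", "10.1.0.9", 445),        # ordinary file-server traffic
    ("10.1.0.5", "203.0.113.77", 443),     # the "proxy" reaching out
    ("10.1.0.9", "198.51.100.20", 80),     # a server reaching a non-relay host
]

# Constructed stand-in for the Tor relay directory (assumption: in practice this
# set is loaded from the Tor consensus, refreshed regularly).
TOR_RELAYS = {"203.0.113.77"}


def find_proxy_candidates(flows, tor_relays, min_fan_in=3):
    """Return {internal_server: (sorted internal sources, sorted relay dsts)} for
    servers that receive connections from at least min_fan_in internal hosts AND
    themselves connect to an address in tor_relays. Fan-in alone also matches
    legitimate forward proxies; the relay-egress condition is the discriminator."""
    fan_in = defaultdict(set)
    outbound = defaultdict(set)
    for src, dst, _port in flows:
        if is_internal(src) and is_internal(dst):
            fan_in[dst].add(src)
        elif is_internal(src) and not is_internal(dst):
            outbound[src].add(dst)
    hits = {}
    for server, sources in fan_in.items():
        relays = outbound.get(server, set()) & set(tor_relays)
        if len(sources) >= min_fan_in and relays:
            hits[server] = (sorted(sources), sorted(relays))
    return hits


if __name__ == "__main__":
    for server, (sources, relays) in find_proxy_candidates(FLOWS, TOR_RELAYS).items():
        print(f"{server}: {len(sources)} internal clients, egress to Tor relay(s) {relays}")
```

On real data the interesting tuning knob is min_fan_in: a sanctioned web proxy has thousands of clients, whereas a compromised internal server that was never a proxy before suddenly acquiring a handful of clients is the anomaly; pairing this with a baseline of which internal servers historically had outbound internet access makes the check much sharper.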
Interestingly, that document has embedded in its body a link that points to a remote picture. Once the document is opened, it makes an attempt to download that picture; therefore, attackers are notified when the document is opened. This technique allows tracking the success ratio between targets who enabled the malicious macro and those who just opened the document without enabling macros.

Figure 4: A link to an external tracker image in the malicious document

The downloaded executable is a GreyEnergy mini dropper. The dropper writes a malicious DLL in the %APPDATA% folder, using a randomly generated GUID as its name. In addition, the dropper creates a .LNK file with a blank filename in the Startup folder of the Start Menu, with an entry that executes rundll32.exe with the path to the DLL as a command line argument. This is the persistence method used by GreyEnergy mini.

This dropped DLL is the main module of GreyEnergy mini; it is disguised as a legitimate file that belongs to Microsoft Windows.

Figure 5: The GreyEnergy mini DLL disguised as a legitimate Windows DLL

In order to assess the value of a compromised computer, the malware collects as much information as possible and sends the collected data to the C&C. The information collection is performed using WMI Query Language (WQL) and queries to the Windows registry. The following information is collected:

  • Computer name
  • Operating system version, including service pack version
  • Default locale
  • Current Windows user privileges, elevation, UAC level
  • Proxy settings
  • Information about the computer: manufacturer, model, system type
  • Installed security software (antivirus and firewall)
  • List of users and domains
  • List of installed software (obtained from the registry)
  • Information about the network: IP addresses, DHCP server, etc.
  • List of running processes

The malware receives commands from a C&C server. The following commands are supported:

  Command ID   Meaning
  1            Collect information about the computer
  2            Download and run an executable file from the temporary directory
  3            Run a shell command
  4            Uninstall itself from the compromised computer
  5            Download and run a BAT file from the temporary directory
  6            Download a file to the local drive
  7            Upload a file

The configuration of the malware is embedded in JSON format inside the binary and is encoded with a custom algorithm. The encrypted data contains four bytes at the beginning; these bytes are used as the key for an XOR operation to decrypt the rest of the data. Most strings used by the malware are encrypted using this algorithm.

Figure 6: The embedded configuration of the GreyEnergy mini malware, before and after decryption

All GreyEnergy mini configurations we have seen contain both HTTPS and HTTP servers used as C&Cs. This allows attackers to switch to HTTP on targets where HTTPS is not allowed by network or firewall configurations.

The GreyEnergy mini malware shares code similarities with other GreyEnergy malware. In addition to that, both GreyEnergy mini and the main GreyEnergy backdoor shared exactly the same C&C servers.

GREYENERGY MALWARE

The GreyEnergy malware is the flagship backdoor of the GreyEnergy group. The malware samples analyzed here are written in C and compiled using Visual Studio, but without using the standard C run-time library (CRT) functions. Packed samples may contain a forged PE timestamp, but once the samples are unpacked the PE timestamp is zero, representing 1 January 1970.

Figure 7: The PE timestamp of an unpacked GreyEnergy sample

Interestingly, one of the first GreyEnergy malware samples analyzed was digitally signed with a code signing certificate belonging to a company named Advantech. Advantech is a Taiwanese company that produces industrial equipment and IoT hardware. Since we discovered that exactly the same certificate was used to sign clean, non-malicious software from Advantech, we believe that this certificate was likely stolen. It is worth noting that the discovered sample does not carry a timestamp countersignature; without a trusted timestamp proving that the signature was produced while the certificate was still valid, the digital signature became invalid once the certificate's validity period had expired.

Figure 8: Advantech code signing certificate used to sign a GreyEnergy malware sample

The certificate data are as follows:
  Serial Number:    15:f4:8f:98:c5:79:41:00:6f:4c:9a:63:9b:f3:c1:cc
  Not Before:       Feb 10 00:00:00 2014 GMT
  Not After:        Feb 26 23:59:59 2017 GMT
  SHA1 Fingerprint: 97:53:AD:54:DF:6B:D6:73:E0:6C:00:36:3D:34:6A:06:00:7A:0A:9B

We observed that the GreyEnergy malware is usually deployed in two modes: in-memory-only mode, and using Service DLL persistence. The former mode is used when attackers are confident that the malware deployment does not require any persistence at all (e.g. servers with high uptime); the latter mode is used when the malware needs to be able to survive any possible reboot.

In-memory-only mode

For the in-memory-only mode, attackers put a DLL file in a specific folder and then execute it using the Windows application rundll32.exe. We have seen that the attackers are using the Windows Sysinternals PsExec tool locally in order to execute rundll32.exe under the highest possible privileges (NT AUTHORITY\SYSTEM).

Here is an actual command line used in the initial stage of GreyEnergy's in-memory-only execution:

  cmd.exe /c C:\Windows\System32\rundll32.exe C:\Sun\Thumbs.db,#1 CAIAABBmAAAgAAAA8GFGvkHVGDtGRqcl3Z3nYJ9aXCm7TVZX8klEdjacOSU

Note the two things a defender can key on here: the module handed to rundll32.exe is a file with a non-DLL name (Thumbs.db) outside any system directory, and it is invoked by export ordinal (#1) rather than by name, with the trailing token passed to that export as its argument.
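Both rundll32.exe launch patterns on this page, the GreyEnergy mini Startup .LNK that loads a GUID-named DLL from %APPDATA% and the in-memory-only launch of a non-DLL file by export ordinal, fall to the same command-line heuristic. The following is an added example for this page, not ESET tooling: it parses the module and entry point out of a rundll32 command line and scores the signals the report describes. Of the sample lines, only the Thumbs.db one is quoted from the report; the others are constructed (the GUID, user name and AppData path of the "Startup shortcut" line are assumptions about what the report describes, not an observed sample).

```python
"""Heuristic classifier for rundll32.exe command lines (process-creation events
or resolved .lnk targets). Added example for this page; sample lines constructed
except the Thumbs.db line, which is the one the report quotes."""
import re

# module argument: quoted (may contain spaces) or bare (stops at space or comma),
# optionally followed by ",EntryName" or ",#ordinal"
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?\s+(?:"(?P<q>[^"]+)"|(?P<u>[^",\s]+))(?:\s*,\s*(?P<entry>\S+))?',
    re.I)
GUID_RE = re.compile(
    r"\{?[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}?", re.I)
APPDATA_RE = re.compile(r"\\AppData\\Roaming\\|%APPDATA%", re.I)
MODULE_EXTENSIONS = {"dll", "cpl", "ocx", "ax"}   # what rundll32 normally loads

SAMPLE_CMDLINES = [
    # Quoted in the report (GreyEnergy in-memory-only mode):
    r"cmd.exe /c C:\Windows\System32\rundll32.exe C:\Sun\Thumbs.db,#1 CAIAABBmAAAgAAAA8GFGvkHVGDtGRqcl3Z3nYJ9aXCm7TVZX8klEdjacOSU",
    # Constructed: shape of a GreyEnergy mini Startup .lnk target (GUID/path assumed)
    r'C:\Windows\System32\rundll32.exe "C:\Users\alice\AppData\Roaming\8f1c2d3e-4a5b-6c7d-8e9f-0a1b2c3d4e5f",#1',
    # Constructed benign lines
    r"rundll32.exe shell32.dll,Control_RunDLL inetcpl.cpl",
    r'C:\Windows\System32\rundll32.exe "C:\Windows\System32\advpack.dll",LaunchINFSection C:\temp\x.inf,DefaultInstall',
    r"C:\Windows\System32\svchost.exe -k netsvcs",
]


def assess_rundll32(cmdline: str):
    """Return (verdict, reasons). verdict is one of
    'not-rundll32', 'benign-looking', 'review' (one signal), 'suspicious' (two+)."""
    m = RUNDLL_RE.search(cmdline)
    if not m:
        return "not-rundll32", []
    module = m.group("q") or m.group("u")
    entry = m.group("entry") or ""
    name = module.replace("/", "\\").rsplit("\\", 1)[-1]
    stem, ext = name.rsplit(".", 1) if "." in name else (name, "")
    reasons = []
    if ext.lower() not in MODULE_EXTENSIONS:
        reasons.append(f"non-DLL extension: .{ext or '<none>'}")
    if APPDATA_RE.search(module):
        reasons.append("module loaded from user-writable AppData")
    if GUID_RE.fullmatch(stem):
        reasons.append("GUID-named module")
    if entry.startswith("#"):
        # by-ordinal calls exist in legitimate shortcuts too, so this alone is
        # only worth a review, not an alert
        reasons.append(f"export called by ordinal {entry}")
    verdict = ("suspicious" if len(reasons) >= 2
               else "review" if reasons else "benign-looking")
    return verdict, reasons


def scan(cmdlines):
    """Classify many lines; returns {cmdline: (verdict, reasons)}."""
    return {c: assess_rundll32(c) for c in cmdlines}


if __name__ == "__main__":
    for line, (verdict, reasons) in scan(SAMPLE_CMDLINES).items():
        print(f"[{verdict}] {line[:70]}")
        for r in reasons:
            print("    -", r)
```

For the Startup-folder case, feed the heuristic the resolved target and arguments of every .lnk under each user's Start Menu\Programs\Startup (a shortcut with an empty display name, as the report describes, is itself worth flagging), and for the in-memory-only case feed it process-creation events where the parent is PsExec's service or cmd.exe running as SYSTEM.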
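The GreyEnergy mini configuration encoding described under GREYENERGY MINI above (a JSON object, prefixed by four key bytes that are XORed over the rest) is simple enough to reimplement, and because the plaintext is known to start with "{" the same idea also locates encoded blobs inside an unpacked binary without knowing their offset. The following is an added example written for this page, not ESET's tooling. It assumes the four key bytes are applied cyclically (byte i is XORed with key[i mod 4]); the report does not state the key schedule, so adjust decode_blob if a sample disagrees. The configuration fields, key and filler bytes below are constructed, not taken from a real sample.

```python
"""Decoder and binary scanner for the GreyEnergy mini 4-byte-key XOR config
encoding. Added example for this page; key schedule (cyclic) is an assumption,
and SAMPLE_CONFIG / SAMPLE_KEY / SAMPLE_BINARY are constructed test data."""
import json


def decode_blob(blob: bytes) -> bytes:
    """First four bytes are the key; XOR them cyclically over the remainder."""
    if len(blob) < 4:
        raise ValueError("blob shorter than the 4-byte key")
    key, body = blob[:4], blob[4:]
    return bytes(b ^ key[i % 4] for i, b in enumerate(body))


def encode_blob(plain: bytes, key: bytes) -> bytes:
    """Inverse of decode_blob (XOR is symmetric); used here to build test data."""
    if len(key) != 4:
        raise ValueError("key must be exactly 4 bytes")
    return key + bytes(b ^ key[i % 4] for i, b in enumerate(plain))


def decode_config(blob: bytes) -> dict:
    """Decode and parse the embedded JSON configuration."""
    cfg = json.loads(decode_blob(blob).decode("utf-8"))
    if not isinstance(cfg, dict):
        raise ValueError("decoded data is not a JSON object")
    return cfg


def find_configs(data: bytes, min_len: int = 16):
    """Known-plaintext scan: at offset off the key is data[off:off+4], so the
    first plaintext byte must satisfy data[off+4] ^ key[0] == '{'. Candidates
    are decoded forward until a '}' yields a parseable JSON object."""
    hits = []
    off = 0
    while off + 5 <= len(data):
        key = data[off:off + 4]
        if data[off + 4] ^ key[0] != ord("{"):
            off += 1
            continue
        decoded = bytearray()
        found = None
        for i, b in enumerate(data[off + 4:]):
            c = b ^ key[i % 4]
            if c < 0x20 and c not in (9, 10, 13):
                break                       # control byte: not text, abandon offset
            decoded.append(c)
            if c == ord("}"):               # candidate end of the object
                try:
                    cfg = json.loads(decoded.decode("utf-8"))
                except ValueError:          # includes JSONDecodeError
                    continue                # '}' inside a nested object/string
                if isinstance(cfg, dict) and len(decoded) >= min_len:
                    found = cfg
                break
            if len(decoded) > 65536:
                break
        if found is not None:
            hits.append((off, found))
            off += 4 + len(decoded)         # skip past the blob we just decoded
        else:
            off += 1
    return hits


# Constructed stand-in configuration; field names are assumptions, not a sample's.
SAMPLE_CONFIG = {"servers": ["https://203.0.113.10/", "http://203.0.113.10/"],
                 "interval": 60}
SAMPLE_KEY = bytes.fromhex("7a3c91e5")
# Constructed "binary": 512 filler bytes, the encoded config, then padding.
SAMPLE_BINARY = (bytes(range(256)) * 2
                 + encode_blob(json.dumps(SAMPLE_CONFIG).encode(), SAMPLE_KEY)
                 + b"\x00" * 64)


if __name__ == "__main__":
    for offset, cfg in find_configs(SAMPLE_BINARY):
        print(f"config at 0x{offset:x}: {cfg}")
```

Since the report says most of the malware's strings use the same scheme, the scanner is worth generalising to other known prefixes (for example "http") once a real sample confirms the key schedule; note that an HTTP fallback C&C in the decoded list is expected, as the report says every configuration carries both HTTPS and HTTP servers.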
