Register to stream ATT&CKcon 2.0 October 29-30


GreyEnergy is a backdoor written in C and compiled in Visual Studio. GreyEnergy shares similarities with the BlackEnergy malware and is thought to be the successor of it.[1]

ID: S0342
Platforms: Windows
Version: 1.0

Techniques Used

Domain ID Name Use
Enterprise T1116 Code Signing GreyEnergy digitally signs the malware with a code-signing certificate. [1]
Enterprise T1059 Command-Line Interface GreyEnergy uses cmd.exe to execute itself in-memory. [1]
Enterprise T1003 Credential Dumping GreyEnergy has a module for Mimikatz to collect Windows credentials from the victim’s machine. [1]
Enterprise T1107 File Deletion GreyEnergy can securely delete a file by hooking into the DeleteFileA and DeleteFileW functions in the Windows API. [1]
Enterprise T1056 Input Capture GreyEnergy has a module to harvest pressed keystrokes. [1]
Enterprise T1031 Modify Existing Service GreyEnergy chooses a service, drops a DLL file, and writes it to that serviceDLL Registry key. [1]
Enterprise T1112 Modify Registry GreyEnergy modifies conditions in the Registry and adds keys. [1]
Enterprise T1188 Multi-hop Proxy GreyEnergy has used Tor relays for Command and Control servers. [1]
Enterprise T1027 Obfuscated Files or Information GreyEnergy encrypts its configuration files with AES-256 and also encrypts its strings. [1]
Enterprise T1055 Process Injection GreyEnergy has a module to inject a PE binary into a remote process. [1]
Enterprise T1105 Remote File Copy GreyEnergy can download additional modules and payloads. [1]
Enterprise T1085 Rundll32 GreyEnergy uses PsExec locally in order to execute rundll32.exe at the highest privileges (NTAUTHORITY\SYSTEM). [1]
Enterprise T1045 Software Packing GreyEnergy is packed for obfuscation. [1]
Enterprise T1071 Standard Application Layer Protocol GreyEnergy uses HTTP and HTTPS for C2 communications. [1]
Enterprise T1032 Standard Cryptographic Protocol GreyEnergy encrypts communications using AES256 and RSA-2048. [1]
Enterprise T1007 System Service Discovery GreyEnergy enumerates all Windows services. [1]