GreyEnergy is a backdoor written in C and compiled in Visual Studio. GreyEnergy shares similarities with the BlackEnergy malware and is thought to be its successor.[1]

ID: S0342
Platforms: Windows

Version: 1.0

Techniques Used

Domain | ID | Name | Use
Enterprise | T1116 | Code Signing | GreyEnergy digitally signs the malware with a code-signing certificate.[1]
Enterprise | T1059 | Command-Line Interface | GreyEnergy uses cmd.exe to execute itself in memory.[1]
Enterprise | T1003 | Credential Dumping | GreyEnergy has a Mimikatz module to collect Windows credentials from the victim's machine.[1]
Enterprise | T1107 | File Deletion | GreyEnergy can securely delete a file by hooking the DeleteFileA and DeleteFileW functions in the Windows API.[1]
Enterprise | T1056 | Input Capture | GreyEnergy has a module that harvests keystrokes.[1]
Enterprise | T1031 | Modify Existing Service | GreyEnergy chooses a service, drops a DLL file, and writes its path to that service's ServiceDll Registry value.[1]
Enterprise | T1112 | Modify Registry | GreyEnergy modifies conditions in the Registry and adds keys.[1]
Enterprise | T1188 | Multi-hop Proxy | GreyEnergy has used Tor relays for its Command and Control servers.[1]
Enterprise | T1027 | Obfuscated Files or Information | GreyEnergy encrypts its configuration files with AES-256 and also encrypts its strings.[1]
Enterprise | T1055 | Process Injection | GreyEnergy has a module to inject a PE binary into a remote process.[1]
Enterprise | T1105 | Remote File Copy | GreyEnergy can download additional modules and payloads.[1]
Enterprise | T1085 | Rundll32 | GreyEnergy uses PsExec locally to execute rundll32.exe at the highest privilege level (NT AUTHORITY\SYSTEM).[1]
Enterprise | T1045 | Software Packing | GreyEnergy is packed for obfuscation.[1]
Enterprise | T1071 | Standard Application Layer Protocol | GreyEnergy uses HTTP and HTTPS for C2 communications.[1]
Enterprise | T1032 | Standard Cryptographic Protocol | GreyEnergy encrypts communications using AES-256 and RSA-2048.[1]
Enterprise | T1007 | System Service Discovery | GreyEnergy enumerates all Windows services.[1]
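The T1031 row above describes the persistence that matters most for defenders: a ServiceDll value repointed at a dropped DLL. The script below is an added example (not from the ATT&CK page or the ESET report) that audits every service's ServiceDll on a Windows host and flags entries that a hunter would want to review. Because the T1116 row notes that GreyEnergy's DLL carries a code-signing certificate, a valid Authenticode signature alone is not treated as proof of benignity; the path and the file's modification time are reported alongside it. It assumes an elevated PowerShell session on the host being checked.

```powershell
# Added example: audit ServiceDll values under HKLM\SYSTEM\CurrentControlSet\Services.
# Flags DLLs that live outside %SystemRoot%, are unsigned, or were written recently,
# since a signed-but-unexpected DLL is exactly the pattern the T1116/T1031 rows describe.
$systemRoot = [Environment]::GetFolderPath('Windows')
$recentDays = 30   # constructed threshold; tune to the environment

$findings = foreach ($svc in Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services') {
    # ServiceDll normally sits under <service>\Parameters, but some services keep it on the service key itself.
    $dll = $null
    foreach ($keyPath in @("$($svc.PSPath)\Parameters", $svc.PSPath)) {
        $prop = Get-ItemProperty -Path $keyPath -Name ServiceDll -ErrorAction SilentlyContinue
        if ($prop -and $prop.ServiceDll) { $dll = [Environment]::ExpandEnvironmentVariables($prop.ServiceDll); break }
    }
    if (-not $dll) { continue }

    $reasons = @()
    if ($dll -notlike "$systemRoot\*") { $reasons += 'outside-SystemRoot' }

    if (Test-Path -LiteralPath $dll) {
        $file = Get-Item -LiteralPath $dll
        if ($file.LastWriteTime -gt (Get-Date).AddDays(-$recentDays)) { $reasons += 'recently-modified' }
        $sig = Get-AuthenticodeSignature -FilePath $dll
        if ($sig.Status -ne 'Valid') { $reasons += "signature-$($sig.Status)" }
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    } else {
        $reasons += 'dll-missing-on-disk'
        $signer = ''
    }

    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            Service = $svc.PSChildName
            ServiceDll = $dll
            Signer = $signer
            Reasons = ($reasons -join ',')
        }
    }
}

# Review the flagged services; compare Signer against the publishers you expect for each service.
$findings | Sort-Object Reasons | Format-Table -AutoSize
```

Legitimate third-party services will appear in the output too, so treat the list as triage input; a service whose DLL was modified recently and whose signer is unfamiliar deserves a look regardless of whether the signature validates.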