S0342 GreyEnergy
GreyEnergy is a backdoor written in C and compiled in Visual Studio. It shares similarities with the BlackEnergy malware and is thought to be its successor.1
Item | Value |
---|---|
ID | S0342 |
Associated Names | |
Type | MALWARE |
Version | 1.1 |
Created | 30 January 2019 |
Last Modified | 30 March 2020 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1071 | Application Layer Protocol | - |
enterprise | T1071.001 | Web Protocols | GreyEnergy uses HTTP and HTTPS for C2 communications.1 |
enterprise | T1059 | Command and Scripting Interpreter | - |
enterprise | T1059.003 | Windows Command Shell | GreyEnergy uses cmd.exe to execute itself in-memory.1 |
enterprise | T1543 | Create or Modify System Process | - |
enterprise | T1543.003 | Windows Service | GreyEnergy chooses an existing service, drops a DLL file, and writes the DLL's path to that service's ServiceDll Registry value, so the service host loads the malicious DLL in place of the legitimate one.1 |
enterprise | T1573 | Encrypted Channel | - |
enterprise | T1573.001 | Symmetric Cryptography | GreyEnergy encrypts communications using AES-256.1 |
enterprise | T1573.002 | Asymmetric Cryptography | GreyEnergy encrypts communications using RSA-2048.1 |
enterprise | T1070 | Indicator Removal | - |
enterprise | T1070.004 | File Deletion | GreyEnergy can securely delete a file by hooking into the DeleteFileA and DeleteFileW functions in the Windows API.1 |
enterprise | T1105 | Ingress Tool Transfer | GreyEnergy can download additional modules and payloads.1 |
enterprise | T1056 | Input Capture | - |
enterprise | T1056.001 | Keylogging | GreyEnergy has a module to harvest pressed keystrokes.1 |
enterprise | T1112 | Modify Registry | GreyEnergy modifies existing Registry values and adds new keys.1 |
enterprise | T1027 | Obfuscated Files or Information | GreyEnergy encrypts its configuration files with AES-256 and also encrypts its strings.1 |
enterprise | T1027.002 | Software Packing | GreyEnergy is packed for obfuscation.1 |
enterprise | T1003 | OS Credential Dumping | - |
enterprise | T1003.001 | LSASS Memory | GreyEnergy includes a Mimikatz module to collect Windows credentials from the victim's machine.1 |
enterprise | T1055 | Process Injection | - |
enterprise | T1055.002 | Portable Executable Injection | GreyEnergy has a module to inject a PE binary into a remote process.1 |
enterprise | T1090 | Proxy | - |
enterprise | T1090.003 | Multi-hop Proxy | GreyEnergy has used Tor relays for Command and Control servers.1 |
enterprise | T1553 | Subvert Trust Controls | - |
enterprise | T1553.002 | Code Signing | GreyEnergy digitally signs the malware with a code-signing certificate.1 |
enterprise | T1218 | System Binary Proxy Execution | - |
enterprise | T1218.011 | Rundll32 | GreyEnergy uses PsExec locally in order to execute rundll32.exe at the highest privileges (NT AUTHORITY\SYSTEM).1 |
enterprise | T1007 | System Service Discovery | GreyEnergy enumerates all Windows services.1 |
Groups That Use This Software
ID | Name | References |
---|---|---|
G0034 | Sandworm Team | 2 |