
S0342 GreyEnergy

GreyEnergy is a backdoor written in C and compiled in Visual Studio. GreyEnergy shares similarities with the BlackEnergy malware and is thought to be its successor. [1]

Item Value
ID S0342
Associated Names
Version 1.1
Created 30 January 2019
Last Modified 30 March 2020

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols GreyEnergy uses HTTP and HTTPS for C2 communications. [1]
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.003 Windows Command Shell GreyEnergy uses cmd.exe to execute itself in memory. [1]
enterprise T1543 Create or Modify System Process -
enterprise T1543.003 Windows Service GreyEnergy chooses a service, drops a DLL file, and writes it to that service's ServiceDll Registry key. [1]
enterprise T1573 Encrypted Channel -
enterprise T1573.001 Symmetric Cryptography GreyEnergy encrypts communications using AES-256. [1]
enterprise T1573.002 Asymmetric Cryptography GreyEnergy encrypts communications using RSA-2048. [1]
enterprise T1070 Indicator Removal -
enterprise T1070.004 File Deletion GreyEnergy can securely delete a file by hooking into the DeleteFileA and DeleteFileW functions in the Windows API. [1]
enterprise T1105 Ingress Tool Transfer GreyEnergy can download additional modules and payloads. [1]
enterprise T1056 Input Capture -
enterprise T1056.001 Keylogging GreyEnergy has a module to harvest pressed keystrokes. [1]
enterprise T1112 Modify Registry GreyEnergy modifies conditions in the Registry and adds keys. [1]
enterprise T1027 Obfuscated Files or Information GreyEnergy encrypts its configuration files with AES-256 and also encrypts its strings. [1]
enterprise T1027.002 Software Packing GreyEnergy is packed for obfuscation. [1]
enterprise T1003 OS Credential Dumping -
enterprise T1003.001 LSASS Memory GreyEnergy has a module for Mimikatz to collect Windows credentials from the victim's machine. [1]
enterprise T1055 Process Injection -
enterprise T1055.002 Portable Executable Injection GreyEnergy has a module to inject a PE binary into a remote process. [1]
enterprise T1090 Proxy -
enterprise T1090.003 Multi-hop Proxy GreyEnergy has used Tor relays for Command and Control servers. [1]
enterprise T1553 Subvert Trust Controls -
enterprise T1553.002 Code Signing GreyEnergy digitally signs the malware with a code-signing certificate. [1]
enterprise T1218 System Binary Proxy Execution -
enterprise T1218.011 Rundll32 GreyEnergy uses PsExec locally in order to execute rundll32.exe at the highest privileges (NT AUTHORITY\SYSTEM). [1]
enterprise T1007 System Service Discovery GreyEnergy enumerates all Windows services. [1]

Groups That Use This Software

ID Name References
G0034 Sandworm Team [2]