Cybersecurity research firm ESET claims it has uncovered details of the successor of the BlackEnergy APT group, whose main toolset was last seen in December 2015 when it caused outages in Ukraine’s electric grid. ESET reports it started detecting another malware around that time, dubbed “GreyEnergy,” which it says has been used against energy companies and other high-value targets in Ukraine and Poland for the past three years although it remained undocumented because its activies weren’t destructive in nature. Compared to BlackEnergy, GreyEnergy is a more modern toolkit with an even greater focus on stealth. One basic stealth technique – employed by both families – is to push only selected modules to selected targets, and only when needed. On top of that, some GreyEnergy modules are partially encrypted and some remain fileless – running only in memory – with the intention of hindering analysis and detection. To cover their tracks, typically, GreyEnergy’s operators securely wipe the malware components from the victims’ hard drives. ESET’s analysis includes additional comparisons of GreyEnergy to BlackEnergy and further details of the former malware’s tactics, techniques, and procedures. ESET.
H2Oex: In Person 1 day event/exercise. Thurs Dec 5th. Washington DC. Join us!