GreyEnergy is a backdoor written in C and compiled in Visual Studio. GreyEnergy shares similarities with the BlackEnergy malware and is thought to be its successor.[1]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1090.003 | Proxy: Multi-hop Proxy | GreyEnergy has used Tor relays for Command and Control servers.[1] |
| Enterprise | T1112 | Modify Registry | GreyEnergy modifies conditions in the Registry and adds keys.[1] |
| Enterprise | T1543.003 | Create or Modify System Process: Windows Service | GreyEnergy chooses a service, drops a DLL file, and writes it to that serviceDLL Registry key.[1] |
| Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | GreyEnergy encrypts communications using AES256.[1] |
| Enterprise | T1573.002 | Encrypted Channel: Asymmetric Cryptography | GreyEnergy encrypts communications using RSA-2048.[1] |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | GreyEnergy uses cmd.exe to execute itself in-memory.[1] |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | GreyEnergy uses HTTP and HTTPS for C2 communications.[1] |
| Enterprise | T1003.001 | OS Credential Dumping: LSASS Memory | GreyEnergy has a module for Mimikatz to collect Windows credentials from the victim’s machine.[1] |
| Enterprise | T1027.002 | Obfuscated Files or Information: Software Packing | GreyEnergy is packed for obfuscation.[1] |
| Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | GreyEnergy encrypts its configuration files with AES-256 and also encrypts its strings.[1] |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | GreyEnergy can securely delete a file by hooking into the DeleteFileA and DeleteFileW functions in the Windows API.[1] |
| Enterprise | T1218.011 | System Binary Proxy Execution: Rundll32 | GreyEnergy uses PsExec locally in order to execute rundll32.exe at the highest privileges (NTAUTHORITY\SYSTEM).[1] |
| Enterprise | T1007 | System Service Discovery | GreyEnergy enumerates all Windows services.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | GreyEnergy can download additional modules and payloads.[1] |
| Enterprise | T1056.001 | Input Capture: Keylogging | GreyEnergy has a module to harvest pressed keystrokes.[1] |
| Enterprise | T1055.002 | Process Injection: Portable Executable Injection | GreyEnergy has a module to inject a PE binary into a remote process.[1] |
| Enterprise | T1553.002 | Subvert Trust Controls: Code Signing | GreyEnergy digitally signs the malware with a code-signing certificate.[1] |

| ID | Name | References |
|---|---|---|
| G0034 | Sandworm Team | |