GreyEnergy, an APT discovered last year by ESET, has now been cracked to reveal its complex functionalities. Alessandro Di Pinto, a security researcher at Nozomi Networks, studied the malware in detail and uncovered advanced techniques employed by GreyEnergy.
In his research paper, Di Pinto delves into the ‘packer’ component downloaded from the spam email. This packer used a slew of anti-analysis techniques to evade detection in computers.
Playing hard to analyze
Anti-analysis techniques used by the malware included JMP instructions which function as overlapping instructions. In addition, junk code was used to confuse anyone analyzing the packer. Di Pinto relied on a dynamic analysis approach to discover GreyEnergy’s anti-analysis techniques. The researcher found out that the malware was using custom algorithms to hide malicious components.
“Once complete, my analysis showed that the GreyEnergy packer is robust and capable of significantly slowing down the reverse engineering process. The techniques used are not new, but both the tools and the tactics employed were cleverly selected. The threat actors’ broad use of anti-forensic techniques underlines their attempt to be stealthy and ensure that the infection would go unnoticed,” wrote Di Pinto in his blog.
In 2015, GreyEnergy targeted an energy company in Poland, following which its activity was sporadic. Its core targets have been the energy and transportation sectors across Europe. Moreover, it is believed to be a successor of the infamous BlackEnergy group which wreaked havoc on the Ukrainian energy industry in late 2015.
Unlike other APTs, GreyEnergy has not affected industrial control systems (ICS) which would have impacted industries significantly, on a global level.