Phishing Used to Launch GreyEnergy's ICS Attacks

Written by

The advanced persistent threat (APT) group GreyEnergy has been targeting industrial networks across Ukraine and Eastern Europe for years, and according to analysis of the group’s activity, the attacks begin with a malicious document sent in a phishing email.

Nozomi Networks performed analysis on the GreyEnergy advanced ICS malware and found that the tools and tactics used by the threat actors allowed the group to stay under the radar of typical anomaly detection tools for a long time.

Found in Ukraine and Poland, the GreyEnergy ICS malware successfully infected its targets using a phishing email that included a suspicious looking – and indeed malicious – word document written in Ukranian, according to Alessandro Di Pinto, security researcher at Nozomi Networks. While there is a security warning at the top of the page, within the security warning is a box asking the user to "enable content" – a clear attempt to trick the user.

The message also encourages viewers to fill in the fake interactive form included within the email. While the phishing email is common, “The malware’s code is anything but common – it is well written and smartly put together and is designed to defeat detection by cybersecurity products,” Di Pinto wrote.

In analyzing how the document works, Di Pinto found that once opened, it tries to load a remote image, which happens before the viewer enables the macros. The malicious code is easily decompressed and extracted using the oledump tool, according to Di Pinto.

“Having completed my analysis, it’s evident that the GreyEnergy packer does a great job of slowing down the reverse engineering process. The techniques used are not new, but both the tools and the tactics employed were wisely selected,” Di Pinto wrote.

“For example, the threat actor chose to implement custom algorithms that are not too difficult to defeat, but they are hard enough to protect the malicious payload. Additionally, the broad use of anti-forensic techniques, such as the wiping of in-memory strings, underline the attacker’s attempt to stay stealthy and have the infection go unnoticed."

What’s Hot on Infosecurity Magazine?