
GreyEnergy Malware

Researchers at Cybaze-Yoroi ZLAB have published details on a GreyEnergy malware implant, also dubbed “FELIXROOT”. GreyEnergy is part of the cyber arsenal of the BlackEnergy / Sandworm APT group, which was responsible for the Ukraine power grid cyber incident back in 2015. The malware spreads via perimeter breaches and spear-phishing emails with malicious attachments. Its architecture is modular, and it is capable of obtaining new modules from its C2 servers.

Analysis revealed the use of evasion techniques, such as long sleep periods. Once the malware becomes active, it contacts the C2 server and exfiltrates details of the compromised system (computer name, user name, volume serial number, Windows version, processor architecture, and others) via HTTP POST requests protected with SSL encryption. For technical details, review Cybaze-Yoroi’s article in its entirety, linked below.

The remote destination is 217.12.204.100, an address owned by a Ukrainian contractor and manufacturing company.

Indicators of Compromise

Filename / Description

  • module.1620.3e25bb98.58d10000.dll / FELIXROOT 2019

SHA-256

  • 1bb78a73f28617bf8209dae0be4ced07dcd44420b541d7147a0f978237f9b3e2

IP

  • 217.12.204.100
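The following is an added example, not code from the Cybaze-Yoroi report or the original post: it sweeps Squid-style proxy log lines for contacts with the C2 address listed above, reports the gap between successive contacts from each internal host (the long sleep periods described above show up as large gaps), and checks a file's SHA-256 against the listed hash. The log lines and the file bytes are constructed for the example.

```python
import hashlib
import re

# Indicators taken from the IoC list on this page.
IOC_IPS = {"217.12.204.100"}
IOC_SHA256 = {"1bb78a73f28617bf8209dae0be4ced07dcd44420b541d7147a0f978237f9b3e2"}

# Constructed Squid-style access log lines (not real traffic).
SAMPLE_LOG = """\
1547890000.123 200 10.0.0.5 TCP_TUNNEL/200 1890 CONNECT 217.12.204.100:443 - HIER_DIRECT/217.12.204.100 -
1547890010.456 150 10.0.0.7 TCP_MISS/200 512 GET http://example.com/index.html - HIER_DIRECT/93.184.216.34 text/html
1547900800.789 210 10.0.0.5 TCP_TUNNEL/200 2040 CONNECT 217.12.204.100:443 - HIER_DIRECT/217.12.204.100 -
"""

# Fields: unix timestamp, duration, client IP, result code, bytes, method, URL/host:port
LINE_RE = re.compile(r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<src>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)")


def parse_line(line):
    """Return {ts, src, method, host} for one log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    url = m.group("url")
    # "CONNECT host:443" has no scheme; "GET http://host/path" does. Strip both forms to a bare host.
    host = url.split("://", 1)[-1].split("/", 1)[0].rsplit(":", 1)[0]
    return {"ts": float(m.group("ts")), "src": m.group("src"), "method": m.group("method"), "host": host}


def find_ioc_hits(log_text):
    """All parsed records whose destination host is one of the listed C2 addresses."""
    records = (parse_line(line) for line in log_text.splitlines())
    return [r for r in records if r and r["host"] in IOC_IPS]


def beacon_intervals(hits):
    """Seconds between consecutive C2 contacts, grouped by internal source host."""
    by_src = {}
    for h in sorted(hits, key=lambda r: r["ts"]):
        by_src.setdefault(h["src"], []).append(h["ts"])
    return {src: [b - a for a, b in zip(ts, ts[1:])] for src, ts in by_src.items()}


def matches_ioc_hash(data):
    """True if the SHA-256 of the given file bytes is on the indicator list."""
    return hashlib.sha256(data).hexdigest() in IOC_SHA256
```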

Duncan

Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.
