Incident Response, Malware, TDR

GreyEnergy threat group linked to Zebrocy

Kaspersky researchers have discovered overlap between the GreyEnergy threat group, considered the successor to BlackEnergy, and the Sofacy subset Zebrocy.

Researchers described GreyEnergy and BlackEnergy as an advanced threat group that possesses extensive knowledge of penetrating their victims' networks and exploiting any available vulnerabilities. The threat actor is also known for updating its tools and infrastructure to avoid detection, tracking and attribution.

Most recently, the GreyEnergy malware was spotted attacking industrial and ICS targets, mainly in Ukraine, while Zebrocy has mainly targeted government agencies widely spread across the Middle East, Europe and Asia, according to a Jan. 24 blog post.

Zebrocy samples were found to use the same C2 servers that were also used by a spearphishing email attachment sent by GreyEnergy. Both threat groups also used another server in a GreyEnergy spearphishing document that exploited the CVE-2017-11882 vulnerability, and both GreyEnergy and Zebrocy spearphishing documents targeted a number of industrial companies in Kazakhstan.

“A spearphishing document entitled ‘Seminar.rtf’, which retrieved a GreyEnergy sample, was sent to the company approximately on June 21, 2018, followed by a Zebrocy spearphishing document sent approximately on June 28,” researchers said in the report. “The two C2 servers discussed above were actively used by Zebrocy and GreyEnergy almost at the same time.”

While researchers said there currently is no evidence of the origins of GreyEnergy, the links between Zebrocy and GreyEnergy suggest that these groups are related.
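The attribution argument above rests on two observations: the same C2 servers appear in samples from both groups, and the uses fall close together in time (June 21 and June 28, 2018). The following Python script is an added example, not code from Kaspersky or the article, showing how a defender can run that overlap check over their own indicator records. The sample records, hostnames (`c2-host-1.example` and so on) and the 30-day window are constructed for illustration; the report's actual indicators are not reproduced here.

```python
from collections import defaultdict
from datetime import date

# Constructed records (hypothetical, not the report's real indicators): each entry
# is one spearphishing document or payload, the group it was attributed to, when it
# was seen, and the infrastructure it contacted.
SAMPLES = [
    {"id": "doc-a", "actor": "GreyEnergy", "seen": date(2018, 6, 21),
     "indicators": {"c2-host-1.example", "c2-host-2.example"}},
    {"id": "doc-b", "actor": "Zebrocy", "seen": date(2018, 6, 28),
     "indicators": {"c2-host-1.example", "c2-host-2.example", "zebrocy-only.example"}},
    {"id": "doc-c", "actor": "GreyEnergy", "seen": date(2018, 5, 2),
     "indicators": {"c2-host-3.example"}},
    {"id": "doc-d", "actor": "Zebrocy", "seen": date(2018, 9, 15),
     "indicators": {"c2-host-3.example"}},
]


def index_by_indicator(samples):
    """Map each indicator (C2 host) to every sample that used it."""
    idx = defaultdict(list)
    for s in samples:
        for ind in s["indicators"]:
            idx[ind].append(s)
    return idx


def shared_infrastructure(samples, window_days=30):
    """Return indicators used by more than one actor.

    For each shared indicator, record which actors and samples used it, how many
    days separate the earliest and latest use, and whether that span fits inside
    window_days. Concurrent use is a stronger signal than reuse months apart,
    since infrastructure can change hands over time.
    """
    results = {}
    for ind, users in index_by_indicator(samples).items():
        actors = {u["actor"] for u in users}
        if len(actors) < 2:
            continue  # single-actor infrastructure is not an overlap
        dates = [u["seen"] for u in users]
        span = (max(dates) - min(dates)).days
        results[ind] = {
            "actors": sorted(actors),
            "samples": sorted(u["id"] for u in users),
            "span_days": span,
            "concurrent": span <= window_days,
        }
    return results


def summarize(samples, window_days=30):
    """Count how many shared indicators show concurrent use versus distant reuse."""
    shared = shared_infrastructure(samples, window_days)
    concurrent = sum(1 for r in shared.values() if r["concurrent"])
    return {"shared": len(shared), "concurrent": concurrent,
            "distant": len(shared) - concurrent}


if __name__ == "__main__":
    for ind, info in sorted(shared_infrastructure(SAMPLES).items()):
        flag = "concurrent" if info["concurrent"] else "distant reuse"
        print(f"{ind}: {', '.join(info['actors'])} via {info['samples']} "
              f"({info['span_days']} days apart, {flag})")
    print(summarize(SAMPLES))
```

The window is a tuning knob rather than a rule: the report treats a one-week gap as "almost at the same time", while a server shared months apart (as with the constructed `c2-host-3.example`) is weaker evidence and is worth flagging separately rather than folding into the same conclusion.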
