25 January 19, 09:14
(This post was last modified: 25 January 19, 11:50 by harlan4096.)
![[Image: 190123-GreyEnergy_overlap-2.png]](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/01/23125807/190123-GreyEnergy_overlap-2.png)
Quote:
In October 2018, ESET published a report describing a set of activity they called GreyEnergy, which is believed to be a successor to the BlackEnergy group. BlackEnergy (a.k.a. Sandworm) is best known, among other things, for having been involved in attacks against Ukrainian energy facilities in 2015, which led to power outages. Like its predecessor, GreyEnergy malware has been detected attacking industrial and ICS targets, mainly in Ukraine.
Kaspersky Lab ICS CERT has identified an overlap between GreyEnergy and a Sofacy subset called “Zebrocy”. The Zebrocy activity was named after malware that the Sofacy group began to use in mid-November 2015 for the post-exploitation stage of attacks on its victims. Zebrocy’s targets are widely spread across the Middle East, Europe and Asia, and the targets’ profiles are mostly government-related.
Both sets of activity used the same servers at the same time and targeted the same organization.
Details
Servers
In our private APT Intel report from July 2018 “Zebrocy implements new VBA anti-sandboxing tricks”, details were provided about different Zebrocy C2 servers, including 193.23.181[.]151.
In the course of our research, the following Zebrocy samples were found to use the same server to download additional components (MD5):
7f20f7fbce9deee893dbce1a1b62827d
170d2721b91482e5cabf3d2fec091151
eae0b8997c82ebd93e999d4ce14dedf5
a5cbf5a131e84cd2c0a11fca5ddaa50a
c9e1b0628ac62e5cb01bf1fa30ac8317
Full reading:
https://securelist.com/greyenergys-overl...ocy/89506/
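The post lists a shared C2 address (defanged as 193.23.181[.]151) and five sample MD5s. A practitioner would normally turn such a list straight into a sweep of file hashes and proxy logs. The script below is an added example, not code from Kaspersky or from the poster; only the hashes and the C2 address are taken from the post. The log lines and file contents are constructed for the demo, the function names are my own, and the boundary check in the regex is there because a plain substring search for a shorter watch-listed address such as 193.23.181.15 would also fire on 193.23.181.151.

```python
"""IOC sweep for the GreyEnergy/Zebrocy overlap indicators quoted above.

Added example, not code from Kaspersky or the forum post. Hashes and the
defanged C2 address are copied from the post; log lines and file contents
below are constructed for the demo and are not real telemetry.
"""
import hashlib
import re
from typing import Dict, Iterable, List, Tuple

# Zebrocy sample MD5s and the shared C2 server, as listed in the post.
ZEBROCY_MD5 = {
    "7f20f7fbce9deee893dbce1a1b62827d",
    "170d2721b91482e5cabf3d2fec091151",
    "eae0b8997c82ebd93e999d4ce14dedf5",
    "a5cbf5a131e84cd2c0a11fca5ddaa50a",
    "c9e1b0628ac62e5cb01bf1fa30ac8317",
}
C2_DEFANGED = "193.23.181[.]151"


def refang(indicator: str) -> str:
    """Turn a defanged indicator ("193.23.181[.]151", "hxxp://...") back
    into the literal form that appears in logs."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def md5_hex(data: bytes) -> str:
    """MD5 of a file's bytes, lower-case hex, as used in the IOC list."""
    return hashlib.md5(data).hexdigest()


def match_hashes(files: Dict[str, bytes],
                 iocs: Iterable[str] = ZEBROCY_MD5) -> List[Tuple[str, str]]:
    """Return (name, md5) for every file whose MD5 is in the IOC set.
    Hashes are compared lower-case so a mixed-case feed still matches."""
    wanted = {h.lower() for h in iocs}
    hits = []
    for name, data in files.items():
        digest = md5_hex(data)
        if digest in wanted:
            hits.append((name, digest))
    return hits


def indicator_pattern(defanged: str) -> "re.Pattern[str]":
    """Regex for the refanged address that refuses to match inside a longer
    dotted string: searching for 193.23.181.15 must not fire on the real
    C2 193.23.181.151, and vice versa. Ports (":443") are still allowed."""
    literal = re.escape(refang(defanged))
    return re.compile(r"(?<![\d.])" + literal + r"(?![\d.])")


def match_indicator_in_logs(lines: Iterable[str], defanged: str) -> List[str]:
    """Return the log lines that reference the given (defanged) indicator."""
    pat = indicator_pattern(defanged)
    return [line for line in lines if pat.search(line)]


def match_c2_in_logs(lines: Iterable[str]) -> List[str]:
    """Convenience wrapper for the C2 server named in the post."""
    return match_indicator_in_logs(lines, C2_DEFANGED)


# Constructed proxy-log lines (not real data). Two touch the C2; one is a
# near miss (193.23.181.15) that a naive substring search would confuse.
SAMPLE_LOG_LINES = [
    "2018-07-12T09:14:03Z src=10.1.2.34 dst=193.23.181.151:443 GET /update.bin",
    "2018-07-12T09:14:05Z src=10.1.2.34 dst=193.23.181.15:80 GET /index.html",
    "2018-07-12T09:15:10Z src=10.1.2.77 dst=8.8.8.8:53 DNS A example.org",
    "2018-07-12T09:16:42Z src=10.1.2.34 dst=193.23.181.151:80 POST /up",
]

# Constructed file contents (not real samples); none hashes to a listed IOC.
SAMPLE_FILES = {
    "benign.txt": b"quarterly report draft\n",
    "setup.exe": b"MZ" + b"\x00" * 62,  # stub header, not a real binary
}


if __name__ == "__main__":
    for line in match_c2_in_logs(SAMPLE_LOG_LINES):
        print("C2 contact:", line)
    for name, digest in match_hashes(SAMPLE_FILES):
        print("IOC hash hit:", name, digest)
```

Run against a real directory by replacing SAMPLE_FILES with a mapping built from open(path, "rb").read(), and feed real proxy or firewall lines to match_c2_in_logs. The hash set matches only the five exact samples from the post; recompiled or repacked Zebrocy components will not share those MD5s, so the network indicator is the more durable of the two.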