Kaspersky researchers have discovered overlap between the GreyEnergy threat group, considered the successor to BlackEnergy, and the Sofacy subset Zebrocy.
Researchers described GreyEnergy, like BlackEnergy before it, as an advanced threat actor with extensive knowledge of how to penetrate victims' networks and exploit any available vulnerabilities. The actor is also known for updating its tools and infrastructure to avoid detection, tracking and attribution.
Most recently, the GreyEnergy malware was spotted attacking industrial and ICS targets, mainly in Ukraine, while Zebrocy has mainly targeted government agencies widely spread across the Middle East, Europe and Asia, according to a Jan. 24 blog post.
Zebrocy samples were found to use the same C2 servers as a spearphishing email attachment sent by GreyEnergy. Both groups also used a second server that was contacted by a GreyEnergy spearphishing document exploiting CVE-2017-11882 (the Microsoft Office Equation Editor memory-corruption flaw), and spearphishing documents from both GreyEnergy and Zebrocy targeted a number of industrial companies in Kazakhstan.
“A spearphishing document entitled ‘Seminar.rtf’, which retrieved a GreyEnergy sample, was sent to the company approximately on June 21, 2018, followed by a Zebrocy spearphishing document sent approximately on June 28,” researchers said in the report. “The two C2 servers discussed above were actively used by Zebrocy and GreyEnergy almost at the same time.”
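The attribution pivot described above is an infrastructure-overlap check: the same C2 hosts appearing in samples attributed to two different families, within days of each other. The following is an added example of how an analyst might run that check over a sample-to-C2 inventory; it is not code from Kaspersky's report, and every hash, address and date in it is a constructed placeholder (RFC 5737 documentation addresses), not a real indicator.

```python
"""Infrastructure-overlap check: given per-sample C2 observations labelled with
the family each sample was attributed to, find C2 hosts shared across families
and report how close in time the two families used them.

Added example, not code from the report. All sample IDs, C2 addresses and
dates are constructed placeholders, not real indicators.
"""
from collections import defaultdict
from datetime import date

# Constructed observations: (sample_id, attributed_family, c2_host, first_seen)
OBSERVATIONS = [
    ("sample-a1", "GreyEnergy", "192.0.2.10", date(2018, 6, 21)),    # lure document sample
    ("sample-a2", "GreyEnergy", "198.51.100.7", date(2018, 6, 21)),
    ("sample-z1", "Zebrocy", "192.0.2.10", date(2018, 6, 28)),
    ("sample-z2", "Zebrocy", "198.51.100.7", date(2018, 6, 30)),
    ("sample-z3", "Zebrocy", "203.0.113.5", date(2018, 3, 2)),       # Zebrocy-only host
    ("sample-a3", "GreyEnergy", "203.0.113.99", date(2017, 12, 1)),  # GreyEnergy-only host
]


def shared_c2(observations, max_gap_days=None):
    """Return {c2_host: {family: earliest_first_seen}} for every host observed
    under more than one family. If max_gap_days is given, keep only hosts whose
    earliest use by the families is at most that many days apart, so that a
    host recycled years later by an unrelated actor does not count as overlap."""
    by_host = defaultdict(dict)
    for _sample_id, family, host, seen in observations:
        prev = by_host[host].get(family)
        if prev is None or seen < prev:
            by_host[host][family] = seen

    result = {}
    for host, families in by_host.items():
        if len(families) < 2:
            continue
        if max_gap_days is not None:
            dates = sorted(families.values())
            if (dates[-1] - dates[0]).days > max_gap_days:
                continue
        result[host] = dict(families)
    return result


def overlap_gap_days(shared):
    """Days between the earliest use of each shared host by its families."""
    return {host: (max(f.values()) - min(f.values())).days
            for host, f in shared.items()}


if __name__ == "__main__":
    hits = shared_c2(OBSERVATIONS, max_gap_days=30)
    gaps = overlap_gap_days(hits)
    for host in sorted(hits):
        seen = {fam: d.isoformat() for fam, d in hits[host].items()}
        print(f"{host}: {seen} ({gaps[host]} days apart)")
```

Shared hosting alone is a weak signal: bulletproof hosters, compromised servers and redirectors are reused by unrelated actors, which is why the time-window filter matters and why the report treats the overlap as suggestive rather than as proof of a common origin.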
While researchers said there is currently no evidence about the origins of GreyEnergy, the links between Zebrocy and GreyEnergy suggest that the two groups are related.