GreyEnergy – ESET finds latest Malware threat

ESET

ESET, a computer security firm in the Slovak Republic, has uncovered a new secret malware infection. It has dubbed this GreyEnergy, after the December 2015 BlackEnergy attacks in Eastern Europe.

Like BlackEnergy, Industroyer and Telebots, the malefactors seem to have focused GreyEnergy on energy and transportation infrastructure in Eastern Europe. That includes Poland, but mostly Ukraine. ESET declined to offer an opinion on the source of GreyEnergy, but I suppose we can draw our own conclusions, given the targeting.

ESET chose the name GreyEnergy because of its surreptitious nature. BlackEnergy, by contrast, was a boots-and-all attack, closing down some Ukrainian energy infrastructure for several hours, affecting hundreds of thousands of people. GreyEnergy is a stealth attack, with the malware being infiltrated into Command and Control servers using TOR relays.

ESET
ESET’s monitoring headquarters; TOP: ESET’s mascot robot

TOR is The Onion Router, the secret system used by those seeking anonymity on the Internet, for both good reasons and ill.

GreyEnergy’s only destructive action so far appears to have been the display of the Moonraker logo used by the earlier Petya malware. It has used stolen security certificates to sneak in its modules. The GreyEnergy developers stole the certificates from Advantech, an industrial manufacturer based in Taiwan. I suppose you get your illicit certificates wherever you can find them.

GreyEnergy is remarkably clever, in a theme ESET repeatedly emphasised at its briefing. Once GreyEnergy had made its way in, it would infect connected computers. Then the computers would add a re-infection agent to the servers to make sure they were again infected, were they to be cleaned.

Will GreyEnergy attack your computer?

Does any of this matter to you? So what if far-away bad guys are trying sneaky attacks on far-away big companies?

Well, there are several ways that could affect us. First, State actors could try these kinds of surreptitious attacks Australian infrastructure. Second, the software is getting smarter, with modern expert technology being built into them, making them more dangerous. Third, the ideas and techniques used in any malware tend to spread to others making malware for their own purposes.

A technique developed to close down a Ukrainian power plant could end up being used to insert ransomware into your computer. In any case, the borders between industrial malware and smaller-scale criminal attacks are blurry. ESET says that the Telebots malware was principally a “kill disk” attack, disguised as ransomware. Those who believed its demands would have paid 222 Bitcoin (worth about $US1.4 million at today’s Bitcoin rates) and gotten back precisely nothing.

ESET

Have you heard of ESET? Long-time gadgetguy.com.au readers will have. Seen here for example.

In Australia, one tends to think of other names when it comes to anti-virus software. But ESET has been in the business since 1987. That was when the Slovak Republic was still part of Czechoslovakia, and still under Soviet domination. It was incorporated in 1992 when such things became legal after the fall of the iron curtain. It remains a privately held company.

Since then ESET has grown to global proportions, with research and development centres from San Diego to Buenos Aires to Singapore, although its main research facility remains in Bratislava, capital of the Slovak Republic.

It now has 1,600 employees and a hundred million knowing customers. By “knowing”, I mean people and businesses who have installed ESET security packages on their computers. But there are another half a billion unknowing users. ESET says that it was chosen by Google to provide protective functions in the Chrome browser. That’s to provide security against unsafe websites and other dangers. Of course, for non-ESET users, that protection is provided only when the user is within Chrome.

In Bratislava, ESET has a Houston-like monitoring centre, with large screens on the walls showing possible infections across Europe and across the world. It’s necessarily an incomplete picture since the information it is installed ESET software which provides it, and it requires an opt-in. Still, having been in the business for so long, ESET has been able to follow the development of malware attacks as they’ve developed across the decades.

UEFI attacks

Most recently, it has incorporated a UEFI scanner into its virus protection products. UEFI stands for Universal Extensible Firmware Interface. All computers have a BIOS – Basic Input/Output System. The interface to those was generally proprietary until around 2000. Then Intel started the process of standardisation by releasing the Extensible Firmware Interface. By 2005 a coalition of computer makers had developed a “Universal” version of this.

ESET
Monitor showing threats

That made for improved convenience for users and easier implementation of computer functionality. That’s what standardisation does. It also provided the groundwork necessary for systems such as LoJack for Laptops. That’s a subscription anti-theft system. If enabled, the computer on which it is installed “rings home” periodically. If the computer has been reported stolen, it can remove sensitive files or disable the computer. At higher subscription levels it can help provide law enforcement with information to find the computer. The service is available on some models from many of the major notebook manufacturers.

LoJax

So, if someone steals a LoJack-protected notebook, what can they do to get rid of the protection? Actually, nothing short of re-flashing the BIOS will do the trick. LoJack uses “persistence” technology. It is written into the BIOS, and even if you replace the hard drive, it is re-written to the new drive’s boot sections.

This is wonderful protection for those who choose to enable it. But ESET has found a new attack based on this. Called “LoJax”, a rootkit for hijacking UEFI has been bouncing around Central and Eastern Europe. Essentially, with companion malware, this manages to break through the strong BIOS protections, writes an image of the firmware to disc, infects the image and then writes it back into the hardware.

Once there, LoJack-like it persists. That’s why ESET software’s ability to scan the UEFI is important.

Conclusion

I haven’t done any formal tests on ESET software myself. But I will note that throughout the ESET presentations, I increasingly began squirming about how nakedly exposed my Android phone was to bad actors. So I installed the free ESET for Android software (available through the Play Store) and paid the few bucks to unlock complete functionality.

That said, the ESET’s work in the area was impressive. Throughout a full day of presentation, almost all the talking was done by technical specialists, not marketing types. They answered questions knowledgeably, and almost fully. (Again, ESET was reluctant to name likely State actors behind certain malware attacks.)

Looking at ESET’s website, it has “ESET Smart Security Premium” available from $64.95. There are personal use products available for Macs, Windows and Android, as well as business-orientated products.

Also of interest is ESET’s www.welivesecurity.com website, which contains blogs, news and white papers about malware threats and solutions. You can dig deeper into ESET’s discovery of the LoJax UEFI rootkit and GreyEnergy through the company’s white papers at that site.

(The writer visited ESET’s presentation as a guest of ESET.)