The GreyEnergy APT primarily uses phishing emails as its initial infection method, according to analysis by Nozomi Networks. The malware has been targeting industrial control systems in Ukraine and Eastern Europe for years, and uses tools that allow it to avoid detection within networks for extended periods of time.
According to Alessandro Di Pinto, a security researcher at Nozomi Networks, the phishing emails carry a Word document that prompts the recipient to click “Enable Content.” That button lifts Word's default block on embedded VBA macros; once it is clicked, the macro runs and the malware begins its execution.
The malware sample analyzed by Di Pinto was likely used for espionage campaigns rather than infecting industrial control systems. While malicious Word documents are a common mode of infection in attack campaigns, Di Pinto says that, in this case, the sophistication of the malware makes it stand out.
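Because the lure depends on a macro-bearing Word document reaching the user, a simple mail-gateway check is to classify attachments by what they contain rather than by their extension. The following is an added example, not code from Nozomi Networks or from the GreyEnergy analysis, and it uses constructed sample files rather than real GreyEnergy samples: it inspects an OOXML (.docx/.docm) container for the `word/vbaProject.bin` part and the VBA content type declared in `[Content_Types].xml`, and it flags legacy OLE2 (.doc) files, whose macros live in a binary storage that needs a dedicated parser, for deeper inspection. The function and sample names (`classify`, `triage_attachments`, `_build_ooxml`) are this example's own.

```python
import io
import zipfile

# OOXML facts the check relies on: macro-enabled Word files store VBA in this
# part and declare it with this content type in [Content_Types].xml.
MACRO_PART = "word/vbaProject.bin"
MACRO_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary Office container


def _build_ooxml(with_macro: bool) -> bytes:
    """Constructed sample document (not a real sample): a minimal OOXML zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        types = [
            '<?xml version="1.0"?>',
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">',
            '<Default Extension="xml" ContentType="application/xml"/>',
        ]
        if with_macro:
            types.append(
                f'<Override PartName="/{MACRO_PART}" ContentType="{MACRO_CONTENT_TYPE}"/>'
            )
        types.append("</Types>")
        z.writestr("[Content_Types].xml", "".join(types))
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # A real vbaProject.bin is itself an OLE2 stream; a stub is enough here.
            z.writestr(MACRO_PART, OLE2_MAGIC + b"\x00" * 16)
    return buf.getvalue()


def classify(data: bytes) -> str:
    """Return 'vba' (OOXML with a VBA project), 'ole-legacy' (binary .doc,
    needs an OLE parser to confirm macros) or 'none'. The decision is made on
    content, so a .docm renamed to .doc is still caught."""
    if data.startswith(OLE2_MAGIC):
        return "ole-legacy"
    if not data.startswith(b"PK\x03\x04"):
        return "none"  # not a zip container at all
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = z.namelist()
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                return "vba"
            if "[Content_Types].xml" in names:
                ct = z.read("[Content_Types].xml").decode("utf-8", "replace")
                if MACRO_CONTENT_TYPE in ct:
                    return "vba"
    except zipfile.BadZipFile:
        return "none"  # corrupt zip: Word would not open it either
    return "none"


def triage_attachments(attachments):
    """attachments: iterable of (filename, bytes). Returns the names that
    carry a VBA project or need legacy OLE inspection."""
    return [name for name, blob in attachments if classify(blob) != "none"]


# Constructed inputs for a stand-alone run.
CLEAN_DOC = _build_ooxml(with_macro=False)
MACRO_DOC = _build_ooxml(with_macro=True)
LEGACY_DOC = OLE2_MAGIC + b"\x00" * 504  # header-only stub of a binary .doc

if __name__ == "__main__":
    flagged = triage_attachments(
        [("invoice.docx", CLEAN_DOC), ("report.doc", MACRO_DOC), ("old.doc", LEGACY_DOC)]
    )
    print(flagged)
```

The check is deliberately content-based: the extension in the filename is attacker-controlled, while the zip directory and the content-type manifest are what Word actually reads. A `vba` verdict means the document can run a macro if the user clicks “Enable Content”; it says nothing about whether that macro is malicious, which is the point at which a sandbox or a VBA extractor takes over.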
“Having completed my analysis, it’s evident that the GreyEnergy packer does a great job of slowing down the reverse engineering process. The techniques used are not new, but both the tools and the tactics employed were wisely selected. For example, the threat actor chose to implement custom algorithms that are not too difficult to defeat, but they are hard enough to protect the malicious payload. Additionally, the broad use of anti-forensic techniques, such as the wiping of in-memory strings, underline the attacker’s attempt to stay stealthy and have the infection go unnoticed.”
All of this takes place only after a victim enables macros in the malicious Word document. A large share of security breaches start with phishing because attackers know it is as effective as it is easy to carry out.
If just one employee falls for a scam, attackers can gain a foothold within the network. New-school, interactive security awareness training is an essential tool for organizations to give their employees the ability to identify phishing emails.
KnowBe4's platform allows you to send simulated phishing attacks with Office documents attached, and you can see if an employee clicks on the "enable content" button, allowing malicious macros to execute. Infosecurity Magazine has the story: https://www.infosecurity-magazine.com/news/phishing-used-to-launch/