GreyEnergy malware uses junk code and anti-analysis techniques to evade detection

GreyEnergy is thought to be the successor of another Russia-linked hacking group called BlackEnergy

An analysis of the malware linked with the 2015 cyber-attacks on the Ukrainian power grid reveals that hackers added a large amount of junk code to their malware in a bid to evade detection and to confuse security researchers.

The malware is linked to GreyEnergy - an Advanced Persistent Threat (APT) linked with Russia that has been active for the past three years. It is thought to be the successor of another hacking group, called BlackEnergy.

Cyber-security experts believe BlackEnergy was behind the attack on Ukraine that left 230,000 people without electricity in December 2015. Targets of these groups have typically been the industrial networks of Ukraine and other Eastern European countries.

"The threat actors' broad use of anti-forensic techniques underlines their attempt to be stealthy and ensure that the infection would go unnoticed," said Alessandro Di Pinto, a researcher at industrial cyber-security company Nozomi Networks. Di Pinto's research paper was published on Tuesday.

He started analysing the phishing mechanism of these hacking groups after Slovak cyber-security company ESET uncovered GreyEnergy last October.

Di Pinto examined the GreyEnergy phishing emails, which contained a malicious Microsoft Word document. According to Di Pinto, when a person opens this document and clicks "enable content", malicious code is downloaded from a remote server into the victim's network. This code is actually a packer (a wrapper executable that conceals, and later unpacks, the real malware).

The malware then infects the system and uses anti-analysis techniques to hide its true functionality.

Di Pinto found that the hackers built the packer executable with several anti-analysis techniques. It contained a large amount of junk code, both to obscure its purpose and to confuse security researchers. It also contained overlapping instructions, where the same sequence of bytes is decoded as different instructions depending on the offset at which the disassembler, or the processor, starts reading it.

The packer's binary file also appears to have carried overlay data, which is appended after the end of the last section of the file and, in this case, contained an additional executable component.
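One check a defender can run on a suspect file, added here as an example that is not from Di Pinto's paper: find overlay data by comparing the end of the last section's raw data with the file size, and flag an overlay that itself begins with an MZ header. The PE built by `build_sample_pe` is a constructed fixture, not a GreyEnergy sample.

```python
import struct
from typing import Tuple

FILE_ALIGN = 0x200  # common PE file alignment; the constructed fixture uses it

def _pad(b: bytes, align: int = FILE_ALIGN) -> bytes:
    return b + b"\0" * (-len(b) % align)

def build_sample_pe(section_data: bytes, overlay: bytes = b"") -> bytes:
    """Constructed fixture: a minimal, non-runnable PE with one section,
    optionally followed by appended overlay bytes. Not a real malware sample."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)      # e_lfanew -> 0x40
    opt = struct.pack("<H", 0x10B) + b"\0" * 222              # PE32 optional header, 224 bytes
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102)
    raw = _pad(section_data)
    sec = struct.pack("<8sIIIIIIHHI", b".text", len(section_data), 0x1000,
                      len(raw), FILE_ALIGN, 0, 0, 0, 0, 0x60000020)
    headers = _pad(dos + b"PE\0\0" + coff + opt + sec)
    return headers + raw + overlay

def find_overlay(data: bytes) -> Tuple[int, bytes]:
    """Return (offset, bytes) of everything past the last section's raw end.
    A non-empty byte string is the overlay; empty means the file has none."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    sec_table = pe_off + 24 + opt_size
    end = 0
    for i in range(num_sections):
        # SizeOfRawData and PointerToRawData sit at +16 and +20 of each 40-byte header
        raw_size, raw_ptr = struct.unpack_from("<II", data, sec_table + i * 40 + 16)
        end = max(end, raw_ptr + raw_size)
    end = min(end, len(data))  # tolerate headers that claim more data than exists
    return end, data[end:]

def overlay_embeds_executable(overlay: bytes) -> bool:
    """True if the overlay itself starts with a DOS/PE 'MZ' header, i.e. an
    additional executable component is appended to the file."""
    return overlay[:2] == b"MZ"
```

The same parser works unchanged on a real file read with `open(path, "rb").read()`; a large overlay that starts with `MZ` is a strong reason to unpack and examine the file in isolation.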

According to Di Pinto, the GreyEnergy packer is capable of slowing down the reverse-engineering process. He suggests that, as a first line of defence, industrial organisations must train employees to recognise malicious emails and attachments in order to protect themselves from threats posed by groups like GreyEnergy.