Researchers reveal OT-specific malware in use and in development
Malware that’s made specifically to target industrial control systems (ICS), Internet of Things (IoT) and operational technology (OT) control devices is still rare, but in the last few weeks security researchers have identified two salient threats based on samples uploaded to VirusTotal:
- Claroty’s Team82 researchers have unearthed IOCONTROL, a piece of malware that appears to be generic enough to run on a variety of platforms and devices from different vendors.
- Forescout’s Vedere Labs researchers have pinpointed a piece of malware they dubbed Chaya_003, which is apparently aimed at engineering workstations running Siemens TIA Portal software.
IOCONTROL
“IOCONTROL is believed to be part of a global cyber operation against western IoT and operational technology (OT) devices,” Claroty’s researchers noted.
“Team82 has analyzed a malware sample extracted from [the Gasboy fuel management system] that was allegedly compromised by a threat actor group linked to Iran known as the CyberAv3ngers, which is also believed to be responsible for the Unitronics attack last fall.”
The researchers don’t know how the malware was deployed on the affected systems, but it allows attackers to execute OS commands remotely and delete itself.
“IOCONTROL was hiding inside Gasboy’s Payment Terminal, called OrPT. An attacker with full control over the payment terminal means they had the ability to shut down fuel services and potentially steal credit card information from customers,” they shared.
The malware can apparently run on routers, programmable logic controllers (PLCs), human-machine interfaces (HMIs), firewalls, and other Linux-based IoT/OT platforms, manufactured by Baicells, D-Link, Hikvision, Red Lion, Orpak, Phoenix Contact, Teltonika, Unitronics, and other vendors.
Chaya_003
Engineering workstations generally run popular operating systems – usually Windows – and dedicated engineering software for commissioning and programming field (OT) devices.
Forescout researchers searched VirusTotal for two types of artifacts: engineering software executables infected by general-purpose malware, and potentially malicious files that interact with the engineering software.
They limited their search to engineering software developed by Codesys (v2), Rockwell Automation (RSLogix500), Phoenix Contact (PC Worx), Siemens (TIA portal) and Mitsubishi (GX Works), and found:
- Two Ramnit clusters infecting Mitsubishi engineering workstations – the samples were submitted from Canada and the US, respectively
- Three malicious binaries that attempt to kill Siemens TIA Portal processes (along with other processes – browsers, Office apps, etc.) running on an engineering workstation.
Ramnit is a trojan that allows credential theft and remote desktop connections and has been known to infect OT software executables by wrapping malicious code into them.
But the Chaya_003 samples piqued their interest because they appear to be OT-specific malware.
“The malware is very likely targeting machines running Siemens engineering software, since the authors specifically included the Siemens process name [Siemens.Automation.Portal.exe] in the list of processes it attempts to kill, and this type of software would not be running on other environments,” Daniel dos Santos, Senior Director of Threat Research at Forescout’s Vedere Labs, told Help Net Security.
The three samples they analyzed are named test.exe, Isass.exe and elsass.exe, and were submitted from Belgium on October 3 and 4, 2024.
“The names ‘Isass.exe’ and ‘elsass.exe’ indicate deliberate system process name masquerading, probably as an attempt to dupe users into trusting them or to bypass antivirus solutions,” the researchers pointed out.
Chaya_003 uses Discord webhooks for command and control, and allows for system reconnaissance and process disruption.
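The two tradecraft items above, system-process name masquerading (Isass.exe and elsass.exe standing in for lsass.exe) and Discord webhooks as a C2 channel, are both cheap to hunt for in endpoint telemetry. The script below is an added example written for this article, not code from Forescout or Claroty; it assumes a Sysmon-like event shape (process-creation events with an image path, network events with a URL) and runs over a constructed event list, flagging near-miss system process names, genuine system names launched from outside System32, and outbound requests to the Discord webhook API.

```python
import re
from urllib.parse import urlparse

# Windows system process names that masquerading commonly imitates;
# lsass.exe is the one the Chaya_003 samples imitate.
SYSTEM_PROCESSES = {"lsass.exe", "svchost.exe", "csrss.exe", "winlogon.exe", "services.exe"}
# Where the genuine copies live; an exact system name anywhere else is suspicious.
SYSTEM_DIR = "c:\\windows\\system32\\"
# Discord webhook URL shape: https://discord.com/api/webhooks/<id>/<token>
WEBHOOK_RE = re.compile(r"^/api/webhooks/\d+/[A-Za-z0-9_-]+", re.I)
DISCORD_HOSTS = ("discord.com", "discordapp.com")


def fold_confusables(name: str) -> str:
    """Map characters that look like 'l' or 'o' so 'Isass.exe' compares equal to 'lsass.exe'."""
    return name.lower().translate(str.maketrans({"i": "l", "1": "l", "|": "l", "0": "o"}))


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; process names are short, so the O(n*m) table is cheap."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def masquerade_target(image_path: str):
    """Return the system process an image name imitates, or None.

    Two cases are flagged: a genuine system name launched from outside
    System32, and a near-miss name (homoglyph or one-character edit) such
    as Isass.exe or elsass.exe.
    """
    path = image_path.lower().replace("/", "\\")
    base = path.rsplit("\\", 1)[-1]
    if base in SYSTEM_PROCESSES:
        return None if path.startswith(SYSTEM_DIR) else base
    folded = fold_confusables(base)
    for legit in SYSTEM_PROCESSES:
        if edit_distance(folded, legit) <= 1:
            return legit
    return None


def is_discord_webhook(url: str) -> bool:
    """True when a URL points at the Discord webhook API (the channel Chaya_003 uses for C2)."""
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    on_discord = any(host == h or host.endswith("." + h) for h in DISCORD_HOSTS)
    return on_discord and WEBHOOK_RE.match(parts.path) is not None


# Constructed telemetry in a Sysmon-like shape; paths and webhook id/token are made up.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process_create", "image": r"C:\Windows\System32\lsass.exe"},
    {"id": 2, "type": "process_create", "image": r"C:\Users\eng\Downloads\Isass.exe"},
    {"id": 3, "type": "process_create", "image": r"C:\Users\eng\Downloads\elsass.exe"},
    {"id": 4, "type": "process_create", "image": r"C:\Temp\lsass.exe"},
    {"id": 5, "type": "process_create", "image": r"C:\Users\eng\Downloads\test.exe"},
    {"id": 6, "type": "network", "image": r"C:\Users\eng\Downloads\test.exe",
     "url": "https://discord.com/api/webhooks/123456789012345678/AbCdEf_gHiJkL-mNoP"},
    {"id": 7, "type": "network", "image": r"C:\Program Files\Chat\chat.exe",
     "url": "https://discord.com/api/v9/users/@me"},
]


def analyze(events):
    """Return (event id, reason) alerts for name masquerading and webhook C2."""
    alerts = []
    for ev in events:
        if ev["type"] == "process_create":
            target = masquerade_target(ev["image"])
            if target:
                alerts.append((ev["id"], f"name masquerades as {target}"))
        elif ev["type"] == "network" and is_discord_webhook(ev["url"]):
            alerts.append((ev["id"], "outbound Discord webhook (possible C2)"))
    return alerts


if __name__ == "__main__":
    for event_id, reason in analyze(SAMPLE_EVENTS):
        print(f"event {event_id}: {reason}")
```

The confusable folding is deliberately aggressive (every "i" becomes "l"), so in production the candidate set and the one-edit threshold should be tuned against a baseline of the workstation's normal process names; the webhook check is path-based on purpose, since ordinary Discord client traffic uses other API paths and should not alert.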
The messages sent by the malware to the Discord C2 were written in Dutch, English and Spanish. The latter included strings that point to the malware possibly having been developed by groups based in Catalonia and using code “contributed” by StackOverflow and ChatGPT.
“For one of the strings – x86assembly.xyz – we also saw that there was a domain name registered for some time that pointed to an IP address that historically has hosted other malware artifacts,” dos Santos told us.
Forescout researchers believe that the original three samples were uploaded by the developers because they all came from the same location and showed a clear evolutionary pattern. Since then, they’ve been on the lookout for signs of further testing or even deployment (if victims upload samples used against them).
Their advice to defenders is: harden engineering workstations (update software, disable unnecessary ports and services, change predictable credentials); isolate IT, IoT and OT devices via network segmentation and do not expose engineering workstations to the internet; and monitor for threats.
CISA has recently offered similar advice for protecting human machine interfaces (HMIs) used in water and wastewater systems.