There’s no shortage of tools offered on the internet to help people solve problems. But some are really malware.
According to researchers at Dragos, one is password cracking software for programmable logic controllers (PLCs), Human-Machine Interface (HMI) applications, and project files, which is offered on multiple social media sites. In some cases it will retrieve a password, the researchers said in a blog this week — but only if the PLC application has a vulnerability that can be exploited.
Meanwhile, in the background, the tool is installing a malware dropper, infecting the machine with the Sality malware and turning the host into a peer in Sality’s peer-to-peer botnet.
Dragos found the malware tool can successfully recover Automation Direct’s DirectLogic 06 PLC password over a workstation’s serial connection to a controller by exploiting a vulnerability. This vulnerability, CVE-2022-2003, was disclosed to Automation Direct, which has released a firmware update to fix the problem.
But the researchers also warned the threat actor advertising the so-called cracking application claims it also works on PLC and HMI devices as well as project files from Omron, Siemens, ABB, Delta Automation, Fuji Electric, Mitsubishi, Allen Bradley and others. Dragos didn’t test whether those claims are accurate, but it can confirm the cracking application for those products contains malware.
The discovery serves as a lesson to organizations that employee security awareness training has to go beyond telling them not to click on links in emails. They have to be regularly reminded to only download applications approved by management.
In explaining who might want to use password-cracking software in an operational technology (OT) environment, Dragos created a fictional situation in which an engineer is promoted and needs to access an application created by his predecessor. Unfortunately, the former employee didn’t leave their password.
“Trojanized software is a common delivery technique for malware, and has been proven effective for gaining initial access to a network,” says the report.
As for the Sality malware, Dragos described it as a peer-to-peer botnet for distributed computing tasks such as password cracking and cryptocurrency mining.
Sality employs process injection and file infection to maintain persistence on the host, the report says. It leverages Windows autorun functionality to spread copies of itself over Universal Serial Bus (USB), network shares, and external storage drives. The sample found by Dragos also drops clipboard hijacking malware that, every half second, checks the clipboard for a cryptocurrency address format. If seen, the hijacker replaces the address with one owned by the threat actor. “This in-real-time hijacking is an effective way to steal cryptocurrency from users wanting to transfer funds, and increases our confidence that the adversary is financially motivated,” the report adds.
To remain undetected, Sality drops a kernel driver and starts a service to identify any potential security products, such as antivirus systems or firewalls, and terminates them. Dragos says that according to various reports online, Sality is able to conduct Internet Protocol (IP) filtering against antivirus-related URLs, and will drop any outgoing packets containing specific keywords known to be connected to antivirus vendor websites. This could have regulatory implications, Dragos says. Since Sality blocks any outgoing connections, antivirus systems will not be able to receive updates, violating reliability standard CIP-007-6.
While Sality makes several attempts to stay hidden, there are obvious signs of infection because central processing unit (CPU) levels will spike 100 per cent and multiple Windows Defender alerts will be triggered.