Wednesday, August 10, 2022

Malware aimed at industrial engineers discovered

There’s no shortage of tools offered on the internet to help people solve problems. But some are really malware.

According to researchers at Dragos, one is password cracking software for programmable logic controllers (PLCs), Human-Machine Interface (HMI) applications, and project files, which is offered on multiple social media sites. In some cases it will retrieve a password, the researchers said in a blog this week — but only if the PLC application has a vulnerability that can be exploited.

Meanwhile, in the background, the tool is installing a malware dropper, infecting the machine with the Sality malware and turning the host into a peer in Sality’s peer-to-peer botnet.

Dragos found the malware tool can successfully recover Automation Direct’s DirectLogic 06 PLC password over a workstation’s serial connection to a controller by exploiting a vulnerability. This vulnerability, CVE-2022-2003, was disclosed to Automation Direct, which has released a firmware update to fix the problem.

But the researchers also warned the threat actor advertising the so-called cracking application claims it also works on PLC and HMI devices as well as project files from Omron, Siemens, ABB, Delta Automation, Fuji Electric, Mitsubishi, Allen Bradley and others. Dragos didn’t test whether those claims are accurate, but it can confirm the cracking application for those products contains malware.

Images of ads offering PLC password-cracking apps
Dragos offered these examples of PLC password-cracking apps being offered online

The discovery serves as a lesson to organizations that employee security awareness training has to go beyond telling them not to click on links in emails. They have to be regularly reminded to only download applications approved by management.

In explaining who might want to use password-cracking software in an operational technology (OT) environment, Dragos created a fictional situation in which an engineer is promoted and needs to access an application created by his predecessor. Unfortunately, the former employee didn’t leave their password.

“Trojanized software is a common delivery technique for malware, and has been proven effective for gaining initial access to a network,” says the report.

As for the Sality malware, Dragos described it as a peer-to-peer botnet for distributed computing tasks such as password cracking and cryptocurrency mining.

Sality employs process injection and file infection to maintain persistence on the host, the report says. It leverages Windows autorun functionality to spread copies of itself over Universal Serial Bus (USB), network shares, and external storage drives. The sample found by Dragos also drops clipboard hijacking malware that, every half second, checks the clipboard for a cryptocurrency address format. If seen, the hijacker replaces the address with one owned by the threat actor. “This in-real-time hijacking is an effective way to steal cryptocurrency from users wanting to transfer funds, and increases our confidence that the adversary is financially motivated,” the report adds.

To remain undetected, Sality drops a kernel driver and starts a service to identify any potential security products, such as antivirus systems or firewalls, and terminates them. Dragos says that according to various reports online, Sality is able to conduct Internet Protocol (IP) filtering against antivirus-related URLs, and will drop any outgoing packets containing specific keywords known to be connected to antivirus vendor websites. This could have regulatory implications, Dragos says. Since Sality blocks any outgoing connections, antivirus systems will not be able to receive updates, violating reliability standard CIP-007-6.

While Sality makes several attempts to stay hidden, there are obvious signs of infection because central processing unit (CPU) levels will spike 100 per cent and multiple Windows Defender alerts will be triggered.

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com

Related Tech News

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.