Security researchers at Dragos have uncovered the activities of a threat actor that uses password recovery tools to infect Industrial Control Systems (ICS).

After analyzing an incident involving Automation Direct’s DirectLogic PLCs, the researchers discovered that the cracking software exploited a known vulnerability in the device to extract the password.

The software also dropped a malware known as Sality during the recovery process. Sality is a malware that creates a peer-to-peer botnet for various tasks that require the power of distributed computing to complete faster actions such as password cracking or cryptocurrency mining.

Sality can also inject itself into running processes and abuse the Windows autorun function to copy itself into network shares, external drives, and removable storage devices that could transfer it to other systems.

The malicious software and vulnerability identified have been reported to Automation Direct and the manufacturer has released fixes to address them.

Administrators of PLC from other providers should be aware of the risk of using password cracking in ICS environments. Operational technology engineers are also advised to avoid password cracking tools, especially if the source is unknown.

The sources for this piece include an article in BleepingComputer.