
Mysterious ICS Malware Targets SCADA Systems

FireEye has come across a mysterious piece of malware that appears to be designed to target industrial control systems (ICS), but which could just be part of someone’s research efforts.


The malware, dubbed “IRONGATE,” was discovered by FireEye during the analysis of droppers compiled with PyInstaller, a tool that bundles a Python application and all its dependencies into a single package. Two samples of the malware payload were uploaded to VirusTotal in 2014, but neither of them was flagged as malicious.

IRONGATE is designed to manipulate a specific industrial process in a simulated Siemens control system environment. Siemens has analyzed the threat and determined that the attack would not work against operational control systems and the malware does not exploit any vulnerabilities in the company’s products.

Since it hasn’t identified any threat actors or attacks leveraging this malware, FireEye believes IRONGATE could simply be a proof-of-concept (PoC), a test case, or part of research focusing on ICS attack techniques.

The attack starts with a dropper that checks for the presence of VMware virtual machines and the Cuckoo Sandbox. If these analysis environments are not detected, the payload, a .NET executable named “scada.exe”, is deployed on the system.

Once it infects a system, IRONGATE looks for DLL files whose names end with “Step7ProSim.dll” and replaces them with a malicious version so that it can manipulate the process without being detected.

“IRONGATE’s key feature is a man-in-the-middle (MitM) attack against process input-output (IO) and process operator software within industrial process simulation. The malware replaces a Dynamic Link Library (DLL) with a malicious DLL, which then acts as a broker between a PLC and the legitimate monitoring software,” FireEye explained in a blog post. “This malicious DLL records five seconds of ‘normal’ traffic from a PLC to the user interface and replays it, while sending different data back to the PLC. This could allow an attacker to alter a controlled process unbeknownst to process operators.”
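The record-and-replay behavior described above leaves a detectable trace on the operator side: genuine sensor data carries noise and never repeats bit-for-bit, whereas a looped five-second recording does. The following Python script is an added defender-side example, not code from FireEye, Siemens or the IRONGATE sample; it builds a constructed stream of tank-level readings (a hypothetical 10 Hz feed), loops a five-second window of it the way the article says the malicious DLL does, and flags the exact repetition. The function names, sample rate and process values are all assumptions made for the illustration.

```python
import math
import random
from typing import List, Optional, Sequence, Tuple


def find_replay(values: Sequence[float], period: int,
                min_repeats: int = 3) -> Optional[Tuple[int, int]]:
    """Search the stream for a stretch that exactly repeats the `period` samples
    before it.  Returns (start_index, repeats) for the longest such stretch if it
    spans at least `min_repeats` loops, otherwise None.  Exact equality is used
    deliberately: noisy process data does not reproduce itself, so a verbatim
    loop points at something upstream replaying recorded traffic."""
    if period <= 0 or len(values) < period * min_repeats:
        return None
    best_start, best_len = 0, 0
    run_start, run_len = 0, 0
    for i in range(period, len(values)):
        if values[i] == values[i - period]:
            if run_len == 0:
                run_start = i - period  # first sample of the loop being replayed
            run_len += 1
        else:
            if run_len > best_len:
                best_start, best_len = run_start, run_len
            run_len = 0
    if run_len > best_len:
        best_start, best_len = run_start, run_len
    # matched samples plus the original copy of the window give the looped span
    repeats = (best_len + period) // period
    return (best_start, repeats) if repeats >= min_repeats else None


def detect_replay(values: Sequence[float], sample_rate_hz: float,
                  window_seconds: float = 5.0,
                  min_repeats: int = 3) -> Optional[Tuple[int, int]]:
    """Convenience wrapper: convert the replay window length (five seconds in
    the article) into a sample count at the feed's rate and scan for loops."""
    period = round(sample_rate_hz * window_seconds)
    return find_replay(values, period, min_repeats)


def clean_stream(n: int = 600, sample_rate_hz: int = 10, seed: int = 7) -> List[float]:
    """Constructed 'normal' readings: a slow level oscillation around 50 plus
    Gaussian sensor noise.  Seeded so the example is reproducible."""
    rng = random.Random(seed)
    return [50.0 + 5.0 * math.sin(i / (4.0 * sample_rate_hz)) + rng.gauss(0.0, 0.3)
            for i in range(n)]


def replayed_stream(replay_start: int = 200, repeats: int = 4,
                    sample_rate_hz: int = 10, window_seconds: float = 5.0) -> List[float]:
    """Constructed stream in which, from `replay_start` on, one window of earlier
    readings is fed back to the operator `repeats` times while (in the scenario
    the article describes) the real process is being driven elsewhere."""
    values = clean_stream(sample_rate_hz=sample_rate_hz)
    period = round(sample_rate_hz * window_seconds)
    window = values[replay_start:replay_start + period]
    looped = window * repeats
    return values[:replay_start] + looped + values[replay_start + len(looped):]


if __name__ == "__main__":
    print("clean feed:", detect_replay(clean_stream(), 10))        # None
    print("looped feed:", detect_replay(replayed_stream(), 10))    # (200, 4)
```

The check is only as good as the assumption that the replay is verbatim; a replay with added jitter would defeat exact comparison and would need a statistical test (for instance autocorrelation at the window length) instead. Cross-checking the operator view against an independent reading path to the PLC is the more robust mitigation, and this script is meant as the cheap first alarm, not a replacement for that.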

The DLL file replaced by the malware is designed to communicate with Siemens’ PLCSIM environment, which is used to test the functionality of PLC applications before they are used in production. However, Siemens noted that the targeted DLLs are not actually part of its standard product, which means the attack would not work in a real-world scenario.


There are several clues that have led FireEye researchers to believe that IRONGATE is just a PoC. In addition to the fact that the malware would not work in a real Siemens control system environment, experts determined that the scada.exe component is not executed automatically, which means someone would need to run it manually to trigger the payload.

Furthermore, the code in the malicious software is very similar to code published on an engineering blog several years ago.

Interestingly, experts discovered some similarities between IRONGATE and the notorious Stuxnet worm used in 2010 to target nuclear facilities in Iran. Both threats target a single, specific process, and they both replace DLLs to manipulate the process.

Unlike Stuxnet, which checked the infected system for antivirus software, IRONGATE is designed to detect virtual machines and sandboxes. Another difference is that Stuxnet did not attempt to hide the fact that it was manipulating a process, while IRONGATE records and replays process data to disguise its activities.

While IRONGATE might be a PoC that has never been used in attacks, FireEye decided to share its findings with the community because the malware provides insight into the mindset of adversaries and allows defenders to find ways of mitigating these attack techniques.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
