FireEye has come across a mysterious piece of malware that appears to be designed to target industrial control systems (ICS), but which could just be part of someone’s research efforts.
The malware, dubbed “IRONGATE,” was discovered by FireEye during the analysis of droppers compiled with PyInstaller, a tool that bundles a Python application and all its dependencies into a single package. Two samples of the malware payload were uploaded to VirusTotal in 2014, but neither was flagged as malicious.
IRONGATE is designed to manipulate a specific industrial process in a simulated Siemens control system environment. Siemens has analyzed the threat and determined that the attack would not work against operational control systems and the malware does not exploit any vulnerabilities in the company’s products.
Since it hasn’t identified any threat actors or attacks leveraging this malware, FireEye believes IRONGATE could simply be a proof-of-concept (PoC), a test case, or part of research focusing on ICS attack techniques.
The attack starts with a dropper that checks for the presence of VMware virtual machines and the Cuckoo Sandbox. If these analysis environments are not detected, the payload, a .NET executable named “scada.exe,” is deployed on the system.
Once it infects a system, IRONGATE looks for DLL files whose names end with “Step7ProSim.dll” and replaces them with a malicious version so that it can manipulate the process without being detected.
“IRONGATE’s key feature is a man-in-the-middle (MitM) attack against process input-output (IO) and process operator software within industrial process simulation. The malware replaces a Dynamic Link Library (DLL) with a malicious DLL, which then acts as a broker between a PLC and the legitimate monitoring software,” FireEye explained in a blog post. “This malicious DLL records five seconds of ‘normal’ traffic from a PLC to the user interface and replays it, while sending different data back to the PLC. This could allow an attacker to alter a controlled process unbeknownst to process operators.”
The DLL file replaced by the malware is designed to communicate with Siemens’ PLCSIM environment, which is used to test the functionality of PLC applications before they are used in production. However, Siemens noted that the targeted DLLs are not actually part of its standard product, which means the attack would not work in a real-world scenario.
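The record-and-replay trick described above has a detectable side effect: genuine sensor readings carry noise, so a bit-exact loop of the same few seconds of data in the operator's feed is a strong anomaly signal. The following detector is an added example written for this article, not FireEye's or Siemens' code; it assumes a 10 Hz HMI feed, a constructed sample stream, and a replay window somewhere between 3 and 7 seconds (IRONGATE's is 5).

```python
"""Detect replayed process telemetry of the kind IRONGATE's MitM DLL produces."""
import random
from typing import List, Optional, Sequence, Tuple


def find_replay(samples: Sequence[float], min_window: int, max_window: int,
                min_repeats: int = 2) -> Optional[Tuple[int, int]]:
    """Scan for a window of w samples (min_window..max_window) that is repeated
    exactly, back-to-back, at least min_repeats more times.

    Returns (start_index, window_length) of the first loop found, or None.
    Real process data is noisy, so an exact repeat of several seconds is
    far more likely to be a replay than a coincidence."""
    n = len(samples)
    for w in range(min_window, max_window + 1):
        for start in range(0, n - w * (min_repeats + 1) + 1):
            base = samples[start:start + w]
            if all(samples[start + r * w:start + (r + 1) * w] == base
                   for r in range(1, min_repeats + 1)):
                return start, w
    return None


def constructed_feed(rate_hz: int = 10, seed: int = 7) -> List[float]:
    """CONSTRUCTED sample HMI feed (not captured data): 20 s of genuine noisy
    readings around a 50.0 setpoint, followed by the last 5 s of that traffic
    replayed three times, as the malicious DLL would do to hide its changes."""
    rng = random.Random(seed)
    genuine = [round(50.0 + rng.gauss(0, 0.3), 2) for _ in range(20 * rate_hz)]
    captured = genuine[-5 * rate_hz:]   # the attacker's recorded "normal" window
    return genuine + captured * 3


def report(samples: Sequence[float], rate_hz: int = 10) -> str:
    """Human-readable verdict, searching for loops between 3 s and 7 s long."""
    hit = find_replay(samples, 3 * rate_hz, 7 * rate_hz)
    if hit is None:
        return "no replayed window detected"
    start, w = hit
    return f"replay suspected: {w / rate_hz:.1f} s window looping from t={start / rate_hz:.1f} s"


if __name__ == "__main__":
    feed = constructed_feed()
    print(report(feed[:200]))   # genuine portion only
    print(report(feed))         # genuine + replayed tail
```

The threshold values (window range, repeat count) are tuning assumptions; a production detector would also compare the HMI feed against an independent reading of the same tag, since the DLL sends different data to the PLC than it shows the operator.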
There are several clues that have led FireEye researchers to believe that IRONGATE is just a PoC. In addition to the fact that the malware would not work in a real Siemens control system environment, experts determined that the scada.exe component is not executed automatically, which means someone would need to run it manually to trigger the payload.
Furthermore, the code in the malicious software is very similar to code published on an engineering blog several years ago.
Interestingly, experts discovered some similarities between IRONGATE and the notorious Stuxnet worm used in 2010 to target nuclear facilities in Iran. Both threats target a single, specific process, and they both replace DLLs to manipulate the process.
Unlike Stuxnet, which checked the infected system for antivirus software, IRONGATE is designed to detect virtual machines and sandboxes. Another difference is that Stuxnet did not attempt to hide the fact that it was manipulating a process, while IRONGATE records and replays process data to disguise its activities.
While IRONGATE might be a PoC that has never been used in attacks, FireEye decided to share its findings with the community because the malware provides insight into the mindset of adversaries and allows defenders to find ways of mitigating these attack techniques.