Mysterious ICS Malware Targets SCADA Systems

FireEye has come across a mysterious piece of malware that appears to be designed to target industrial control systems (ICS), but which could just be part of someone’s research efforts.

The malware, dubbed “IRONGATE,” was discovered by FireEye during the analysis of droppers compiled with PyInstaller, a tool that bundles a Python application and all its dependencies into a single package. Two samples of the malware payload were uploaded to VirusTotal in 2014, but neither was flagged as malicious.

IRONGATE is designed to manipulate a specific industrial process in a simulated Siemens control system environment. Siemens has analyzed the threat and determined that the attack would not work against operational control systems and the malware does not exploit any vulnerabilities in the company’s products.

Since it hasn’t identified any threat actors or attacks leveraging this malware, FireEye believes IRONGATE could simply be a proof-of-concept (PoC), a test case, or part of research focusing on ICS attack techniques.

The attack starts with a dropper that checks for the presence of VMware virtual machines and the Cuckoo Sandbox. If these analysis environments are not detected, the payload, a .NET executable named “scada.exe,” is deployed on the system.

Once it infects a system, IRONGATE looks for DLL files whose names end with “Step7ProSim.dll” and replaces them with a malicious version so that it can manipulate the process without being detected.

“IRONGATE’s key feature is a man-in-the-middle (MitM) attack against process input-output (IO) and process operator software within industrial process simulation. The malware replaces a Dynamic Link Library (DLL) with a malicious DLL, which then acts as a broker between a PLC and the legitimate monitoring software,” FireEye explained in a blog post. “This malicious DLL records five seconds of ‘normal’ traffic from a PLC to the user interface and replays it, while sending different data back to the PLC. This could allow an attacker to alter a controlled process unbeknownst to process operators.”

The DLL file replaced by the malware is designed to communicate with Siemens’ PLCSIM environment, which is used to test the functionality of PLC applications before they are used in production. However, Siemens noted that the targeted DLLs are not actually part of its standard product, which means the attack would not work in a real world scenario.
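The replay behaviour FireEye describes above (a short capture of normal PLC-to-HMI data looped back to the operator) leaves a signature a defender can look for: a multi-sample, noisy window of process values repeating bit-for-bit. The following detector is an added illustration, not FireEye's or Siemens' code; it assumes an HMI trend sampled at 1 Hz, so the five-second capture becomes a five-sample window, and all trend data below is constructed.

```python
"""Added example: spot a looped replay of process data at the operator interface.
Assumes a 1 Hz sampled HMI trend; the five-second capture is a 5-sample loop."""
import random
from typing import Dict, List, Optional


def find_replay_period(samples: List[float], min_period: int = 2,
                       min_repeats: int = 2) -> Optional[int]:
    """Return the shortest period P (in samples) for which the tail of
    `samples` is at least `min_repeats` bit-identical copies of one P-sample
    window, or None if no such loop exists.

    A flat window is skipped: a steady-state value repeating is normal, while
    a noisy multi-sample window repeating exactly is not what a real sensor
    path produces."""
    n = len(samples)
    for period in range(min_period, n // min_repeats + 1):
        span = period * min_repeats
        tail = samples[n - span:]
        window = tail[:period]
        if len(set(window)) < 2:          # steady state, not a replay signature
            continue
        if all(tail[i] == window[i % period] for i in range(span)):
            return period
    return None


def analyze_hmi_trend(samples: List[float], sample_rate_hz: float) -> Dict[str, object]:
    """Summarise a trend: whether it loops and, if so, the loop length in seconds."""
    period = find_replay_period(samples)
    return {"replay": period is not None,
            "period_s": None if period is None else period / sample_rate_hz}


# Constructed data (not captured from any real system): a genuine noisy
# tank-level trend, the same sensor as the operator sees it while a 5 s
# capture is replayed three times, and a flat steady-state trend.
_rng = random.Random(7)
GENUINE_TREND = [42.0 + _rng.gauss(0, 0.3) for _ in range(20)]
CAPTURED_5S = [41.2, 41.5, 41.9, 42.3, 41.8]
REPLAYED_TREND = CAPTURED_5S * 3
STEADY_STATE = [50.0] * 12

if __name__ == "__main__":
    for name, trend in [("genuine", GENUINE_TREND), ("replayed", REPLAYED_TREND),
                        ("steady", STEADY_STATE)]:
        print(name, analyze_hmi_trend(trend, sample_rate_hz=1.0))
```

Genuinely periodic processes (batch cycles) repeat in shape but not in the exact noise, so the bit-identical test keeps them out; lowering the resolution of the trend before comparison would weaken that distinction.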

There are several clues that have led FireEye researchers to believe that IRONGATE is just a PoC. In addition to the fact that the malware would not work in a real Siemens control system environment, experts determined that the scada.exe component is not executed automatically, which means someone would need to run it manually to trigger the payload.

Furthermore, the code in the malicious software is very similar to code published on an engineering blog several years ago.

Interestingly, experts discovered some similarities between IRONGATE and the notorious Stuxnet worm used in 2010 to target nuclear facilities in Iran. Both threats target a single, specific process, and they both replace DLLs to manipulate the process.

Unlike Stuxnet, which checked the infected system for antivirus software, IRONGATE is designed to detect virtual machines and sandboxes. Another difference is that Stuxnet did not attempt to hide the fact that it was manipulating a process, while IRONGATE records and replays process data to disguise its activities.

While IRONGATE might be a PoC that has never been used in attacks, FireEye decided to share its findings with the community because the malware provides insight into the mindset of adversaries and allows defenders to find ways of mitigating these attack techniques.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.