Tainted password-cracking software for industrial systems used to spread P2P Sality bot

Dragos researchers uncovered a small-scale campaign targeting industrial engineers and operators with Sality malware.

During a routine vulnerability assessment, Dragos researchers discovered a campaign targeting industrial engineers and operators with Sality malware.

Threat actors behind the campaign used multiple accounts across several social media platforms to advertise password-cracking software for Programmable Logic Controller (PLC), Human-Machine Interface (HMI), and project files.

The password recovery software is advertised as working against industrial systems from ABB, Allen Bradley, Automation Direct, Fuji Electric, LG, Vigor, Mitsubishi, Omron, Panasonic, Pro-Face, Siemens, and Weintek.

The attackers are attempting to infect industrial control systems (ICS) and create a botnet.

Dragos experts investigated an infection of DirectLogic PLCs from Automation Direct, they performed reverse engineering of the password cracking tool and discovered it did not crack the password at all, rather, it exploited a vulnerability in the firmware to retrieve the password on command. The password cracking software also acts as a dropper for the Sality P2P bot.

According to the experts, the tool successfully recovers Automation Direct’s DirectLogic 06 PLC password by connecting a Windows machine to the PLC over a serial connection.

Dragos researchers were also able to recover the password using the exploit over Ethernet, significantly increasing the severity of the flaw, tracked as CVE-2022-2003.

The CVE-2022-2003 was responsibly disclosed to Automation Direct and the vendor addressed it with the release of a firmware update.

The Sality P2P botnet is known to be involved in password cracking and cryptocurrency mining activities.

“Dragos assesses with moderate confidence the adversary, while having the capability to disrupt industrial processes, has financial motivation and may not directly impact Operational Technology (OT) processes.” reads the advisory published by Dragos. “Sality employs process injection and file infection to maintain persistence on the host. It abuses Window’s autorun functionality to spread copies of itself over Universal Serial Bus (USB), network shares, and external storage drives.”

The sample of the Sality malware employed in the attack analyzed by Dragos also drops clipboard hijacking malware, which checks the clipboard to hijack cryptocurrency wallet addresses.

The Sality malware uses a kernel driver to avoid detection, it also starts a service to identify processes associated with potential security products, and kill them.

“Dragos only tested the DirectLogic-targeting malware. However, initial dynamic analysis of a couple of other samples indicate they also contain malware. In general, it appears there is an ecosystem for this type of software. Several websites and multiple social media accounts exist all touting their password “crackers.”” concludes the report. “Trojanized software is a common delivery technique for malware and has been proven effective for gaining initial access to a network.”

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Sality malware)

[adrotate banner=”5″]

[adrotate banner=”13″]