Pierluigi Paganini
December 14, 2024
Claroty’s Team82 obtained a sample of a custom-built IoT/OT malware called IOCONTROL used by the Iran-linked threat actors to target devices in infrastructure located in Israel and U.S..
According to the experts Iran-linked threat group CyberAv3ngers reportedly targeted fuel management systems in Israel and the U.S. using custom IoT malware, IOCONTROL, tied to geopolitical tensions.
The researchers believe that the malware is a cyberweapon developed by a nation-state actor to target civilian critical infrastructure.
IOCONTROL is a custom-built, modular malware that can run on a variety of platforms from different vendors..
IOCONTROL was used against multiple device families, including IP cameras, routers, PLCs, HMIs, firewalls, and more. The affected manufacturers include Baicells, D-Link, Hikvision, Red Lion, Orpak, Phoenix Contact, Teltonika, and Unitronics.
The CyberAv3ngers group is believed to be part of the Islamic Revolutionary Guard Corps Cyber Electronic Command (IRGC-CEC), they employed the malware in attacks against several hundred Israel-made Orpak Systems and U.S.-made Gasboy fuel management systems in Israel and the United States.
The Iranian group claims to have compromised 200 gas stations in Israel and the U.S. The attacks began in late 2023, coinciding with other industrial system breaches, and continued into mid-2024. The malware remained undetected by VirusTotal antivirus engines as of December 2024.
The experts obtained a malware sample from a Gasboy fuel control system linked to Orpak Systems. Experts have yet to determine how the malware was deployed on the victim systems.
IOCONTROL was hiding inside Gasboy’s Payment Terminal (OrPT). An attacker with full control over the payment terminal means they could shut down fuel services and potentially steal credit card information from customers.
The malware maintains persistence by installing a backdoor on the device before connecting to the C2 infrastructure. The malicious code adds a new rc3.d boot script, which will be executed whenever the device restarts. The experts noticed that the backdoor is located in /etc/rc3.d/S93InitSystemd.sh.
The malware communicates with its C2 server using the MQTT protocol via port 8883, embedding unique device IDs in credentials for control. It employs DNS over HTTPS (DoH) to evade network monitoring tools and encrypts configurations with AES-256-CBC.
Below is the list of supported commands:
| Opcode | Command | Description |
| 0 | Send “hello” | Resend the MQTT hello message with basic device information |
| 1 | Check exec | Check that the malware is installed in /usr/bin/iocontrol and that it is executable, and publishes the string 1:1 |
| 2 | Execute command | Execute arbitrary OS command via system call and publishes the output |
| 3 | Self-delete | Stop the malware execution, as well as remove malware main binary, its persistence service, and related logs files. It then publishes the string 3:1 |
| 8 | Port scan | Scan an IP range in a specific port. The malware receives IP start, IP end and a port to scan. It then publishes the result. |
“We’ve assessed that IOCONTROL is a cyberweapon used by a nation-state to attack civilian critical infrastructure.” concludes the report. “IOCONTROL is believed to be part of a global cyber operation against western IoT and operational technology (OT) devices”
The complete indicators of compromise (IoC) are listed at the bottom of the report.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(Security Affairs – hacking, IOCONTROL)
