IRONGATE, a mysterious ICS Malware discovered in the wild

Experts at FireEye spotted IRONGATE, a mysterious strain of malware that appears to be designed to target industrial control systems (ICS).

Security researchers at FireEye have spotted a new strain of malware, dubbed IRONGATE, designed to compromise industrial control systems (ICS). The malicious code was built to manipulate a specific industrial process in a simulated Siemens control system environment.

Siemens investigated the issue and determined that the malware would not work against operational control systems. The experts also found that the malware does not exploit any vulnerability in Siemens products.

The experts discovered the threat while analyzing droppers compiled with PyInstaller.

It is notable that two samples of IRONGATE were uploaded to VirusTotal in 2014, but neither was detected as malicious.

The researchers highlighted that no known threat actor has used the malware since its discovery, a circumstance that suggests the code could be a proof of concept (PoC) or a tool developed to study ICS attack techniques.

“In the latter half of 2015, the FireEye Labs Advanced Reverse Engineering (FLARE) team identified several versions of an ICS-focused malware crafted to manipulate a specific industrial process running within a simulated Siemens control system environment. We named this family of malware IRONGATE.” reported FireEye in a blog post.

The attack chain starts with a dropper that checks for the presence of a virtualized environment of the kind researchers use to analyze malware.

IRONGATE droppers would not run if a VMware or Cuckoo Sandbox environment was detected.

If IRONGATE doesn’t detect a virtualized environment, the dropper drops a .NET executable named “scada.exe.” It is not clear what triggers the installation of the MitM payload; the experts suspect that the malicious payload requires manual execution.

Once a system is infected, IRONGATE searches for all DLL libraries whose name ends with “Step7ProSim.dll” and replaces them with a malicious DLL that allows it to manipulate the associated process.

“IRONGATE’s key feature is a man-in-the-middle (MitM) attack against process input-output (IO) and process operator software within industrial process simulation. The malware replaces a Dynamic Link Library (DLL) with a malicious DLL, which then acts as a broker between a PLC and the legitimate monitoring software. This malicious DLL records five seconds of ‘normal’ traffic from a PLC to the user interface and replays it, while sending different data back to the PLC. This could allow an attacker to alter a controlled process unbeknownst to process operators.”
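The record-and-replay behaviour described above leaves a signature on the operator's side: live sensor readings carry measurement noise and never repeat bit-for-bit, whereas a replayed window recurs exactly. The following added example (not FireEye's or Siemens' code) classifies a polled HMI feed as live, frozen (the static display the article attributes to Stuxnet) or replayed; the 1 Hz polling rate and the constructed sample data are assumptions.

```python
import random
from typing import List, Optional

SAMPLE_RATE_HZ = 1          # assumption: the HMI polls the PLC once per second
REPLAY_WINDOW_S = 5         # IRONGATE records five seconds of PLC-to-UI traffic

def find_repeat_period(samples: List[float], max_period: int,
                       min_repeats: int = 3) -> Optional[int]:
    """Smallest period p <= max_period such that the last p*min_repeats
    samples are an exact, back-to-back repetition of one p-sample window.
    Returns None when the tail of the feed does not repeat exactly."""
    for period in range(1, max_period + 1):
        needed = period * min_repeats
        if len(samples) < needed:
            break
        tail = samples[-needed:]
        if all(tail[i] == tail[i + period] for i in range(needed - period)):
            return period
    return None

def classify_feed(samples: List[float], max_period_s: int = 10) -> str:
    """'live' (noisy, non-repeating), 'static' (one frozen value, as on an HMI
    whose PLC stopped updating) or 'replay:<period>' (a window repeated
    verbatim, the pattern a record-and-replay broker DLL produces)."""
    period = find_repeat_period(samples, max_period_s * SAMPLE_RATE_HZ)
    if period is None:
        return "live"
    if period == 1:
        return "static"
    return f"replay:{period}"

def make_live_feed(n: int, setpoint: float = 50.0, seed: int = 7) -> List[float]:
    """Constructed sample data: a level reading with Gaussian measurement noise."""
    rng = random.Random(seed)
    return [setpoint + rng.gauss(0.0, 0.5) for _ in range(n)]

def make_replayed_feed(live: List[float], repeats: int = 6) -> List[float]:
    """Constructed sample data: the first five seconds of the live feed
    replayed verbatim to the UI, while the real process is no longer shown."""
    window = live[:REPLAY_WINDOW_S * SAMPLE_RATE_HZ]
    return live + window * repeats

if __name__ == "__main__":
    live = make_live_feed(30)
    print(classify_feed(live))                       # live
    print(classify_feed(make_replayed_feed(live)))   # replay:5
    print(classify_feed(live + [live[-1]] * 20))     # static
```

In a real deployment the same check would run on values read independently from the PLC (for example over a second channel or historian) and compared with what the operator screen shows, since a broker between PLC and HMI only controls what the HMI sees.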

Experts from Siemens noted that the DLLs targeted by the malware are not used in any standard product, which makes an attack in a real-world scenario impossible.

Probably the most interesting finding about IRONGATE is its similarity to the infamous Stuxnet: according to FireEye, both pieces of malware target a specific process and replace DLLs to manipulate it.

Below are the similarities and differences between the two ICS malware families, as summarized by FireEye:

  • Both pieces of malware look for a single, highly specific process.
  • Both replace DLLs to achieve process manipulation.
  • IRONGATE detects malware detonation/observation environments, whereas Stuxnet looked for the presence of antivirus software.
  • IRONGATE actively records and plays back process data to hide manipulations, whereas Stuxnet did not attempt to hide its process manipulation, but suspended normal operation of the S7-315 so even if rotor speed had been displayed on the HMI, the data would have been static.

Let’s hope that IRONGATE never evolves into a real threat and is never used by threat actors in the wild.


Pierluigi Paganini

(Security Affairs – Stuxnet, ICS malware)
