ESET researchers Robert Lipovsky and Anton Cherepanov have released a free tool for the analysis of ICS malware.
The researchers developed an IDAPython script for IDA Pro that malware researchers and cybersecurity experts can use to reverse-engineer binaries that employ the OPC Data Access (OPC DA) industrial communications protocol.
“An IDAPython script for IDA Pro that helps reverse engineer binaries that are using the OPC Data Access protocol,” reads the description published on GitHub.
“It can be used to analyse such malware families as Havex RAT and Win32/Industroyer.
The script identifies CLSID, IID, and LIBID constants and creates structures and enumerations. Afterwards, these structures can be used to annotate COM method call parameters.”
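The first step the GitHub description mentions, identifying CLSID/IID constants in a binary, comes down to knowing how COM stores a GUID in memory (Data1, Data2 and Data3 little-endian, Data4 as-is) and searching for those 16-byte patterns. The following is an added illustration of that idea in plain Python, not ESET's script and not dependent on IDA; the interface names and GUID values are assumed to match the public OPC DA 2.0 header (`opcda.h`) and should be checked against the specification, and the "binary" being scanned is a constructed byte string standing in for a data section.

```python
import uuid
from typing import Dict, List, Tuple

# OPC DA interface IDs, assumed to match the public OPC DA 2.0 header (opcda.h).
# Treat this mapping as an assumption to verify against the specification.
OPC_DA_GUIDS: Dict[str, str] = {
    "IID_IOPCServer":        "39C13A4D-011E-11D0-9675-0020AFD8ADB3",
    "IID_IOPCGroupStateMgt": "39C13A50-011E-11D0-9675-0020AFD8ADB3",
    "IID_IOPCSyncIO":        "39C13A52-011E-11D0-9675-0020AFD8ADB3",
    "IID_IOPCItemMgt":       "39C13A54-011E-11D0-9675-0020AFD8ADB3",
}


def guid_to_com_bytes(text: str) -> bytes:
    """Return the 16-byte in-memory layout of a GUID as a COM binary stores it:
    Data1 (4 bytes), Data2 (2) and Data3 (2) little-endian, Data4 (8) unchanged."""
    return uuid.UUID(text).bytes_le


def build_signature_table(names: Dict[str, str]) -> Dict[bytes, str]:
    """Map each GUID's binary pattern back to its symbolic name (the 'enum' side of the job)."""
    return {guid_to_com_bytes(guid): name for name, guid in names.items()}


def scan_for_guids(blob: bytes, table: Dict[bytes, str]) -> List[Tuple[int, str]]:
    """Find every occurrence of a known GUID pattern; returns (offset, name) sorted by offset."""
    hits: List[Tuple[int, str]] = []
    for pattern, name in table.items():
        start = 0
        while True:
            idx = blob.find(pattern, start)
            if idx < 0:
                break
            hits.append((idx, name))
            start = idx + 1  # overlapping matches cannot occur for distinct GUIDs, but stay safe
    return sorted(hits)


def summarize(hits: List[Tuple[int, str]]) -> Dict[str, int]:
    """Count how often each interface ID appears; a quick triage view of OPC DA usage."""
    counts: Dict[str, int] = {}
    for _, name in hits:
        counts[name] = counts.get(name, 0) + 1
    return counts


# Constructed sample "binary": filler bytes with three GUID constants embedded,
# standing in for the .rdata section of a real executable.
SAMPLE_BLOB = (
    b"\x90" * 16
    + guid_to_com_bytes(OPC_DA_GUIDS["IID_IOPCServer"])
    + b"\x00" * 7
    + guid_to_com_bytes(OPC_DA_GUIDS["IID_IOPCSyncIO"])
    + b"\xcc" * 5
    + guid_to_com_bytes(OPC_DA_GUIDS["IID_IOPCServer"])
)

if __name__ == "__main__":
    table = build_signature_table(OPC_DA_GUIDS)
    for offset, name in scan_for_guids(SAMPLE_BLOB, table):
        print(f"0x{offset:08x}  {name}")
    print(summarize(scan_for_guids(SAMPLE_BLOB, table)))
```

Once an offset is known, the remaining work the description refers to (declaring the GUID structure at that address and naming it, then using the names to annotate calls such as `QueryInterface` or `CoCreateInstance`) is what IDA's own API adds on top; the byte-layout search is the portable part. Note that `bytes_le` is the binary form, so a GUID embedded only as a text string (`"{39C13A4D-...}"`) would need a separate textual search.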
The Havex malware has been used in several targeted attacks in recent months; threat actors have deployed it against different industry sectors.
“If there are other future malware [families] like Industroyer or Havex, [investigators] will have an easier time” finding and analyzing them, Lipovsky says.
“This tool helps you understand what the threat was designed to do,” he says. Detection is important, he says, “but if you want to understand what the attackers are up to, you need to dig in deeply.”
The availability of such open-source tools lets experts analyze ICS malware more rapidly and build automated defenses on top of the results.
Lipovsky and Cherepanov stressed the importance of early threat detection for ICS/SCADA operators.
“A lot of people are downplaying these sorts of things as ‘not an attack.’ Spying is an attack,” said the expert. “These things are detectable.”
Lipovsky announced the tool during a session at the Black Hat hacking conference.
(Security Affairs – ICS malware, power outage)