IRONGATE, a mysterious ICS Malware discovered in the wild

Pierluigi Paganini June 02, 2016

Experts at FireEye spotted IRONGATE, a mysterious strain of malware that appears to be designed to target industrial control systems (ICS).

Security researchers at FireEye have spotted a new strain of malware, dubbed IRONGATE, that was designed to compromise industrial control systems (ICS). The malicious code was built to manipulate a specific industrial process in a simulated Siemens control system environment.

Siemens has investigated the issue and determined that the malware would not work against operational control systems. The experts also found that the malware does not exploit any vulnerabilities in Siemens products.

The experts discovered the threat while they were analyzing some droppers compiled with PyInstaller.

It is notable that two samples of IRONGATE were uploaded to VirusTotal in 2014, but both weren’t detected as malware.

The researchers highlighted the fact that no known threat actor has leveraged the malware since its discovery, a circumstance that suggests the code could be a proof-of-concept (PoC) or a tool designed to study ICS attack techniques.

“In the latter half of 2015, the FireEye Labs Advanced Reverse Engineering (FLARE) team identified several versions of an ICS-focused malware crafted to manipulate a specific industrial process running within a simulated Siemens control system environment. We named this family of malware IRONGATE.” reported FireEye in a blog post.

The attack chain starts with a dropper that checks for the presence of the virtualized environments used by researchers to analyze malware.

IRONGATE droppers would not run if VMware or Cuckoo Sandbox environments were employed.

If IRONGATE doesn’t find a virtualized environment, the dropper drops a .NET executable named “scada.exe.” It is not clear what triggers the dropper to install the MitM payload; the experts suspect that the malicious payload requires manual execution.

IRONGATE ICS malware

Once a system is infected, IRONGATE searches for all DLL libraries whose name ends with “Step7ProSim.dll” and replaces them with a malicious one that allows it to manipulate the associated process.

“IRONGATE’s key feature is a man-in-the-middle (MitM) attack against process input-output (IO) and process operator software within industrial process simulation. The malware replaces a Dynamic Link Library (DLL) with a malicious DLL, which then acts as a broker between a PLC and the legitimate monitoring software. This malicious DLL records five seconds of ‘normal’ traffic from a PLC to the user interface and replays it, while sending different data back to the PLC. This could allow an attacker to alter a controlled process unbeknownst to process operators.”
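As an added illustration of the defensive side of that replay (example code written for this summary, not FireEye’s or Siemens’ tooling): a monitor that flags an operator-facing feed which repeats an identical, non-flat window of readings end to end, and that cross-checks the feed against an independent tap on the PLC side. The sample readings are constructed, and the plain list-of-floats feed format is an assumption.

```python
from typing import List, Optional, Sequence

# Constructed sample: a 5-sample window of 'normal' readings, replayed three
# times to the operator UI, as the IRONGATE MitM DLL does. Values are made up.
REPLAYED_UI_FEED = [50.0, 50.4, 50.9, 50.6, 50.1] * 3
# Constructed live feed: a real process drifts and does not repeat exactly.
LIVE_FEED = [50.0, 50.4, 50.9, 50.6, 50.1, 50.3, 50.7, 51.0,
             50.8, 50.2, 50.5, 50.9, 51.2, 50.9, 50.4]
# Constructed steady state: a flat signal is normal operation, not a replay.
STEADY_FEED = [60.0] * 15
# Constructed independent tap (e.g. a passive logger on the PLC network):
# the real process ramps while the UI is shown the replayed window.
INDEPENDENT_TAP = [50.0, 50.4, 50.9, 50.6, 50.1, 52.0, 53.5, 55.0,
                   56.5, 58.0, 59.5, 61.0, 62.5, 64.0, 65.5]


def find_replay_period(values: Sequence[float], min_period: int = 2,
                       min_repeats: int = 3) -> Optional[int]:
    """Return the shortest period p such that the feed is an exact repetition
    of its first p samples for at least min_repeats cycles, or None.
    Flat windows are skipped: a constant reading repeating is steady state,
    not a recorded window being played back."""
    n = len(values)
    for p in range(min_period, n // min_repeats + 1):
        if len(set(values[:p])) < 2:
            continue
        if all(values[i] == values[i - p] for i in range(p, n)):
            return p
    return None


def divergent_samples(ui_values: Sequence[float], tap_values: Sequence[float],
                      tolerance: float = 0.5) -> List[int]:
    """Indices where the operator's view differs from the independent tap by
    more than tolerance; non-empty output means the UI is not showing the
    process the PLC is actually reporting."""
    return [i for i, (u, t) in enumerate(zip(ui_values, tap_values))
            if abs(u - t) > tolerance]


if __name__ == "__main__":
    print("replay period (UI feed):", find_replay_period(REPLAYED_UI_FEED))
    print("replay period (live feed):", find_replay_period(LIVE_FEED))
    print("replay period (steady feed):", find_replay_period(STEADY_FEED))
    print("divergent samples:", divergent_samples(REPLAYED_UI_FEED, INDEPENDENT_TAP))
```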

Experts from Siemens noted that the DLLs targeted by the malware are not used in any standard product, which makes an attack in a real-world scenario impossible.

Probably the most interesting discovery made on the IRONGATE malware is its similarity with the popular Stuxnet: according to FireEye, both pieces of malware target a specific process and replace DLLs to manipulate it.

Below are the similarities and differences between the two ICS malware:

  • Both pieces of malware look for a single, highly specific process.
  • Both replace DLLs to achieve process manipulation.
  • IRONGATE detects malware detonation/observation environments, whereas Stuxnet looked for the presence of antivirus software.
  • IRONGATE actively records and plays back process data to hide manipulations, whereas Stuxnet did not attempt to hide its process manipulation, but suspended normal operation of the S7-315 so even if rotor speed had been displayed on the HMI, the data would have been static.

Let’s hope that IRONGATE will never evolve into a real threat and will never be used by threat actors in the wild.

If you appreciate my effort in spreading cyber security awareness, please vote for Security Affairs as best European Security Blog. Vote SecurityAffairs in every section in which it is listed. I’m one of the finalists and I want to demonstrate that the Security Affairs community is a great reality.

https://www.surveymonkey.com/r/secbloggerwards2016

Thank you

Pierluigi


Pierluigi Paganini

(Security Affairs – Stuxnet, ICS malware)
