Home Security This Malicious Campaign Targets ICS Systems To Create Botnets

This Malicious Campaign Targets ICS Systems To Create Botnets

Source Link

Researchers discovered a malicious campaign against ICS systems to create botnets. This relatively small-scale campaign infects industrial systems with password-cracking tools.

Malicious Campaign targeting ICS Systems To Create Botnets

According to the details shared via a recent post, researchers from the cybersecurity firm Dragos have caught a severe malware campaign targeting industrial control systems. As observed, this malicious campaign targets ICS systems with password cracking tools for programmable logic controllers (PLCs).

The threat actors advertise these tools on various platforms, claiming to unlock PLC and HMI terminals from multiple brands. The targets include Automation Direct, Omron, Siemens, Fuji Electric, Mitsubishi Electric, Pro-Face, Vigor, Panasonic, LG, and more.

In the campaign that the researchers analyzed, they noticed that the advertised password-cracking tool didn’t actually crack anything. Instead, it recovered the password by exploiting a system vulnerability, which, in their case, affected Automation Direct.

Reverse-engineering the supposed password-cracking tool made them identify the underlying malware executing the malicious activities. Identified as “Sality,” this malware typically aims to include infected machines in a botnet. Ultimately, this botnet intends to perform crypto-mining and password cracking activities.

Upon reaching the target system, the malware gains persistence via process injection and file infection. It then even spreads on the network to target other devices by replicating itself onto USBs, external storage drives, and network shares. The payload also drops a clipper malware that keeps checking the clipboard for any crypto wallet address. If detected, the malware replaces it with the attackers’ address to steal money. (This behavior is similar to the Keona clipper.)

Besides, the malware also employs various techniques to evade detection. Nonetheless, its infection may still trigger warning alerts by the antivirus and a raised CPU usage.

The researchers advise users to stay away from different free cracking tools advertised online to avoid such infections.

Let us know your thoughts in the comments.

Related Articles

Leave a Comment

Hata!: SQLSTATE[HY000] [1045] Access denied for user 'divattrend_liink'@'localhost' (using password: YES)