Botnet malware disguises itself as password cracker for industrial controllers

Can't get into that machine? No problem, just trust this completely sketchy looking tool

Industrial engineers and operators are being lured into running backdoor malware disguised as tools for recovering access to work systems.

These programs offer to crack passwords for specific programmable logic controllers, according to security shop Dragos this month.

According to the online ads for these tools, they can help unlock products from more than a dozen electronics manufacturing companies, including Siemens, Mitsubishi, Fuji, Panasonic, LG, and Omron.

All you have to do is purchase the tool, run it on a Windows PC connected to the industrial controller via serial cable, click a button, and the password for the equipment is revealed. Under the hood, the software exploits a vulnerability – tracked as CVE-2022-2003 – in the device's Automation Direct firmware to retrieve the password in plain-text on command.

Meanwhile, the software is infecting the PC with the Sality malware.

The Dragos team wrote up these findings after reverse-engineering a sample of the code and its communications with a DirectLogic 06 PLC from Automation Direct. Dragos contacted Automation Direct about the exploit and the company has since released a firmware update to close the hole.

No terrorism threat?

Once running on the PC, Sality joins a peer-to-peer network, and provides remote access to the system. Its intentions appear to be more financial than destructive, with the software nasty aimed at distributed computing tasks, such as cracking passwords and mining cryptocurrency. In addition, it uses a range of techniques to evade detection.

What's weird is that the malware also deploys code to check the clipboard contents for cryptocurrency wallet addresses, and silently rewrites those details to point to another wallet so as to steal people's funds. Remember, this is running on PCs normally connected to industrial equipment, so perhaps the crooks behind this caper just grabbed some generic nasty to use.
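The clipboard-swap behaviour described above leaves a simple observable on the host: the clipboard changes from one wallet address to a different address of the same family without any copy action by the user. The following is an added example of detection logic for that observable; it is not code from Dragos or from the article. It assumes a hypothetical clipboard monitor that records each clipboard change with a timestamp and whether a user copy shortcut was seen at that moment, and it uses heuristic address patterns for Bitcoin and Ethereum. The sample events are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Heuristic address patterns (constructed for this example; not exhaustive).
ADDRESS_PATTERNS = {
    "bitcoin_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "bitcoin_bech32": re.compile(r"^bc1[a-z0-9]{25,62}$"),
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def classify_address(text: str) -> Optional[str]:
    """Return the address family the text looks like, or None if it is not an address."""
    text = text.strip()
    for family, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return family
    return None


@dataclass
class ClipboardEvent:
    """One clipboard change, as a hypothetical clipboard monitor would record it."""
    ts: float            # seconds since monitor start
    content: str         # clipboard text after the change
    user_initiated: bool  # True if a copy shortcut/command was observed with this change


def detect_swaps(events: List[ClipboardEvent]) -> List[Tuple[float, str, str]]:
    """Flag clipboard changes where a wallet address was replaced by a different
    address of the same family with no user copy action: the clipper signature.
    Returns (timestamp, original_address, replacement_address) tuples."""
    alerts = []
    prev = None
    for ev in events:
        if prev is not None and not ev.user_initiated and ev.content != prev.content:
            prev_family = classify_address(prev.content)
            new_family = classify_address(ev.content)
            if prev_family is not None and new_family == prev_family:
                alerts.append((ev.ts, prev.content, ev.content))
        prev = ev
    return alerts


# Constructed sample data: all addresses below are made up for this example.
USER_BTC_ADDR = "1Abc2Def3Ghi4Jkm5Npq6Rst7Uvw8Xyz9"
SWAPPED_BTC_ADDR = "1Zyx9Wvu8Tsr7Qpn6Mkj5Hgf4Edc3Bba2"
USER_ETH_ADDR = "0x00112233445566778899aabbccddeeff00112233"


def sample_events() -> List[ClipboardEvent]:
    return [
        ClipboardEvent(0.0, "meeting notes", True),          # ordinary copy
        ClipboardEvent(5.0, USER_BTC_ADDR, True),            # user copies their address
        ClipboardEvent(5.2, SWAPPED_BTC_ADDR, False),        # silent replacement: alert
        ClipboardEvent(30.0, USER_ETH_ADDR, True),           # user copies a different family
        ClipboardEvent(31.0, "invoice 4711", True),          # ordinary copy, no alert
    ]


def run_demo() -> List[Tuple[float, str, str]]:
    alerts = detect_swaps(sample_events())
    for ts, original, replacement in alerts:
        print(f"t={ts:.1f}s clipboard address swapped: {original} -> {replacement}")
    return alerts


if __name__ == "__main__":
    run_demo()
```

The check deliberately requires the replacement to be an address of the same family, since a clipper must keep the address shape for the victim to paste it without noticing; an address that simply changes because the user copied something new is not flagged.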

"Dragos assesses with moderate confidence the adversary, while having the capability to disrupt industrial processes, has financial motivation and may not directly impact Operational Technology (OT) processes," the team wrote.

The Sality malware family has been around for almost two decades, first being detected in 2003, and can be commanded by its masterminds to perform other malicious actions, such as attacking routers, F-Secure analysts wrote in a report.

Sality maintains persistence on the host PC through process injection and file infection, and it abuses Windows' autorun functionality to spread copies of itself over USB, network shares, and external storage drives, according to Dragos.

The malware also takes steps to remain undetected, including dropping a kernel driver to start a service aimed at identifying and terminating potential security tools such as antivirus software and firewalls. Dragos researchers also noted reports from others saying that Sality can run network packet filtering to catch connections involving antivirus-related URLs, and will drop outgoing packets containing specific keywords linked to antivirus-vendor websites.

"This could have regulatory implications – since Sality blocks any outgoing connections, antivirus systems will not be able to receive updates, violating reliability standard CIP-007-6," they wrote.

"While Sality makes several attempts to stay hidden, it is quite clear that an infection is taking place. Central Processing Unit (CPU) levels spike to 100% and multiple Windows Defender alerts were triggered" when the security firm ran its tests.

Dragos said it found several websites and multiple social media accounts pushing the booby-trapped password crackers, illustrating an ecosystem for such software.

Engineers may have legitimate reasons for downloading such password-cracking software. For example, they may be on a tight project deadline and need to find a forgotten password, or recover access to a device after its operator suddenly quits without documenting these credentials. However, using a sketchy-looking recovery tool from the internet would introduce "significant and unnecessary risk into the OT environment," Dragos and anyone with common sense concluded. ®
