Malware Aimed At Industrial Engineers Discovered

Share post:

There’s no shortage of tools offered on the internet to help people solve problems. But some are really malware.

According to researchers at Dragos, one is password cracking software for programmable logic controllers (PLCs), Human-Machine Interface (HMI) applications, and project files, which is offered on multiple social media sites. In some cases it will retrieve a password, the researchers said in a blog this week — but only if the PLC application has a vulnerability that can be exploited.

Meanwhile, in the background, the tool is installing a malware dropper, infecting the machine with the Sality malware and turning the host into a peer in Sality’s peer-to-peer botnet.

Dragos found the malware tool can successfully recover Automation Direct’s DirectLogic 06 PLC password over a workstation’s serial connection to a controller by exploiting a vulnerability. This vulnerability, CVE-2022-2003, was disclosed to Automation Direct, which has released a firmware update to fix the problem.

But the researchers also warned the threat actor advertising the so-called cracking application claims it also works on PLC and HMI devices as well as project files from Omron, Siemens, ABB, Delta Automation, Fuji Electric, Mitsubishi, Allen Bradley and others. Dragos didn’t test whether those claims are accurate, but it can confirm the cracking application for those products contains malware.

Images of ads offering PLC password-cracking apps
Dragos offered these examples of PLC password-cracking apps being offered online

The discovery serves as a lesson to organizations that employee security awareness training has to go beyond telling them not to click on links in emails. They have to be regularly reminded to only download applications approved by management.

In explaining who might want to use password-cracking software in an operational technology (OT) environment, Dragos created a fictional situation in which an engineer is promoted and needs to access an application created by his predecessor. Unfortunately, the former employee didn’t leave their password.

“Trojanized software is a common delivery technique for malware, and has been proven effective for gaining initial access to a network,” says the report.

As for the Sality malware, Dragos described it as a peer-to-peer botnet for distributed computing tasks such as password cracking and cryptocurrency mining.

Sality employs process injection and file infection to maintain persistence on the host, the report says. It leverages Windows autorun functionality to spread copies of itself over Universal Serial Bus (USB), network shares, and external storage drives. The sample found by Dragos also drops clipboard hijacking malware that, every half second, checks the clipboard for a cryptocurrency address format. If seen, the hijacker replaces the address with one owned by the threat actor. “This in-real-time hijacking is an effective way to steal cryptocurrency from users wanting to transfer funds, and increases our confidence that the adversary is financially motivated,” the report adds.

To remain undetected, Sality drops a kernel driver and starts a service to identify any potential security products, such as antivirus systems or firewalls, and terminates them. Dragos says that according to various reports online, Sality is able to conduct Internet Protocol (IP) filtering against antivirus-related URLs, and will drop any outgoing packets containing specific keywords known to be connected to antivirus vendor websites. This could have regulatory implications, Dragos says. Since Sality blocks any outgoing connections, antivirus systems will not be able to receive updates, violating reliability standard CIP-007-6.

While Sality makes several attempts to stay hidden, there are obvious signs of infection because central processing unit (CPU) levels will spike 100 per cent and multiple Windows Defender alerts will be triggered.

The post Malware aimed at industrial engineers discovered first appeared on IT World Canada.

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.

Featured Tech Jobs


Related articles

Google Play introduces new biometric verification with a user warning

Google has recently announced updates to the biometric verification process for Google Play purchases, aiming to bolster security...

Cyber Security Today, Week in Review for week ending Friday April 19, 2024

On this episode Jen Ellis, co-chair of the Ransomware Task Force, talks about ways of fighting one of the biggest cyber threats to IT d

Cyber Security Today, April 19, 2024 – Police bust phishing rental platform, a nine-year old virus found on Ukrainian computers, and more

This episode reports on a threat actor targeting governments in the Middle East with a novel way of hiding malware is going international

Controversial expansion of US surveillance powers nears Senate vote

The US Senate is poised to vote on a significant expansion of Section 702 of the Foreign Intelligence...

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways