Researchers have discovered a new family of malware designed for the sole purpose of disrupting core industrial control systems.
Security experts at FireEye said they had discovered malware created to disrupt industrial control systems running Siemens control system environments. The malware was named Irongate. The researchers found it while analyzing various droppers built with PyInstaller. Two of the malware's samples had been uploaded to VirusTotal in 2014 and were not detected as malicious code.
The malware has some key features. It can launch a man-in-the-middle attack against the operator software, including the process input and output. It also makes use of DLL library files to record the traffic, which makes it impossible for the hackers to change a controlled process without the operators knowing about it. How the man-in-the-middle attack is launched is unknown so far, and the FireEye researchers say the launch might have to be automatic.
Irongate is also said to be able to evade all kinds of protection and most anti-analysis checks, which prevents the researchers from delving deeper into the code. It looks for VMware or Cuckoo sandbox environments, and if they are present, the malware will not install itself. The malware is said to work the same way Stuxnet is said to work, meaning that it attacks ICS systems.
At the moment, however, the malware does this only in simulated environments. It has not been as dangerous and lethal as Stuxnet so far, but there are similarities between the two. Among those similarities, both pieces of malware target a single, specific process. Both also make use of anti-sandbox techniques and replace DLL files.
The ProductCERT security team at Siemens said that the malware did not work against any operational control systems and did not take advantage of any known flaws to hijack industrial processes.
Researchers at FireEye have not been able to link the malware to any specific attack activity to date, which led them to conclude that the malware might be a test case or proof of concept for ICS attack techniques.