Dragos details Trojan Horse malware, password cracking ecosystem affecting industrial operators

Dragos researchers have uncovered a small-scale technique targeting industrial engineers and operators, found during a routine vulnerability assessment. The technique relies on multiple accounts across a variety of social media websites that advertise programmable logic controller (PLC), human-machine interface (HMI), and project file password cracking software. Buyers are told they can retrieve forgotten passwords by ‘running an executable’ provided by the seller that targets a specific industrial system.

Sam Hanson, a Dragos researcher, explained in a recent blog post, using an example advertisement, why this raises the question ‘Who would buy this?’ Any information security professional would caution against downloading and running software from an untrusted party. “Take the following as an example: an engineer named Troy just got promoted to senior engineer when his old colleague, Hector, retired after serving 30 years at an electric utility. Troy needs to update some ladder logic Hector wrote on Automation Direct’s DirectLogic 06 PLC. After firing up the PLC programming software, DirectSOFT, a password prompt pops up,” he added.

“Troy doesn’t know the password, and Hector left a few months ago and is now vacationing on a boat without service indefinitely,” according to Hanson. “Troy looks for answers online, and seeing an advertisement for PLC password cracking software, decides to give it a go. Cassandra, Troy’s security-conscious coworker, warns against introducing this unnecessary risk into their OT environment. But Troy insists this is a time-sensitive task. He purchases the software and runs it on his engineering workstation,” he added.

Troy successfully recovers the PLC password, but a couple of minutes later he discovers that the engineering workstation is acting strangely, the post pointed out.

The Hanover, Maryland-based company estimates that Automation Direct is far from the only vendor affected. Dragos is aware that this specific threat actor advertises password cracking software for several PLCs, HMIs, and project files from various vendors, including Omron, Siemens, Mitsubishi Electric, LG, and ABB, it added. 

Dragos said that trojanized software is a common delivery technique for malware and has proven effective for gaining initial access to a network. “While in our fictitious example Troy had a legitimate reason for downloading the password cracking software, doing so from an unknown actor introduced significant and unnecessary risk into the OT environment,” it added.

The company’s researchers confirmed that the password retrieval exploit embedded in the malware dropper successfully recovers the Automation Direct DirectLogic 06 PLC password over a serial connection. “From a user’s perspective, they simply need to have a connection from the Windows machine to the PLC, then specify the COM port to communicate over and click the ‘READPASS’ button. A second or two later, the password is shown to the user,” they added.

Previous research targeting DirectLogic PLCs has produced working cracking techniques. However, Dragos found that this exploit does not crack a scrambled version of the password, as historically seen in popular exploitation frameworks. Instead, the malware dropper sends a specific byte sequence to the COM port, and the PLC returns the password.

“Capturing the serial traffic sent by the exploit allowed Dragos researchers to recreate it outside of the malware dropper,” Hanson wrote. “The malware contains a serial-only version of the exploit, requiring the user to have a direct serial connection from an Engineering Workstation (EWS) to the PLC. Dragos researchers were able to successfully recreate the exploit over Ethernet, increasing the severity of this vulnerability significantly. This vulnerability was assigned CVE-2022-2003 and was responsibly disclosed to Automation Direct. They have released a firmware update to fix this issue,” he added.

Dragos said that it only tested the DirectLogic-targeting sample. “However, initial dynamic analysis of a couple of other samples indicates they also contain malware. In general, it appears there is an ecosystem for this type of software. Several websites and multiple social media accounts exist all touting their password ‘crackers,’” the post added.

Hanson also detailed Sality, a peer-to-peer botnet used for distributed computing tasks such as password cracking and cryptocurrency mining. A Sality infection could give an unknown adversary remote access to an EWS. “Dragos assesses with moderate confidence that the adversary, while having the capability to disrupt industrial processes, has a financial motivation and may not directly impact operational technology (OT) processes,” he wrote.

Dragos evaluated that Sality employs process injection and file infection to maintain persistence on the host. It abuses Windows autorun functionality to spread copies of itself over universal serial bus (USB) devices, network shares, and external storage drives. “This specific sample of Sality also drops clipboard hijacking malware that, every half second, checks the clipboard for a cryptocurrency address format. If seen, the hijacker replaces the address with one owned by the threat actor. This in-real-time hijacking is an effective way to steal cryptocurrency from users wanting to transfer funds and increases our confidence that the adversary is financially motivated.”
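The clipboard hijacking behaviour described above is simple enough to model and, more usefully, to detect. The following is an added example, not code from Dragos or from the Sality sample: `hijack()` reproduces the swap logic (match an address format, substitute the attacker's wallet), and `detect_swaps()` is a monitor-side check that flags an address being replaced by a different address of the same format by a different clipboard owner. The address regexes, the process names, the wallet addresses and the snapshot sequence are all constructed for the example; the page does not publish the sample's own patterns or indicators. The owner field assumes a polling layer that resolves the Win32 `GetClipboardOwner()` window to a process name, which is not shown here.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Address formats to watch. Assumption: the page does not publish the sample's
# regexes, so these are ordinary Bitcoin (legacy and bech32) and Ethereum patterns.
ADDRESS_PATTERNS: Dict[str, re.Pattern] = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{25,62}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def address_format(text: str) -> Optional[str]:
    """Name of the cryptocurrency address format `text` matches, or None."""
    text = text.strip()
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return name
    return None


def hijack(clipboard_text: str, attacker_addresses: Dict[str, str]) -> str:
    """What the hijacker does on each 500 ms poll: if the clipboard holds an
    address of a format the attacker has a wallet for, return that wallet instead."""
    fmt = address_format(clipboard_text)
    if fmt is not None and fmt in attacker_addresses:
        return attacker_addresses[fmt]
    return clipboard_text


# One clipboard observation: time in ms, clipboard text, and the image name of the
# process that owns the clipboard. Assumption: the polling layer resolves
# GetClipboardOwner() to a process name; that plumbing is not shown here.
Snapshot = Tuple[int, str, str]


@dataclass
class Swap:
    t_ms: int
    fmt: str
    original: str
    replacement: str
    owner: str


def detect_swaps(snapshots: List[Snapshot]) -> List[Swap]:
    """Flag every point where an address was replaced by a *different* address of
    the *same* format and the clipboard owner changed. A user copying a second
    address from the same wallet app does not trip this; another process
    rewriting the address does."""
    swaps: List[Swap] = []
    prev: Optional[Tuple[str, str, str]] = None  # (fmt, text, owner)
    for t_ms, text, owner in snapshots:
        fmt = address_format(text)
        if fmt is None:
            prev = None  # clipboard now holds something else; nothing to protect
            continue
        text = text.strip()
        if prev is not None:
            prev_fmt, prev_text, prev_owner = prev
            if fmt == prev_fmt and text != prev_text and owner != prev_owner:
                swaps.append(Swap(t_ms, fmt, prev_text, text, owner))
        prev = (fmt, text, owner)
    return swaps


# Constructed scenario: two user copies, each rewritten 500 ms later.
USER_BTC = "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"
USER_ETH = "0x52908400098527886E0F7030069857D2E4169EE7"
ATTACKER = {  # constructed attacker wallets, not real indicators
    "btc_legacy": "1DemoAttackerAddr4ThisExamp1eXXXXX",
    "eth": "0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef",
}

SAMPLE_SNAPSHOTS: List[Snapshot] = [
    (0, "invoice #4471", "notepad.exe"),
    (500, USER_BTC, "electrum.exe"),
    (1000, hijack(USER_BTC, ATTACKER), "svchost.exe"),  # constructed owner name
    (1500, hijack(USER_BTC, ATTACKER), "svchost.exe"),  # unchanged, no new alert
    (2000, USER_ETH, "metamask.exe"),
    (2500, hijack(USER_ETH, ATTACKER), "svchost.exe"),
]

if __name__ == "__main__":
    for s in detect_swaps(SAMPLE_SNAPSHOTS):
        print(f"t={s.t_ms}ms {s.fmt}: {s.original} -> {s.replacement} (owner {s.owner})")
```

Run against the constructed snapshots, the monitor reports two swaps (the BTC and the ETH copy) and stays quiet on the unchanged poll at 1500 ms. On a real EWS the same check would sit behind a clipboard poll at least as frequent as the hijacker's 500 ms interval, and an alert would carry the owning process so that it can be triaged alongside the CPU spike and Defender alerts the post describes.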

“To remain undetected, Sality drops a kernel driver and starts a service to identify any potential security products such as antivirus systems or firewalls and terminates them,” according to Hanson. According to various online reports, Sality can conduct Internet Protocol (IP) filtering against antivirus-related URLs and will drop any outgoing packets containing specific keywords known to be connected to antivirus vendor websites, the post said.

“This could have regulatory implications – since Sality blocks these outgoing connections, antivirus systems will not be able to receive updates, violating reliability standard CIP-007-6,” Hanson’s post pointed out. “While Sality makes several attempts to stay hidden, it is quite clear that an infection is taking place. Central Processing Unit (CPU) levels spike to 100% and multiple Windows Defender alerts were triggered,” it added.
