Security researchers have disclosed a subtle piece of intrusive malware. It uses techniques similar to the Stuxnet sabotage malware to compromise Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) systems. Researchers at security firm FireEye's Labs Advanced Reverse Engineering (FLARE) team said that the malware, designated "IRONGATE", targets a simulated Siemens industrial control system environment.
Yet IRONGATE is not viable against operational Siemens control systems. According to FireEye's blog post, Siemens said the malware is not advanced enough to impact real-world systems: IRONGATE "is not viable against operational Siemens control systems," the company said, and it "does not exploit any vulnerabilities in Siemens products." The malware nevertheless shows behaviour similar to Stuxnet, which was reportedly created by the US and Israel to disrupt Iran's nuclear programme and went on to destroy centrifuges at the country's uranium enrichment facility.
Concepts of Irongate Malware
IRONGATE's main feature is a man-in-the-middle (MitM) attack against process input/output (IO) and process operator software within an industrial process simulation. The malware replaces a Dynamic Link Library (DLL) with a malicious one, which then acts as a broker between a PLC and the legitimate monitoring software. According to FireEye, the broker records five seconds of "normal" traffic from the PLC to the user interface and replays it to the operator while sending different data back to the PLC, so the operator's screen shows nothing unusual.
IRONGATE's second important feature is sandbox evasion. Some of the IRONGATE droppers would not run if a VMware or Cuckoo Sandbox environment was detected. The malware uses this to avoid detection and resist analysis. It also implies that IRONGATE's purpose was malicious, as opposed to a tool written for legitimate testing: legitimate software has no reason to hide from an analysis environment.
The IRONGATE droppers are compiled with PyInstaller, a technique used by numerous malicious actors. Each dropper contains the payload that implements the malware's functionality.
Unique Features for ICS Malware
Although IRONGATE cannot be compared with Stuxnet in terms of complexity, ability to propagate, or geopolitical implications, it shares some of the features and techniques Stuxnet used to manipulate centrifuge rotor speeds at the Natanz uranium enrichment facility:
- Both pieces of malware look for a single, highly specific process.
- Both replace DLLs to manipulate that process.
- IRONGATE detects malware detonation/observation environments, whereas Stuxnet looked for the presence of antivirus software.
FireEye has identified six IRONGATE droppers: bla.exe, update.exe1, update_no_pipe.exe1, update_no_pipe.exe2, update_no_pipe.exe2, update.exe3. Several of these Python-based droppers first check whether they are executing in a VMware or Cuckoo Sandbox environment; if one is found, the dropper exits without running its payload.
Four of the droppers (update.exe1, update_no_pipe.exe1, update_no_pipe.exe2, and update.exe3) detect Cuckoo environments by scanning the subdirectories of %SystemDrive%. Directories whose names are longer than five but shorter than ten characters are inspected for the subdirectories drop, files, logs, memory, and shots; if a directory contains all of them, the dropper assumes it is running under Cuckoo.
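The directory heuristic described above, re-implemented in Python as an added example. This is not IRONGATE's own code: the function names are ours, the sample listing is constructed, and the VMware check, whose details the page does not give, is not modelled. The heuristic is separated from the filesystem walk so it can be exercised on a plain dictionary of directory names.

```python
"""Added example: the Cuckoo-directory heuristic from the text, re-implemented
in Python. Not IRONGATE's own code; function names are ours, and the VMware
check (whose details the page does not give) is not modelled."""
import os

# Subdirectory names the droppers look for inside each candidate directory.
CUCKOO_MARKERS = frozenset({"drop", "files", "logs", "memory", "shots"})


def is_cuckoo_like(name, children):
    """True when a directory matches the heuristic: its name is longer than
    five and shorter than ten characters, and all marker subdirectories exist."""
    return 5 < len(name) < 10 and CUCKOO_MARKERS <= set(children)


def find_cuckoo_dirs(listing):
    """listing maps each top-level directory name to the set of its child
    directory names. Returns the sorted names that look like Cuckoo folders."""
    return sorted(name for name, kids in listing.items() if is_cuckoo_like(name, kids))


def listing_from_disk(root):
    """Build that listing from a real filesystem root, one level deep, ignoring
    files, symlinks and anything we are not permitted to read."""
    listing = {}
    try:
        with os.scandir(root) as top:
            for entry in top:
                if not entry.is_dir(follow_symlinks=False):
                    continue
                try:
                    with os.scandir(entry.path) as sub:
                        kids = {c.name for c in sub if c.is_dir(follow_symlinks=False)}
                except OSError:
                    kids = set()
                listing[entry.name] = kids
    except OSError:
        pass
    return listing


def running_in_cuckoo(root=None):
    """What a dropper would call before unpacking its payload. Defaults to the
    %SystemDrive% root on Windows; on other platforms the default path does not
    exist and the check simply reports False."""
    if root is None:
        root = os.environ.get("SystemDrive", "C:") + os.sep
    return bool(find_cuckoo_dirs(listing_from_disk(root)))


if __name__ == "__main__":
    # Constructed sample listing: one Cuckoo-style folder and two decoys.
    sample = {
        "cuckoo": {"drop", "files", "logs", "memory", "shots"},   # 6 chars, all markers
        "Users": {"drop", "files", "logs", "memory", "shots"},    # name too short
        "ProgramData": {"drop", "files", "logs"},                 # too long, markers missing
    }
    print(find_cuckoo_dirs(sample))   # ['cuckoo']
    print(running_in_cuckoo())
```

The check is brittle by design of its target: an analyst who places the analysis folder under a name outside the six-to-nine character window, or relocates any one of the marker subdirectories, causes the droppers to proceed and detonate normally.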
WriteInputPoint(0x110, 0, 0x7763)
WriteInputPoint(0x114, 0, 0x7763)
Equivalent pseudocode from Biogas.exe:
S7ProSim.WriteInputPoint(0x110, 0, (short)this.Pressure.Value)
S7ProSim.WriteInputPoint(0x114, 0, (short)this.Temperature.Value)
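An in-memory model of the DLL-broker man-in-the-middle described under "Concepts of Irongate Malware", tied to the WriteInputPoint calls listed above, as an added example. It is not IRONGATE's or Siemens' code: FakePLC and RecordReplayBroker are stand-ins of our own, the sensor values are constructed, and only the addresses 0x110 and 0x114 and the constant 0x7763 are taken from the page. FireEye's write-up describes the malicious DLL recording a few seconds of normal PLC-to-HMI traffic and replaying it to the operator while different values go to the PLC; the model does the same thing in memory.

```python
"""Added example: an in-memory model of IRONGATE's DLL-broker man-in-the-middle.
Not the malware's code; FakePLC and RecordReplayBroker are our stand-ins. The
addresses 0x110 and 0x114 and the value 0x7763 come from the calls on the page."""
from collections import deque

PRESSURE_ADDR = 0x110
TEMPERATURE_ADDR = 0x114
FORCED_VALUE = 0x7763


class FakePLC:
    """Constructed stand-in for the simulated PLC: a table of input points."""
    def __init__(self):
        self.inputs = {}

    def write_input_point(self, addr, bit, value):
        self.inputs[addr] = value

    def read_input_point(self, addr):
        return self.inputs.get(addr, 0)


class RecordReplayBroker:
    """Occupies the place of the legitimate IO DLL between HMI and PLC.

    While not armed it is a transparent pass-through that keeps a sliding
    window of genuine readings. Once armed, HMI writes to overridden addresses
    are replaced with attacker values before they reach the PLC, and HMI reads
    are answered from the recorded window, so the operator screen looks normal.
    """
    def __init__(self, plc, window=5):
        self.plc = plc
        self.window = window
        self.recorded = {}     # addr -> deque of genuine values seen by the HMI
        self.overrides = {}    # addr -> value forced into the PLC while armed
        self.armed = False

    def arm(self, overrides):
        self.overrides = dict(overrides)
        self.armed = True

    def write_input_point(self, addr, bit, value):
        if self.armed and addr in self.overrides:
            value = self.overrides[addr]          # the operator's value is dropped
        self.plc.write_input_point(addr, bit, value)

    def read_input_point(self, addr):
        real = self.plc.read_input_point(addr)
        buf = self.recorded.setdefault(addr, deque(maxlen=self.window))
        if not self.armed:
            buf.append(real)                      # learn what "normal" looks like
            return real
        if not buf:
            return real                           # nothing recorded yet; fall back
        replayed = buf[0]
        buf.rotate(-1)                            # loop the recording
        return replayed


def demo():
    """Normal operation, then the attack. Returns what the PLC actually holds
    and what the HMI is shown afterwards."""
    plc = FakePLC()
    broker = RecordReplayBroker(plc, window=5)
    for pressure in (3000, 3010, 3020):          # constructed sensor values
        broker.write_input_point(PRESSURE_ADDR, 0, pressure)
        broker.read_input_point(PRESSURE_ADDR)
    broker.arm({PRESSURE_ADDR: FORCED_VALUE, TEMPERATURE_ADDR: FORCED_VALUE})
    broker.write_input_point(PRESSURE_ADDR, 0, 3030)     # never reaches the PLC
    broker.write_input_point(TEMPERATURE_ADDR, 0, 450)   # neither does this
    return {
        "plc_pressure": plc.read_input_point(PRESSURE_ADDR),
        "plc_temperature": plc.read_input_point(TEMPERATURE_ADDR),
        "hmi_sees": [broker.read_input_point(PRESSURE_ADDR) for _ in range(4)],
    }


if __name__ == "__main__":
    print(demo())
```

The point for defenders is that once the broker is in place, the values on the operator's screen carry no information about the process; detection has to come from the integrity of the DLL itself (hashes, signatures, load-order monitoring) or from a second, independent view of the PLC, not from the HMI.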
The remaining dropper, update.exe2, contains the artifacts
File MD5 Hashes and Compile Times
For more info, visit this link – https://www.fireeye.com/blog/threat-research/2016/06/irongate_ics_malware.html