Industrial Control Systems Grapple with Novel Malware Worm Bypassing Air-Gapped Defenses
Kaspersky Researchers Discover Malware

Overt Operator
August 01, 2023
Security teams operating in industrial control systems (ICS) environments are wrestling with a cyber worm that breaches even air-gapped defenses.
Kaspersky ICS-CERT researchers, investigating cyberattacks against ICS and critical infrastructure in Eastern Europe, have discovered a novel second-stage malware that bypasses the protection normally afforded by air-gapped systems. The attackers aimed to establish a lasting presence on target networks for data exfiltration, the investigation found.
Initially, the attackers use known remote access and data collection tools to gain a foothold in the ICS network. They then deploy a "sophisticated" modular malware against the air-gapped ICS networks, infecting removable storage drives with a worm that carries the targeted data off those networks. At this stage, they are only one step away from being able to transmit the stolen data out of the organization.
"The malware, specifically engineered to exfiltrate data from air-gapped systems by infecting removable drives, consists of at least three modules. Each is responsible for distinct tasks, such as profiling and handling removable drives, capturing screenshots, and installing second-step malware on newly connected drives," the report stated.
The team also detected another second-stage implant used in these attacks, one that transmits stolen data from the local computer to Dropbox, Kaspersky revealed.
The attackers evaded detection by hiding encrypted payloads inside the binary file and using DLL hijacking to load the malware into the memory of legitimate applications, the researchers explained.
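The article describes two behaviours a defender can hunt for: executables launched from removable drives (the worm stage above) and DLLs loaded into trusted applications through search-order hijacking. The following is an added example, not code from the Kaspersky report or the article, showing how such a triage filter might look over endpoint telemetry. The record formats are loosely modelled on Sysmon Event ID 1 (process create) and Event ID 7 (image load), the list of hijack-prone DLL names is illustrative rather than exhaustive, the set of removable drive letters is assumed to come from a hypothetical endpoint inventory (Sysmon does not record volume type), and every log record is constructed sample data.

```python
"""Added example: triage filter for two behaviours the article names.
Not from the Kaspersky report or the article. Record formats are loosely
modelled on Sysmon EID 1 / EID 7; all records below are constructed."""
from dataclasses import dataclass
import ntpath

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# DLLs that normally resolve from the system directory. Because the
# application's own folder is searched before the system directory, a
# same-named DLL placed there is loaded instead: the hijack pattern the
# article mentions. Illustrative list, not exhaustive (assumption).
HIJACK_PRONE_DLLS = {"version.dll", "dwmapi.dll", "cryptsp.dll",
                     "wtsapi32.dll", "uxtheme.dll", "userenv.dll"}


@dataclass(frozen=True)
class ImageLoad:
    """Sysmon EID 7-style record (constructed)."""
    process: str          # the loading process
    loaded: str           # the DLL that was mapped
    loaded_signed: bool   # signature status of the DLL
    process_signed: bool  # signature status of the process


@dataclass(frozen=True)
class ProcessCreate:
    """Sysmon EID 1-style record (constructed)."""
    image: str
    parent: str


def dll_hijack_findings(events):
    """Flag image loads that look like DLL search-order hijacking."""
    findings = []
    for e in events:
        path = e.loaded.lower()
        if path.startswith(SYSTEM_DIRS):
            continue                          # loaded from where it belongs
        name = ntpath.basename(path)
        reasons = []
        if name in HIJACK_PRONE_DLLS:
            reasons.append(f"{name} loaded outside the system directory")
        if e.process_signed and not e.loaded_signed:
            reasons.append("unsigned DLL loaded by a signed process")
        if reasons:
            findings.append((e.process, e.loaded, tuple(reasons)))
    return findings


def removable_exec_findings(events, removable_letters):
    """Flag process launches whose image lives on a removable volume.

    `removable_letters` is assumed to come from an endpoint inventory
    (hypothetical data source); Sysmon itself does not record volume type.
    """
    letters = {letter.upper() for letter in removable_letters}
    return [(e.image, e.parent) for e in events
            if len(e.image) > 1 and e.image[1] == ":"
            and e.image[0].upper() in letters]


# Constructed telemetry: one benign load, two suspicious loads, and one
# launch from a USB volume (E:) next to a normal launch.
SAMPLE_LOADS = [
    ImageLoad(r"C:\Program Files\Vendor\app.exe",
              r"C:\Windows\System32\version.dll", True, True),
    ImageLoad(r"C:\Program Files\Vendor\app.exe",
              r"C:\Program Files\Vendor\version.dll", False, True),
    ImageLoad(r"C:\Users\op\AppData\Local\tool\tool.exe",
              r"C:\Users\op\AppData\Local\tool\helper.dll", False, True),
]
SAMPLE_PROCS = [
    ProcessCreate(r"E:\report.pdf.exe", r"C:\Windows\explorer.exe"),
    ProcessCreate(r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for finding in dll_hijack_findings(SAMPLE_LOADS):
        print("DLL hijack indicator:", finding)
    for finding in removable_exec_findings(SAMPLE_PROCS, {"E"}):
        print("Executable run from removable volume:", finding)
```

Both checks are deliberately coarse: a signed application loading an unsigned DLL from its own folder is common in legitimate software, so in practice the output is a hunting lead to be correlated with the drive-insertion events and outbound Dropbox traffic the article describes, not an alert on its own.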
"The threat actor's deliberate efforts to obfuscate their actions through encrypted payloads, memory injections, and DLL hijacking highlight the sophistication of their tactics," said Kirill Kruglov, a senior security researcher at Kaspersky ICS CERT, speaking on the discoveries, as he was quoted by the company's news site.
To execute the full data exfiltration, the final element of the cyber attack chain would require a third set of tools that upload the stolen data to the command and control server (C2).
Kruglov confirmed that Kaspersky's team is continuing the investigation, underlining the seriousness of the threat to industrial control systems worldwide, media reports stated.