ICS Systems Infected with Sality Malware via Password Recovery Tool

A threat actor is gaining access to industrial control systems (ICS) using a Trojan horse password recovery tool that claims to recover passwords for programmable logic controllers (PLCs) and Human-Machine Interfaces (HMIs). The malware distribution campaign was identified by security researchers at Dragos, who found infected Automation Direct DirectLogic PLCs.

PLC password cracking tools that claim to be able to recover passwords are being advertised on social media websites. The tools can be purchased and do indeed allow the password to be recovered; however, not in the way advertised. The tool exploits a vulnerability in the PLC firmware that allows it to retrieve the password; however, the tool is also a malware dropper that drops Sality malware, which turns the host into a peer in the Sality peer-to-peer botnet.

Dragos reverse engineered the password recovery tool and determined that the tool recovered the password for Automation Direct’s DirectLogic 06 PLC over a serial connection by exploiting the vulnerability CVE-2022-2003. If the user has a direct serial connection from an Engineering Workstation (EWS) to the PLC, malware will be dropped. Dragos reported the vulnerability to Automation Direct and a new version of the firmware has now been released.

The Sality botnet is used for computing tasks such as password cracking and cryptocurrency mining; however, the operator of the botnet could sell access to an infected engineering workstation (EWS) to other threat actors. The password cracking tool was also discovered to drop clipboard hijacking malware, which searches the clipboard for cryptocurrency addresses every 0.5 seconds. If a cryptocurrency address is found, it is replaced with the cryptocurrency address of the threat actor.
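A defender-side check for the clipper behaviour described above, written as an added example (not Dragos's tooling or code from the campaign): it scans a history of clipboard snapshots and flags the case where one wallet address is replaced by a different one within about the 0.5 second interval reported, while ignoring a user who copies different addresses minutes apart. The address patterns, the one-second threshold and the sample clipboard history are constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Address shapes the detector recognises. Assumption: these three families
# are the ones worth watching here; add more patterns as needed.
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{11,71}$"),
    "eth": re.compile(r"^0x[a-fA-F0-9]{40}$"),
}


def address_family(text: str) -> Optional[str]:
    """Return the address family name if text looks like a wallet address, else None."""
    text = text.strip()
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return name
    return None


@dataclass
class Swap:
    at: float       # timestamp (seconds) of the suspicious replacement
    before: str     # address the user copied
    after: str      # address it was silently replaced with


def detect_clipboard_swaps(snapshots: List[Tuple[float, str]], max_gap: float = 1.0) -> List[Swap]:
    """Flag clipboard changes where one wallet address becomes a different one within max_gap seconds.

    snapshots is a time-ordered list of (timestamp_seconds, clipboard_text).
    A human re-copying a different address tens of seconds later is not flagged.
    """
    swaps: List[Swap] = []
    for (t0, prev), (t1, cur) in zip(snapshots, snapshots[1:]):
        if prev.strip() == cur.strip():
            continue  # same content re-read: nothing changed
        if address_family(prev) is None or address_family(cur) is None:
            continue  # only address-to-address replacements are of interest
        if t1 - t0 <= max_gap:
            swaps.append(Swap(t1, prev.strip(), cur.strip()))
    return swaps


# Constructed clipboard history (seconds, content); none of these are real wallets.
SAMPLE_SNAPSHOTS = [
    (0.0, "meeting notes"),
    (1.0, "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"),   # user copies an address
    (1.5, "1AttackerAddrXXXXXXXXXXXXXXXX"),        # 0.5 s later it differs: clipper pattern
    (10.0, "0x" + "1234567890abcdef" * 2 + "12345678"),  # user copies another address later
    (30.0, "0x" + "fedcba0987654321" * 2 + "87654321"),  # 20 s later: legitimate re-copy
]

if __name__ == "__main__":
    for swap in detect_clipboard_swaps(SAMPLE_SNAPSHOTS):
        print(f"t={swap.at}s clipboard address swapped: {swap.before} -> {swap.after}")
```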

Sality malware maintains persistence on an infected host through process injection and file infection and is able to spread copies of itself over Universal Serial Bus (USB), network shares, and external storage devices. While Sality malware does attempt to hide from security solutions, it triggers multiple Windows Defender alerts, and CPU activity on infected devices spikes to 100%, indicating a malware infection.

According to the researchers, Automation Direct is far from the only vendor affected. The threat actor provides password cracking tools for multiple PLCs, HMIs, and project files from vendors including Allen Bradley, Omron, Siemens, ABB, Delta Automation, Fuji Electric, Mitsubishi Electric, Pro-Face, Vigor, Weintek, Panasonic, LG, IDEC, and Fatek.

The use of password cracking tools is a recipe for disaster, as they are commonly used to drop malware. Any user that needs to recover a password for a PLC or HMI should contact the device vendor or Dragos for assistance.

Author: NetSec Editor