Saturday, December 7, 2024
Researchers Detailed FrostyGoop Malware Attacking ICS Devices

FrostyGoop is a newly discovered OT-centric malware that exploited Modbus TCP to disrupt critical infrastructure in Ukraine. Capable of both internal and external attacks, it targets industrial control systems (ICS) devices.

By sending malicious Modbus commands, FrostyGoop can cause physical damage to the environment. Analysis has uncovered additional samples, configuration files, and network communication patterns associated with this threat.

Its appearance brings to light the growing concern regarding operational technology malware and the potential for it to have significant effects in the real world.

The ICS-centric malware leverages Modbus TCP to target critical infrastructure devices. Attackers exploited a vulnerability in a MikroTik router to deploy the malware, which can be configured to execute specific operations on Modbus devices.

Disassembled code from a FrostyGoop sample showing a check for the PEB’s BeingDebugged flag.

The malware’s unique characteristics, including its use of an obscure Modbus implementation, JSON configuration, and Goccy’s go-json library, enable its detection and analysis. 

Its implementation of a debugger evasion technique demonstrates the malware's level of sophistication as well as its potential for malicious use.

Analysis revealed a Go-based executable, go-encrypt.exe, designed to encrypt and decrypt JSON files using AES-CFB encryption. It generates a 32-byte key that is stored in a separate file.

While its direct involvement in the FrostyGoop attack is uncertain, its temporal appearance and alignment with FrostyGoop’s JSON file encryption suggest potential use by attackers to obscure sensitive information within JSON files.

Example of a Python script to convert the decimal value of the key to hexadecimal.

FrostyGoop malware, first seen in October 2023, targets ENCO control devices, primarily in Romania and Ukraine, by exploiting vulnerable Telnet ports to access devices and execute Modbus operations. 

The targeted ENCO devices, often using outdated WR740N routers, pose additional security risks due to potential vulnerabilities, which underscores the critical need for securing industrial control systems and addressing outdated infrastructure.

Information gleaned from accessing an ENCO device over a web browser.

FrostyGoop samples primarily use the Modbus TCP protocol to interact with devices over port 502. Their primary function is reading holding registers using function code 3, as defined in the task_test.json configuration.

The number of registers read is determined by the word count value in the configuration, while the samples can also perform write operations to single or multiple registers using function codes 6 and 16, respectively.
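
For defenders, the function codes above map directly onto a monitoring rule. The following added example (not from the original article or the researchers' analysis) parses Modbus/TCP request frames and flags register writes (function codes 6 and 16) from hosts outside an allowlist; the sample frames, source addresses and allowlist are constructed assumptions.

```python
import struct

# Function codes the article attributes to FrostyGoop samples.
FUNCTIONS = {3: "read_holding_registers", 6: "write_single_register",
             16: "write_multiple_registers"}
WRITE_CODES = {6, 16}

def parse_adu(frame: bytes) -> dict:
    """Parse one Modbus/TCP request: 7-byte MBAP header, then the PDU."""
    if len(frame) < 8:
        raise ValueError("shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol id is not 0 (Modbus)")
    if length != len(frame) - 6:  # length field counts unit id + PDU
        raise ValueError("MBAP length does not match frame size")
    fc, body = frame[7], frame[8:]
    rec = {"tid": tid, "unit": unit, "fc": fc, "name": FUNCTIONS.get(fc, "other")}
    if fc in FUNCTIONS:
        if len(body) < 4:
            raise ValueError("truncated request PDU")
        key = "value" if fc == 6 else "count"  # FC3/FC16 carry a register count
        rec["address"], rec[key] = struct.unpack(">HH", body[:4])
    return rec

def alerts(events, allowed_writers):
    """Flag register writes from hosts outside the allowlist, and bad frames."""
    out = []
    for src, frame in events:
        try:
            rec = parse_adu(frame)
        except ValueError as exc:
            out.append((src, "malformed", str(exc)))
            continue
        if rec["fc"] in WRITE_CODES and src not in allowed_writers:
            out.append((src, rec["name"], rec["address"]))
    return out

# Constructed sample traffic to port 502 (documentation-range addresses).
SAMPLE = [
    ("192.0.2.10", bytes.fromhex("00 01 00 00 00 06 01 03 00 00 00 0a")),
    ("192.0.2.10", bytes.fromhex("00 02 00 00 00 06 01 06 00 10 00 ff")),
    ("192.0.2.77", bytes.fromhex("00 03 00 00 00 0b 01 10 00 20 00 02 04 00 01 00 02")),
    ("192.0.2.77", bytes.fromhex("00 04 00 00 00 09 01 06 00 10 00 ff")),
]
ALLOWED_WRITERS = {"192.0.2.10"}  # assumed engineering workstation

if __name__ == "__main__":
    for alert in alerts(SAMPLE, ALLOWED_WRITERS):
        print(alert)
```

In this sample only the write from the unlisted host and the frame with an inconsistent MBAP length are reported; reads and writes from the allowlisted host pass silently.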

Recent cyberattacks on ICS/OT devices and critical infrastructure have exposed the vulnerability of OT environments.

Nations like Ukraine, Romania, Israel, China, Russia, and the US have faced attacks, highlighting the need for stronger cybersecurity measures. 

According to Palo Alto Networks, the integration of OT and IT networks has created new attack vectors, while the rise of ICS-centric malware like FrostyGoop further exacerbates the threat.
