Researchers Detailed FrostyGoop Malware Attacking ICS Devices

FrostyGoop, a newly discovered OT-centric malware that exploited Modbus TCP to disrupt critical infrastructure in Ukraine, capable of both internal and external attacks, targets industrial control systems (ICS) devices. 

By sending malicious Modbus commands, FrostyGoop can cause physical damage to the environment, as analysis has uncovered additional samples, configuration files, and network communication patterns associated with this threat. 

It’s appearance brings to light the growing concern regarding operational technology malware and the potential for it to have significant effects in the real world.

Maximizing Cybersecurity ROI: Expert Tips for SME & MSP Leaders – Attend Free Webinar

A newly discovered ICS-centric malware leverages Modbus TCP to target critical infrastructure devices, where attackers exploited a vulnerability in a MikroTik router to deploy the malware, which can be configured to execute specific operations on Modbus devices. 

The malware’s unique characteristics, including its use of an obscure Modbus implementation, JSON configuration, and Goccy’s go-json library, enable its detection and analysis. 

An implementation of a debugger evasion technique demonstrates the level of sophistication it possesses as well as its potential for negative application.

Analysis revealed a Go-based executable, go-encrypt.exe, designed to encrypt and decrypt JSON files using AES-CFB encryption, which generates a 32-byte key stored in a separate file. 

While its direct involvement in the FrostyGoop attack is uncertain, its temporal appearance and alignment with FrostyGoop’s JSON file encryption suggest potential use by attackers to obscure sensitive information within JSON files.

FrostyGoop malware, first seen in October 2023, targets ENCO control devices, primarily in Romania and Ukraine, by exploiting vulnerable Telnet ports to access devices and execute Modbus operations. 

The targeted ENCO devices, often using outdated WR740N routers, pose additional security risks due to potential vulnerabilities, which underscores the critical need for securing industrial control systems and addressing outdated infrastructure.

FrostyGoop samples primarily utilize the Modbus TCP protocol to interact with devices over port 502, whose primary function is reading holding registers using function code 3, as defined in the task_test.json configuration. 

The number of registers read is determined by the word count value in the configuration, while the samples can also perform write operations to single or multiple registers using function codes 6 and 16, respectively.

Recent cyberattacks on ICS/OT devices and critical infrastructure have exposed the vulnerability of OT environments.

Nations like Ukraine, Romania, Israel, China, Russia, and the US have faced attacks, highlighting the need for stronger cybersecurity measures. 

According to Palo Alto Networks, the integration of OT and IT networks has created new attack vectors, while the rise of CS-centric malware like FrostyGoop further exacerbates the threat.

Are you from SOC/DFIR Teams? – Analyse Malware Files & Links with ANY.RUN -> Try for Free