Hackers Using New IoT/OT Malware IOCONTROL To Control IP Cameras, Routers, PLCs, HMIs And Firewalls

Recent cyberattacks targeting critical infrastructure, including fuel management systems and water treatment facilities in Israel and the US, have been attributed to the Iranian-backed CyberAv3ngers. 

The attacks, leveraging a custom-built malware named IOCONTROL, exploit vulnerabilities in IoT and OT devices, such as routers, PLCs, HMIs, and firewalls. 

The malware, designed to operate on various platforms, employs the MQTT protocol for covert communication with the attackers’ command-and-control infrastructure, highlighting the growing threat of nation-state actors targeting critical infrastructure for geopolitical and strategic purposes.

They compromised Orpak fuel management systems with IOCONTROL malware, likely in mid-October 2023, where the attackers potentially gained access through a Gasboy payment terminal (OrPT) and targeted 200 gas stations in Israel and the US, which could disrupt gas station operations and steal credit card information. 

2024 MITRE ATT&CK Evaluation Results Released for SMEs & MSPs -> Download Free Guide

The attackers used the domain for command and control. While initial attacks occurred in late 2023, IOCONTROL samples suggest renewed activity in July and August of 2024. 

A combination of static and dynamic analysis methods was utilized in order to conduct an analysis on the IOCONTROL malware sample that was directed at Orpak Fuel Systems. 

Due to its archaic architecture and potentially malicious behavior, emulation using Unicorn was employed to execute and unpack the sample in a controlled environment. The malware was found to use a modified version of the UPX packer to obfuscate its code. 

The encrypted configuration was decrypted using AES-256-CBC with a key and IV derived from a hardcoded GUID, which also served as a unique identifier for the victim and was used to generate other configuration parameters.

IOCONTROL malware uses DoH (DNS over HTTPS) to stealthily resolve its C2 hostname on Cloudflare’s servers, evading detection by network traffic monitoring tools. 

The malware establishes persistence by adding a boot script and stores itself as “iocontrol” in /usr/bin. It then connects to the C2 using the MQTT protocol on port 8883, authenticating with a GUID-derived client ID, username, and password. 

Upon connection, it sends a “hello” message containing detailed information about the infected device gathered through OS commands, and the malware subscribes to a specific MQTT topic to receive commands from the C2 for execution. 

According to Team 82, it targets embedded Linux devices communicating with a C2 over MQTT and executes commands like remote code execution, self-deletion, and port scanning. 

The malware persists on the device and employs stealth techniques like modified UPX packing and DNS over HTTPS, which has infected various IoT and SCADA devices from multiple vendors, posing a significant threat to industrial control systems.

Investigate Real-World Malicious Links, Malware & Phishing Attacks With ANY.RUN – Try for Free