Cyber Security News

Hackers Using New IoT/OT Malware IOCONTROL To Control IP Cameras, Routers, PLCs, HMIs And Firewalls

Recent cyberattacks targeting critical infrastructure, including fuel management systems and water treatment facilities in Israel and the US, have been attributed to the Iranian-backed CyberAv3ngers. 

The attacks, leveraging a custom-built malware named IOCONTROL, exploit vulnerabilities in IoT and OT devices, such as routers, PLCs, HMIs, and firewalls. 

The malware, designed to operate on various platforms, employs the MQTT protocol for covert communication with the attackers’ command-and-control infrastructure, highlighting the growing threat of nation-state actors targeting critical infrastructure for geopolitical and strategic purposes.

CyberAv3ngers script running, and allegedly bricking, Orpak systems.CyberAv3ngers script running, and allegedly bricking, Orpak systems.
CyberAv3ngers script running, and allegedly bricking, Orpak systems.

They compromised Orpak fuel management systems with IOCONTROL malware, likely in mid-October 2023, where the attackers potentially gained access through a Gasboy payment terminal (OrPT) and targeted 200 gas stations in Israel and the US, which could disrupt gas station operations and steal credit card information. 

2024 MITRE ATT&CK Evaluation Results Released for SMEs & MSPs -> Download Free Guide

The attackers used the domain for command and control. While initial attacks occurred in late 2023, IOCONTROL samples suggest renewed activity in July and August of 2024. 

The key generation routine, performing hash and string operations on a hardcoded GUID.

A combination of static and dynamic analysis methods was utilized in order to conduct an analysis on the IOCONTROL malware sample that was directed at Orpak Fuel Systems. 

Due to its archaic architecture and potentially malicious behavior, emulation using Unicorn was employed to execute and unpack the sample in a controlled environment. The malware was found to use a modified version of the UPX packer to obfuscate its code. 

The encrypted configuration was decrypted using AES-256-CBC with a key and IV derived from a hardcoded GUID, which also served as a unique identifier for the victim and was used to generate other configuration parameters.

A partial list of the configurations used by the malware.

IOCONTROL malware uses DoH (DNS over HTTPS) to stealthily resolve its C2 hostname on Cloudflare’s servers, evading detection by network traffic monitoring tools. 

The malware establishes persistence by adding a boot script and stores itself as “iocontrol” in /usr/bin. It then connects to the C2 using the MQTT protocol on port 8883, authenticating with a GUID-derived client ID, username, and password. 

Upon connection, it sends a “hello” message containing detailed information about the infected device gathered through OS commands, and the malware subscribes to a specific MQTT topic to receive commands from the C2 for execution. 

A reconstruction of the malware’s MQTT connect message.

According to Team 82, it targets embedded Linux devices communicating with a C2 over MQTT and executes commands like remote code execution, self-deletion, and port scanning. 

The malware persists on the device and employs stealth techniques like modified UPX packing and DNS over HTTPS, which has infected various IoT and SCADA devices from multiple vendors, posing a significant threat to industrial control systems.

Investigate Real-World Malicious Links, Malware & Phishing Attacks With ANY.RUN – Try for Free

Aman Mishra

Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Recent Posts

Lumma Stealer Upgraded with PowerShell Tools and Advanced Evasion Techniques

Sophos Managed Detection and Response (MDR) in September 2024, the notorious Lumma Stealer malware has…

49 minutes ago

New Noodlophile Malware Spreads Through Fake AI Video Generation Platforms

Cybercriminals have unleashed a new malware campaign using fake AI video generation platforms as a…

57 minutes ago

Kimsuky Hacker Group Deploys New Phishing Techniques and Malware Campaigns

The North Korean state-sponsored Advanced Persistent Threat (APT) group Kimsuky, also known as “Black Banshee,”…

1 hour ago

APT37 Hackers Use Weaponized LNK Files and Dropbox for Command-and-Control Operations

The North Korean state-sponsored hacking group APT37, also known as ScarCruft, launched a spear phishing…

1 hour ago

Open Source Linux Firewall IPFire 2.29 – Core Update 194 Released: What’s New!

IPFire, the powerful open-source firewall, has unveiled its latest release, IPFire 2.29 – Core Update…

5 hours ago

Threat Actors Leverage DDoS Attacks as Smokescreens for Data Theft

Distributed Denial of Service (DDoS) attacks, once seen as crude tools for disruption wielded by…

5 hours ago