Cyber Security News

Hackers Using New IoT/OT Malware IOCONTROL To Control IP Cameras, Routers, PLCs, HMIs And Firewalls

Recent cyberattacks targeting critical infrastructure, including fuel management systems and water treatment facilities in Israel and the US, have been attributed to the Iranian-backed CyberAv3ngers. 

The attacks, leveraging a custom-built malware named IOCONTROL, exploit vulnerabilities in IoT and OT devices, such as routers, PLCs, HMIs, and firewalls. 

The malware, designed to operate on various platforms, employs the MQTT protocol for covert communication with the attackers’ command-and-control infrastructure, highlighting the growing threat of nation-state actors targeting critical infrastructure for geopolitical and strategic purposes.

CyberAv3ngers script running, and allegedly bricking, Orpak systems.CyberAv3ngers script running, and allegedly bricking, Orpak systems.
CyberAv3ngers script running, and allegedly bricking, Orpak systems.

They compromised Orpak fuel management systems with IOCONTROL malware, likely in mid-October 2023, where the attackers potentially gained access through a Gasboy payment terminal (OrPT) and targeted 200 gas stations in Israel and the US, which could disrupt gas station operations and steal credit card information. 

2024 MITRE ATT&CK Evaluation Results Released for SMEs & MSPs -> Download Free Guide

The attackers used the domain for command and control. While initial attacks occurred in late 2023, IOCONTROL samples suggest renewed activity in July and August of 2024. 

The key generation routine, performing hash and string operations on a hardcoded GUID.

A combination of static and dynamic analysis methods was utilized in order to conduct an analysis on the IOCONTROL malware sample that was directed at Orpak Fuel Systems. 

Due to its archaic architecture and potentially malicious behavior, emulation using Unicorn was employed to execute and unpack the sample in a controlled environment. The malware was found to use a modified version of the UPX packer to obfuscate its code. 

The encrypted configuration was decrypted using AES-256-CBC with a key and IV derived from a hardcoded GUID, which also served as a unique identifier for the victim and was used to generate other configuration parameters.

A partial list of the configurations used by the malware.

IOCONTROL malware uses DoH (DNS over HTTPS) to stealthily resolve its C2 hostname on Cloudflare’s servers, evading detection by network traffic monitoring tools. 

The malware establishes persistence by adding a boot script and stores itself as “iocontrol” in /usr/bin. It then connects to the C2 using the MQTT protocol on port 8883, authenticating with a GUID-derived client ID, username, and password. 

Upon connection, it sends a “hello” message containing detailed information about the infected device gathered through OS commands, and the malware subscribes to a specific MQTT topic to receive commands from the C2 for execution. 

A reconstruction of the malware’s MQTT connect message.

According to Team 82, it targets embedded Linux devices communicating with a C2 over MQTT and executes commands like remote code execution, self-deletion, and port scanning. 

The malware persists on the device and employs stealth techniques like modified UPX packing and DNS over HTTPS, which has infected various IoT and SCADA devices from multiple vendors, posing a significant threat to industrial control systems.

Investigate Real-World Malicious Links, Malware & Phishing Attacks With ANY.RUN – Try for Free

Aman Mishra

Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Recent Posts

Secure Ideas Achieves CREST Accreditation and CMMC Level 1 Compliance

Secure Ideas, a premier provider of penetration testing and security consulting services, proudly announces its…

40 minutes ago

New Phishing Campaign Targets Investors to Steal Login Credentials

Symantec has recently identified a sophisticated phishing campaign targeting users of Monex Securities (マネックス証券), a…

58 minutes ago

UAC-0219 Hackers Leverage WRECKSTEEL PowerShell Stealer to Extract Data from Computers

In a concerning development, CERT-UA, Ukraine's Computer Emergency Response Team, has reported a series of…

1 hour ago

Hunters International Linked to Hive Ransomware in Attacks on Windows, Linux, and ESXi Systems

Hunters International, a ransomware group suspected to be a rebrand of the infamous Hive ransomware,…

1 hour ago

Qilin Operators Imitate ScreenConnect Login Page to Deploy Ransomware and Gain Admin Access

In a recent cyberattack attributed to the Qilin ransomware group, threat actors successfully compromised a…

1 hour ago

Operation HollowQuill Uses Malicious PDFs to Target Academic and Government Networks

A newly uncovered cyber-espionage campaign, dubbed Operation HollowQuill, has been identified as targeting academic, governmental,…

1 hour ago