Cyber Security News

Hackers Using New IoT/OT Malware IOCONTROL To Control IP Cameras, Routers, PLCs, HMIs And Firewalls

Recent cyberattacks targeting critical infrastructure, including fuel management systems and water treatment facilities in Israel and the US, have been attributed to the Iranian-backed CyberAv3ngers. 

The attacks, leveraging a custom-built malware named IOCONTROL, exploit vulnerabilities in IoT and OT devices, such as routers, PLCs, HMIs, and firewalls. 

The malware, designed to operate on various platforms, employs the MQTT protocol for covert communication with the attackers’ command-and-control infrastructure, highlighting the growing threat of nation-state actors targeting critical infrastructure for geopolitical and strategic purposes.

CyberAv3ngers script running, and allegedly bricking, Orpak systems.

They compromised Orpak fuel management systems with IOCONTROL malware, likely in mid-October 2023, where the attackers potentially gained access through a Gasboy payment terminal (OrPT) and targeted 200 gas stations in Israel and the US, which could disrupt gas station operations and steal credit card information. 

2024 MITRE ATT&CK Evaluation Results Released for SMEs & MSPs -> Download Free Guide

The attackers used the domain for command and control. While initial attacks occurred in late 2023, IOCONTROL samples suggest renewed activity in July and August of 2024. 

The key generation routine, performing hash and string operations on a hardcoded GUID.

A combination of static and dynamic analysis methods was utilized in order to conduct an analysis on the IOCONTROL malware sample that was directed at Orpak Fuel Systems. 

Due to its archaic architecture and potentially malicious behavior, emulation using Unicorn was employed to execute and unpack the sample in a controlled environment. The malware was found to use a modified version of the UPX packer to obfuscate its code. 

The encrypted configuration was decrypted using AES-256-CBC with a key and IV derived from a hardcoded GUID, which also served as a unique identifier for the victim and was used to generate other configuration parameters.

A partial list of the configurations used by the malware.

IOCONTROL malware uses DoH (DNS over HTTPS) to stealthily resolve its C2 hostname on Cloudflare’s servers, evading detection by network traffic monitoring tools. 

The malware establishes persistence by adding a boot script and stores itself as “iocontrol” in /usr/bin. It then connects to the C2 using the MQTT protocol on port 8883, authenticating with a GUID-derived client ID, username, and password. 

Upon connection, it sends a “hello” message containing detailed information about the infected device gathered through OS commands, and the malware subscribes to a specific MQTT topic to receive commands from the C2 for execution. 

A reconstruction of the malware’s MQTT connect message.

According to Team 82, it targets embedded Linux devices communicating with a C2 over MQTT and executes commands like remote code execution, self-deletion, and port scanning. 

The malware persists on the device and employs stealth techniques like modified UPX packing and DNS over HTTPS, which has infected various IoT and SCADA devices from multiple vendors, posing a significant threat to industrial control systems.

Investigate Real-World Malicious Links, Malware & Phishing Attacks With ANY.RUN – Try for Free

Aman Mishra

Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Recent Posts

Zoom Workplace Apps Vulnerability Enables Malicious Script Injection Through XSS Flaws

A newly disclosed vulnerability in Zoom Workplace Apps (tracked as CVE-2025-27441 and CVE-2025-27442) allows attackers…

1 hour ago

Fortinet Warns of Multiple Vulnerabilities in FortiAnalyzer, FortiManager, & Other Products

Fortinet has revealed and resolved several vulnerabilities within its range of products, such as FortiAnalyzer,…

2 hours ago

Ivanti Released Security Update With The Fixes for Critical Endpoint Manager RCE Vulnerabilities

Ivanti, a prominent enterprise software provider, has issued an urgent security advisory today addressing multiple…

2 hours ago

Over 5,000 Ivanti Connect Secure Devices Exposed to RCE Vulnerabilities

Over 5,000 Ivanti Connect Secure devices remain vulnerable to a critical remote code execution (RCE)…

4 hours ago

CISA Alerts on Actively Exploited CrushFTP Authentication Bypass Vulnerability

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about an actively…

4 hours ago

Over 26,000 Dark Web Discussions Focused on Hacking Financial Organizations

Radware’s comprehensive research into the cybersecurity landscape has uncovered significant trends shaping the financial services…

4 hours ago