Researchers at QiAnXin XLab have uncovered a sophisticated Linux-based backdoor dubbed OrpaCrab, specifically targeting industrial systems associated with ORPAK, a company involved in gas stations and oil transportation.
The malware, which was uploaded to VirusTotal in January 2024 from the U.S., employs advanced techniques to evade detection and maintain persistence on compromised systems.
Exploitation of MQTT Protocol for Covert C2 Communication
One of OrpaCrab’s notable features is its utilization of the MQTT (Message Queuing Telemetry Transport) protocol for command and control (C2) communication.
This approach allows the malware to blend its traffic with legitimate MQTT communications, making it challenging for security teams to detect malicious activity.
The backdoor establishes persistence through a script that autostarts from “/etc/rc3.d/” and uses AES-256-CBC encryption to obfuscate its configuration information.
Furthermore, OrpaCrab leverages DNS over HTTPS (DoH) to resolve its C2 domain, effectively bypassing traditional DNS monitoring techniques.
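A detection sketch for the two network behaviours the article attributes to OrpaCrab (MQTT sessions to brokers outside a plant's allow-list, and HTTPS to public DNS-over-HTTPS resolvers that would hide the C2 lookup from ordinary DNS logs), added here as an example and not code from QiAnXin XLab or Claroty; the broker allow-list, the resolver names to watch and the flow records are constructed assumptions:

```python
import ipaddress

# Assumed site policy (not from the article): the one sanctioned MQTT broker,
# and the public DoH resolver names to watch for. Adjust per environment.
APPROVED_MQTT_BROKERS = {"10.0.5.10"}
MQTT_PORTS = {1883, 8883}          # MQTT plain / MQTT over TLS (IANA-registered)
DOH_RESOLVERS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}
INTERNAL = ipaddress.ip_network("10.0.0.0/8")

def parse_flow(line):
    """'src dst dport [sni]' -> dict; sni is the TLS server name if seen."""
    parts = line.split()
    return {"src": parts[0], "dst": parts[1], "dport": int(parts[2]),
            "sni": parts[3].lower() if len(parts) > 3 else ""}

def classify(rec):
    """Alerts for one flow: MQTT to a broker that is not on the allow-list
    (the article's C2-over-MQTT blending), or TLS to a DoH resolver (the
    article's DoH lookup of the C2 domain, invisible to plain DNS logging)."""
    alerts = []
    if rec["dport"] in MQTT_PORTS and rec["dst"] not in APPROVED_MQTT_BROKERS:
        scope = "internal" if ipaddress.ip_address(rec["dst"]) in INTERNAL else "external"
        alerts.append(f"mqtt-to-unapproved-broker:{scope}")
    if rec["dport"] == 443 and rec["sni"] in DOH_RESOLVERS:
        alerts.append("doh-resolver-contact")
    return alerts

def scan(lines):
    """Map each source host to the sorted list of alert types it raised."""
    findings = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rec = parse_flow(line)
        for alert in classify(rec):
            findings.setdefault(rec["src"], set()).add(alert)
    return {host: sorted(a) for host, a in findings.items()}
# Constructed flow records (src dst dport [sni]); not real telemetry.
SAMPLE_FLOWS = """\
10.0.5.21  10.0.5.10     1883
10.0.5.21  198.51.100.7  8883
10.0.5.21  203.0.113.9   443  dns.google
10.0.5.30  10.0.5.10     8883
10.0.5.30  10.0.5.40     443  intranet.example
"""

if __name__ == "__main__":
    for host, alerts in scan(SAMPLE_FLOWS.splitlines()).items():
        print(host, ", ".join(alerts))
```

Only host 10.0.5.21 is flagged in the sample: its 1883 session to the approved broker is silent, while the 8883 session to an outside address and the TLS contact to dns.google each raise an alert.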
Potential Link to CyberAv3ngers Hacking Group
Claroty researchers, who independently analyzed the malware and codenamed it IOCONTROL, reported that it was extracted from a Gasboy fuel management system previously compromised by the CyberAv3ngers hacking group.
This group has been linked to cyberattacks exploiting Unitronics PLCs to breach water systems, suggesting a potential expansion of their targeting to include fuel infrastructure.
The malware’s presence within Gasboy’s Payment Terminal (OrPT) implies that the threat actors had the capability to control payment systems, potentially enabling them to disrupt fuel services and steal customer credit card information.
The discovery of OrpaCrab highlights the evolving threat landscape for operational technology (OT) systems, particularly in critical infrastructure sectors.
The malware’s sophisticated design, including its use of MQTT for C2 communications and its ability to target specific industrial systems, demonstrates the increasing complexity of attacks against OT environments.
This incident serves as a stark reminder for organizations in the energy and transportation sectors to enhance their cybersecurity measures, particularly focusing on securing communication protocols and implementing robust monitoring systems capable of detecting anomalous behavior in industrial control systems.