Iran-affiliated threat actors have recently been connected to a new custom malware designed to target IoT and operational technology (OT) environments in Israel and the United States. Known as IOCONTROL, this malware has the capability to attack IoT and supervisory control and data acquisition (SCADA) devices such as IP cameras, routers, PLCs, HMIs, firewalls, and other Linux-based IoT/OT platforms. Despite being custom-built, the malware is versatile enough to run on various platforms from different vendors due to its modular configuration, according to OT cybersecurity company Claroty.
IOCONTROL marks the tenth malware family to specifically target Industrial Control Systems (ICS), following notorious predecessors like Stuxnet, Havex, and Triton. Claroty analyzed a malware sample extracted from a Gasboy fuel management system compromised by the Cyber Av3ngers hacking group. This cyber weapon was embedded within Gasboy’s Payment Terminal, giving the threat actors the ability to shut down fuel services and potentially steal credit card information from customers.
The malware’s end goal is to deploy a backdoor that activates upon device restart. Notably, IOCONTROL uses MQTT, a messaging protocol common on IoT devices, for its communications, which lets the operators blend malicious traffic in with legitimate device telemetry. Furthermore, the malware resolves its command-and-control (C2) domains through Cloudflare’s DNS-over-HTTPS (DoH) service, a tactic also employed by Chinese and Russian nation-state groups to avoid the detection that cleartext DNS requests would invite.
Upon establishing a successful C2 connection, IOCONTROL transmits device information to the server and awaits further commands for execution. Supported commands include executing arbitrary operating system commands, terminating the malware (self-delete), and scanning an IP range on a specific port. Even this basic command set is enough for the operators to control compromised IoT devices remotely and, where needed, move laterally to other hosts.
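The three network behaviours described above (DoH to Cloudflare from a device that should not need it, MQTT to a broker the plant does not own, and a fan-out scan of one port across many hosts) are all visible in flow telemetry, so a defender can look for them without a sample of the malware. The following is an added detection sketch written for this page; it is not Claroty's code or part of the original analysis. The OT subnet, the broker allowlist, the scan threshold and the sample flow records are constructed assumptions for the example; the Cloudflare resolver addresses and hostnames are the publicly documented DoH endpoints.

```python
"""Flag IOCONTROL-style network behaviour in NetFlow-like records.

Added example for this article, not the malware author's or Claroty's code.
All site-specific values below are assumptions; tune them to your network.
"""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

# Public Cloudflare DoH endpoints (well known, not site specific).
CLOUDFLARE_DOH_IPS = {"1.1.1.1", "1.0.0.1"}
CLOUDFLARE_DOH_HOSTS = {"cloudflare-dns.com", "one.one.one.one"}
MQTT_PORTS = {1883, 8883}

# Assumptions for the example: the OT segment and its only sanctioned broker.
OT_SEGMENT = ipaddress.ip_network("10.10.0.0/16")
BROKER_ALLOWLIST = {"10.10.0.5"}
# Assumption: this many distinct destinations on one port within a
# 60-second bucket is treated as a scan, not normal OT chatter.
SCAN_FANOUT_THRESHOLD = 8


@dataclass(frozen=True)
class Flow:
    ts: int        # epoch seconds when the flow started
    src: str       # source IP
    dst: str       # destination IP
    dport: int     # destination port
    sni: str = ""  # TLS SNI if the sensor captured it, else ""


def detect(flows):
    """Return sorted (src, rule) findings for hosts inside OT_SEGMENT."""
    findings = set()
    fanout = defaultdict(set)  # (src, dport, minute bucket) -> {dst, ...}
    for f in flows:
        if ipaddress.ip_address(f.src) not in OT_SEGMENT:
            continue  # only OT/IoT devices are in scope for these rules
        # Rule 1: DoH to Cloudflare. IoT/OT devices should use the local
        # resolver; encrypted DNS from them is how IOCONTROL finds its C2.
        if f.dport == 443 and (f.dst in CLOUDFLARE_DOH_IPS
                               or f.sni in CLOUDFLARE_DOH_HOSTS):
            findings.add((f.src, "doh_to_cloudflare"))
        # Rule 2: MQTT to a broker that is not on the allowlist.
        if f.dport in MQTT_PORTS and f.dst not in BROKER_ALLOWLIST:
            findings.add((f.src, "mqtt_to_unknown_broker"))
        # Collect fan-out per (source, port, minute) for rule 3.
        fanout[(f.src, f.dport, f.ts // 60)].add(f.dst)
    # Rule 3: one source hitting many hosts on the same port in a short
    # window matches the "scan an IP range on a specific port" command.
    for (src, dport, _bucket), dsts in fanout.items():
        if len(dsts) >= SCAN_FANOUT_THRESHOLD:
            findings.add((src, f"port_scan_fanout:{dport}"))
    return sorted(findings)


# Constructed sample: 10.10.3.7 behaves like an infected terminal,
# 10.10.3.8 is a healthy device, 192.168.1.5 is outside the OT segment.
SAMPLE_FLOWS = (
    [Flow(100, "10.10.3.7", "1.1.1.1", 443, "cloudflare-dns.com"),
     Flow(101, "10.10.3.7", "203.0.113.10", 8883)]
    + [Flow(102 + i, "10.10.3.7", f"10.10.4.{i}", 22) for i in range(1, 11)]
    + [Flow(100, "10.10.3.8", "10.10.0.5", 1883),
       Flow(100, "192.168.1.5", "1.1.1.1", 443, "cloudflare-dns.com")]
)

if __name__ == "__main__":
    for src, rule in detect(SAMPLE_FLOWS):
        print(f"{src}\t{rule}")
```

The rules are deliberately coarse: on a real plant network the broker allowlist and the fan-out threshold need to come from a baseline of normal traffic, and the DoH rule should be extended to whatever other public DoH resolvers are reachable from the segment. The useful property is that none of the three rules depends on the malware's hashes, so they keep working when the payload is rebuilt for a different vendor's device.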
In conclusion, the emergence of IOCONTROL underscores the growing threat to critical infrastructure posed by nation-state cyberattacks. The malware’s sophisticated capabilities and use of evasion tactics highlight the need for enhanced cybersecurity measures to protect against such malicious activities.