Tainted password-cracking software used to spread P2P Sality botSecurity Affairs

Dragos researchers uncovered a small-scale campaign targeting industrial engineers and operators with Sality malware.

During a routine vulnerability assessment, Dragos researchers discovered a campaign targeting industrial engineers and operators with Sality malware.

Threat actors behind the campaign used multiple accounts across several social media platforms to advertise password-cracking software for Programmable Logic Controller (PLC), Human-Machine Interface (HMI), and project files.

The password recovery software is advertised as working against industrial systems from ABB, Allen Bradley, Automation Direct, Fuji Electric, LG, Vigor, Mitsubishi, Omron, Panasonic, Pro-Face, Siemens, and Weintek.

Sality malware

The attackers are attempting to infect industrial control systems (ICS) and create a botnet.

Dragos experts investigated an infection of DirectLogic PLCs from Automation Direct, they performed reverse engineering of the password cracking tool and discovered it did not crack the password at all, rather, it exploited a vulnerability in the firmware to retrieve the password on command. The password cracking software also acts as a dropper for the Sality P2P bot.

According to the experts, the tool successfully recovers Automation Direct’s DirectLogic 06 PLC password by connecting a Windows machine to the PLC over a serial connection.

Dragos researchers were also able to recover the password using the exploit over Ethernet, significantly increasing the severity of the flaw, tracked as CVE-2022-2003.

The CVE-2022-2003 was responsibly disclosed to Automation Direct and the vendor addressed it with the release of a firmware update.

The Sality P2P botnet is known to be involved in password cracking and cryptocurrency mining activities.

“Dragos assesses with moderate confidence the adversary, while having the capability to disrupt industrial processes, has financial motivation and may not directly impact Operational Technology (OT) processes.” reads the advisory published by Dragos. “Sality employs process injection and file infection to maintain persistence on the host. It abuses Windows’ autorun functionality to spread copies of itself over Universal Serial Bus (USB), network shares, and external storage drives. ”

The sample of the Sality malware employed in the attack analyzed by Dragos also drops clipboard hijacking malware, which checks the clipboard to hijack cryptocurrency wallet addresses.

The Sality malware uses a kernel driver to avoid detection, it also starts a service to identify processes associated with potential security products, and kill them.

Dragos only tested the DirectLogic-targeting malware. However, initial dynamic analysis of a couple of other samples indicate they also contain malware. In general, it appears there is an ecosystem for this type of software. Several websites and multiple social media accounts exist all touting their password “crackers.” ”Concludes the report. “Trojanized software is a common delivery technique for malware and has been proven effective for gaining initial access to a network. ”

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs hacking, Sality malware)













Source

Dragos researchers uncovered a small-scale campaign targeting industrial engineers and operators with Sality malware.

During a routine vulnerability assessment, Dragos researchers discovered a campaign targeting industrial engineers and operators with Sality malware.

Threat actors behind the campaign used multiple accounts across several social media platforms to advertise password-cracking software for Programmable Logic Controller (PLC), Human-Machine Interface (HMI), and project files.

The password recovery software is advertised as working against industrial systems from ABB, Allen Bradley, Automation Direct, Fuji Electric, LG, Vigor, Mitsubishi, Omron, Panasonic, Pro-Face, Siemens, and Weintek.

Sality malware

The attackers are attempting to infect industrial control systems (ICS) and create a botnet.

Dragos experts investigated an infection of DirectLogic PLCs from Automation Direct, they performed reverse engineering of the password cracking tool and discovered it did not crack the password at all, rather, it exploited a vulnerability in the firmware to retrieve the password on command. The password cracking software also acts as a dropper for the Sality P2P bot.

According to the experts, the tool successfully recovers Automation Direct’s DirectLogic 06 PLC password by connecting a Windows machine to the PLC over a serial connection.

Dragos researchers were also able to recover the password using the exploit over Ethernet, significantly increasing the severity of the flaw, tracked as CVE-2022-2003.

The CVE-2022-2003 was responsibly disclosed to Automation Direct and the vendor addressed it with the release of a firmware update.

The Sality P2P botnet is known to be involved in password cracking and cryptocurrency mining activities.

“Dragos assesses with moderate confidence the adversary, while having the capability to disrupt industrial processes, has financial motivation and may not directly impact Operational Technology (OT) processes.” reads the advisory published by Dragos. “Sality employs process injection and file infection to maintain persistence on the host. It abuses Windows’ autorun functionality to spread copies of itself over Universal Serial Bus (USB), network shares, and external storage drives. ”

The sample of the Sality malware employed in the attack analyzed by Dragos also drops clipboard hijacking malware, which checks the clipboard to hijack cryptocurrency wallet addresses.

The Sality malware uses a kernel driver to avoid detection, it also starts a service to identify processes associated with potential security products, and kill them.

Dragos only tested the DirectLogic-targeting malware. However, initial dynamic analysis of a couple of other samples indicate they also contain malware. In general, it appears there is an ecosystem for this type of software. Several websites and multiple social media accounts exist all touting their password “crackers.” ”Concludes the report. “Trojanized software is a common delivery technique for malware and has been proven effective for gaining initial access to a network. ”

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs hacking, Sality malware)













Source

More from author

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Related posts

Advertismentspot_img

Latest posts

Multiple Vulnerabilities Discovered in Device42 Asset Management Appliance

A series of vulnerabilities on the popular asset management platform Device42 could be exploited to give attackers full root access to the system, according...

Top 5 best backup practices

Give yourself peace of mind by implementing a new backup strategy with our tips....

Vicarius vsociety enables peer-to-peer networking and open-source collaboration on vulnerability research

Vicarius announced at the Black Hat USA 2022 conference the release of vsociety, a social community...

Want to stay up to date with the latest news?

We would love to hear from you! Please fill in your details and we will stay in touch. It's that simple!