Air-Gapped ICS Systems Targeted by Sophisticated Malware
Researchers uncovered new worming second-stage tools used to locally exfiltrate data from air-gapped ICS environments, putting the threat actors one step away from transmitting the information to a C2 server.
Security teams in industrial control systems (ICS) environments are fighting a worm that gets past air-gapped defenses.
Researchers from Kaspersky ICS-CERT have been investigating cyberattacks against ICS and critical infrastructure in Eastern Europe, and uncovered a novel second-stage malware that gets around the data-isolation protection an air-gapped system normally provides. The threat actors were trying to establish a permanent presence on the target networks for data exfiltration, the team said.
First, the attackers use known remote access and data collection tools to gain an initial foothold in the ICS network. Then, they deploy "sophisticated" modular malware against the air-gapped ICS networks, which infects removable storage drives with a worm that collects and exfiltrates targeted data. From there, they are just one step away from being able to transmit the stolen data out of the environment.
"The malware, designed explicitly to exfiltrate data from air-gapped systems by infecting removable drives, consists of at least three modules, each responsible for different tasks, such as profiling and handling removable drives, capturing screenshots, and planting second-step malware on newly connected drives," the report says.
The Kaspersky team also spotted another second-stage implant used in the attacks, which sends stolen data from a local computer to Dropbox.
The cyberattackers evaded detection by hiding encrypted payloads in their own binary file and by using DLL hijacking to load the malware into the memory of legitimate applications, the researchers explained.
"The threat actor's deliberate efforts to obfuscate their actions through encrypted payloads, memory injections, and DLL hijacking [underscore] the sophistication of their tactics," Kirill Kruglov, senior security researcher at Kaspersky ICS-CERT, said about the new findings.
The final piece of the cyberattack chain required to pull off the full data exfiltration would be a third set of tools that uploads the stolen data to the command-and-control (C2) server. Kruglov added that Kaspersky's team will continue to investigate.