Air-Gapped ICS Systems Targeted by Sophisticated Malware

Security teams in industrial control systems (ICS) environments are fighting a worm that gets past air-gapped defenses.

Researchers from Kaspersky ICS-CERT have been investigating cyberattacks against ICS and critical infrastructure in Eastern Europe, and uncovered a novel second-stage malware that gets around the typical data security that an air gapped system provides. The threat actors were trying to establish a permanent presence on the target networks for data exfiltration, the team said.

First, the attackers use known remote access and data collection tools to gain an initial foothold in the ICS network. Then, they deploy a "sophisticated" modular malware against the air-gapped ICS networks, which contaminates removable storage drives with a worm that exfiltrates targeted data. From there, they are just one step away from being able to transmit stolen data out of the environment.

"The malware, designed explicitly to exfiltrate data from air-gapped systems by infecting removable drives, consist of at least three modules, each responsible for different tasks, such as profiling and handling removable drives, capturing screenshots, and planting second-step malware on newly connected drives," the report says.

The team also spotted another second-stage implant used in the attacks, which sends stolen data from a local computer to Dropbox, the Kaspersky team added.

The cyberattackers were able to evade detection by hiding encrypted payloads in their own binary file and using DLL hijacking to embed the malware in the memory of authorized apps, the researchers explained.

"The threat actor's deliberate efforts to obfuscate their actions through encrypted payloads, memory injections, and DLL hijacking [underscore] the sophistication of their tactics," Kirill Kruglov, senior security researcher at Kaspersky ICS CERT said about the new findings. 

The final piece of the cyberattack chain required to pull off the full data exfiltration would be a third slate of  tools that upload stolen data to the command and control server (C2). Kruglov added that Kasperky's team will continue to investigate.