ICS-focused IRONGATE malware has some interesting tricks up its sleeve

FireEye researchers discovered a malware family that is clearly built to target industrial control systems (ICS), but found no evidence that it was ever used in the wild.

They were unable to associate it with any campaigns or threat actors, and posit that it simply could be “a test case, proof of concept, or research activity for ICS attack techniques.”

IRONGATE malware analysis

Nevertheless, they decided to share what they discovered with the research community and the wider public as, to date, not many instances of ICS and SCADA malware have been detected and analyzed.

Results of IRONGATE analysis

The researchers unearthed the samples in late 2015, while searching for droppers compiled with PyInstaller. As it turned out, the IRONGATE droppers are Python scripts converted to executables using the very same software.

They had been uploaded to VirusTotal, but none of the AV engines used by the service flagged them as malicious, even though some of their strings include the word “dropper” and they carry a module named scada.exe.

“While IRONGATE malware does not compare to Stuxnet in terms of complexity, ability to propagate, or geopolitical implications, it leverages some of the same features and techniques Stuxnet used to attack centrifuge rotor speeds at the Natanz uranium enrichment facility; it also demonstrates new features for ICS malware,” the researchers note.

Both pieces of malware look for a single, highly specific process, and both replace DLLs to achieve process manipulation, they found.

“IRONGATE’s key feature is a man-in-the-middle (MitM) attack against process input-output (IO) and process operator software within industrial process simulation,” the researchers explained.

“The malware replaces a Dynamic Link Library (DLL) with a malicious DLL, which then acts as a broker between a PLC and the legitimate monitoring software. This malicious DLL records five seconds of ‘normal’ traffic from a PLC to the user interface and replays it, while sending different data back to the PLC. This could allow an attacker to alter a controlled process unbeknownst to process operators.”

The malware also checks whether it is running inside a VMware virtual machine or a Cuckoo Sandbox environment, and refuses to run if it detects either.

What’s the malware’s purpose?

There are many things that indicate the malware could be just a PoC that was not used in the wild. Also, the Siemens ProductCERT has confirmed that the code would not work against a standard Siemens control system environment.

Dragos Security CEO Robert Lee obtained additional information from the FireEye team, and learned that the malware had been submitted to VirusTotal through the web interface from Israel in 2014.

“The combination of a manual upload, the malware not being in the wild (e.g. actively infecting sites), and the tool being written in Python against a simulated environment makes me think that the malware is a penetration testing or security product demo tool and not a proof-of-concept for a capable adversary,” he opined. “Generally speaking, APTs do not normally write tools in Python and submit them to VirusTotal.”

“The malware’s attention to ICS and its focus on mimicking capabilities present in Stuxnet reinforced what many of us in the community knew: ICS is a viable target and attackers are getting smarter on how to impact ICS with ICS specific knowledge sets,” Lee also pointed out.

“The unique nature of ICS offers defenders many advantages in countering adversaries but it is not enough. You cannot rest on the fact that ‘ICS is unique’ or ‘ICS can be hard to figure out’ as a defense mechanism. It is a great vantage point for defenders but must be taken advantage of or adversaries will overcome it.”

Lior Frenkel, CEO of Waterfall Security, also believes that attacks of the Stuxnet kind, and upcoming variations on the same theme, are in the pipeline.

“Every manager of an industrial control site or critical infrastructure must take this real threat very seriously with significant steps that will deliver better protection. And I am referring to online remote attack prevention, not just detection after the fact.”

“To make matters worse, these attacks will increase in their sophistication and complexity so any solution needs to be completely comprehensive and robust to cover the full perimeter of an ICS site,” he noted, adding that unidirectional gateways are the optimal solution for these attacks.

FireEye researchers believe that integrity checks and code signing could also help prevent attacks with malware like IRONGATE.

“Develop mechanisms for sanity checking IO data, such as independent sensing and backhaul, and comparison with expected process state information,” they advised ICS asset owners. “Ignorance of expected process state facilitates an attacker’s ability to achieve physical consequence without alarming operators.”
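To make both halves of this concrete, the record-and-replay broker FireEye describes and the two sanity checks it recommends, here is an added simulation (it is not IRONGATE's code, nor anything from FireEye or Siemens). The toy PLC, the broker classes, the 1000/1050/1400 setpoints and the use of one scan cycle per sample in place of the five-second capture window are all assumptions made for the example. It runs an honest broker and a replaying broker side by side, with the operator raising the setpoint halfway through, and shows which check catches the tampering and when:

```python
"""Added example: record-and-replay MitM between a PLC and its HMI, next to
the IO sanity checks that expose it. Everything here is constructed for
illustration; none of it is IRONGATE's, FireEye's or Siemens' code."""
import random

RECORD_SAMPLES = 5  # one sample per scan cycle stands in for the 5-second capture window


class SimulatedPLC:
    """Toy controller: one setpoint and one process variable (pv) that follows it."""

    def __init__(self, setpoint: float, seed: int = 1) -> None:
        self.setpoint = setpoint
        self.pv = setpoint
        self._rng = random.Random(seed)  # seeded so runs are reproducible

    def write_setpoint(self, value: float) -> None:
        self.setpoint = value

    def scan(self) -> float:
        """One scan cycle: pv moves halfway to the setpoint, plus sensor noise."""
        self.pv += (self.setpoint - self.pv) * 0.5 + self._rng.uniform(-0.5, 0.5)
        return self.pv


class HonestBroker:
    """Stands in for the legitimate DLL: reads and writes pass through unchanged."""

    def __init__(self, plc: SimulatedPLC) -> None:
        self.plc = plc

    def write(self, setpoint: float) -> None:
        self.plc.write_setpoint(setpoint)

    def read(self) -> float:
        return self.plc.scan()


class ReplayBroker:
    """Stands in for the malicious DLL: records RECORD_SAMPLES 'normal' readings,
    then loops them back to the HMI while pushing its own setpoint to the PLC."""

    def __init__(self, plc: SimulatedPLC, attacker_setpoint: float) -> None:
        self.plc = plc
        self.attacker_setpoint = attacker_setpoint
        self.recording: list[float] = []
        self.replay_pos = 0

    def _armed(self) -> bool:
        return len(self.recording) >= RECORD_SAMPLES

    def write(self, setpoint: float) -> None:
        # the operator's write is silently replaced once the recording is complete
        self.plc.write_setpoint(self.attacker_setpoint if self._armed() else setpoint)

    def read(self) -> float:
        real = self.plc.scan()           # the PLC is still scanned every cycle
        if not self._armed():
            self.recording.append(real)  # learning phase: pass the truth through
            return real
        fake = self.recording[self.replay_pos % RECORD_SAMPLES]
        self.replay_pos += 1
        return fake                      # the HMI only ever sees the recording


def run_process(broker, plc: SimulatedPLC, setpoints: list[float]):
    """One cycle per commanded setpoint. Returns what the HMI displayed and what
    an independent sensor on the same physical process would have measured."""
    hmi_view, independent = [], []
    for sp in setpoints:
        broker.write(sp)
        hmi_view.append(broker.read())
        independent.append(plc.pv)  # read off the process, not through the broker
    return hmi_view, independent


def backhaul_mismatch(hmi_view, independent, tolerance: float):
    """Check 1 (independent sensing and backhaul): first cycle where the
    operator-facing value and the independent sensor disagree, else None."""
    for i, (shown, actual) in enumerate(zip(hmi_view, independent)):
        if abs(shown - actual) > tolerance:
            return i
    return None


def off_expected_state(hmi_view, setpoints, tolerance: float, settle: int):
    """Check 2 (expected process state): once a setpoint has been stable for
    `settle` cycles the displayed pv must sit near it. A replayed feed keeps
    showing the old steady state after the operator changes the setpoint."""
    for i in range(settle, len(hmi_view)):
        window = setpoints[i - settle:i + 1]
        if all(s == window[-1] for s in window) and abs(hmi_view[i] - window[-1]) > tolerance:
            return i
    return None


def demo():
    """Honest run and MitM run on the same schedule; setpoint rises at cycle 10."""
    commanded = [1000.0] * 10 + [1050.0] * 10
    honest_plc = SimulatedPLC(1000.0)
    honest_hmi, honest_real = run_process(HonestBroker(honest_plc), honest_plc, commanded)
    victim_plc = SimulatedPLC(1000.0)
    mitm_hmi, mitm_real = run_process(ReplayBroker(victim_plc, 1400.0), victim_plc, commanded)
    return {
        "honest_backhaul": backhaul_mismatch(honest_hmi, honest_real, 1.0),
        "honest_state": off_expected_state(honest_hmi, commanded, 5.0, 4),
        "mitm_backhaul": backhaul_mismatch(mitm_hmi, mitm_real, 1.0),
        "mitm_state": off_expected_state(mitm_hmi, commanded, 5.0, 4),
        "mitm_true_pv": mitm_real[-1],
        "mitm_shown_pv": mitm_hmi[-1],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In the honest run both checks stay quiet. In the MitM run the backhaul comparison fires on the very first replayed cycle, because the independent sensor sees the process heading for 1400 while the HMI is shown a captured reading near 1000. The expected-state check fires later, a few cycles after the operator raises the setpoint to 1050 and the replayed feed fails to follow; it needs no second sensor, only a model of what the process should be doing, which is the point of FireEye's remark about ignorance of expected process state.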

More technical details about the analyzed samples can be found in FireEye’s report.