A threat actor is targeting industrial engineers and operators with trojanized password-cracking software for programmable logic controllers (PLCs) and human-machine interfaces (HMIs), exploiting their urgent need to regain access in order to turn industrial workstations into dangerous bots.
According to Dragos researchers, the adversary does not appear to be interested in disrupting industrial processes, but in making money. The password-cracking software also carries a dropper that infects the machine with Sality malware, which:
- Uses process injection and file infection to achieve persistence
- Identifies security products (AVs, firewalls) and terminates them
- Abuses Windows’ autorun functionality to spread copies of itself over USBs, network shares, and external storage drives
- Makes compromised hosts part of a peer-to-peer botnet that engages in password cracking and cryptocurrency mining
- Drops clipboard-hijacking malware
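The autorun abuse in the list above leaves a tell-tale artifact: an autorun.inf file in the root of a removable drive or share that points Explorer at an executable on the drive, typically hidden in a folder users rarely open and disguised with an "action" label that mimics the normal "Open folder" prompt. The following is an added example (not Dragos's code or anything from the report) that parses such a file and lists the reasons it looks like a worm dropper; the two autorun.inf samples embedded in it are constructed for illustration, not taken from a real Sality infection, and the scan_roots helper is a hypothetical way to run the check over mounted drive roots.

```python
"""Flag autorun.inf files that wire a drive's Explorer actions to an executable.

Added example for defenders; the sample files below are constructed, not real
malware artifacts. Works on Windows, Linux and macOS (the parsing is pure Python).
"""
import os
import re
from typing import Dict, List

# Keys in the [autorun] section that cause a program to be launched.
LAUNCH_KEYS = ("open", "shellexecute")
# shell\<verb>\command wires a right-click / double-click verb to a command line.
SHELL_COMMAND_RE = re.compile(r"^shell\\[^\\]+\\command$", re.IGNORECASE)
# File types that run as code when launched.
EXECUTABLE_RE = re.compile(r"\.(exe|scr|pif|com|bat|cmd|vbs|js|dll)\b", re.IGNORECASE)
# Folders that removable-media worms use to hide their payload.
HIDDEN_DIR_RE = re.compile(
    r"(?:^|\\)(recycler|recycled|\$recycle\.bin|system volume information)\\",
    re.IGNORECASE,
)

# Constructed benign sample: only sets a label and icon, launches nothing.
BENIGN_INF = r"""[autorun]
label=Vendor Tools
icon=setup.exe,0
"""

# Constructed suspicious sample in the style of removable-media worms:
# every Explorer action runs an executable hidden under RECYCLER, and the
# "action" text makes the AutoPlay prompt look like a normal folder open.
SUSPICIOUS_INF = r"""[AutoRun]
; constructed sample for illustration only
open=RECYCLER\S-1-5-21-1482476501\update.exe
shell\open\Command=RECYCLER\S-1-5-21-1482476501\update.exe
shell\explore\command=RECYCLER\S-1-5-21-1482476501\update.exe
action=Open folder to view files
icon=%SystemRoot%\system32\shell32.dll,4
"""


def parse_autorun(text: str) -> Dict[str, str]:
    """Return key=value pairs from the [autorun] section, keys lower-cased.

    Hand-rolled instead of configparser because real autorun.inf files often
    contain duplicate keys, odd casing and lines without '=' that would make
    a strict INI parser raise.
    """
    entries: Dict[str, str] = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def assess_autorun(text: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing suspicious."""
    entries = parse_autorun(text)
    findings: List[str] = []
    launch_entries = {
        k: v for k, v in entries.items()
        if k in LAUNCH_KEYS or SHELL_COMMAND_RE.match(k)
    }
    for key, value in launch_entries.items():
        if EXECUTABLE_RE.search(value):
            findings.append(f"{key}={value}: launches an executable stored on the drive")
        if HIDDEN_DIR_RE.search(value):
            findings.append(f"{key}={value}: target sits in a folder users rarely inspect")
    if launch_entries and "action" in entries:
        findings.append(
            f"action={entries['action']!r}: disguises the launch as a normal Explorer action"
        )
    return findings


def scan_roots(roots: List[str]) -> Dict[str, List[str]]:
    """Hypothetical helper: assess autorun.inf in each given drive root, if present."""
    results: Dict[str, List[str]] = {}
    for root in roots:
        path = os.path.join(root, "autorun.inf")
        if os.path.isfile(path):
            with open(path, encoding="utf-8", errors="replace") as fh:
                results[path] = assess_autorun(fh.read())
    return results


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_INF), ("suspicious", SUSPICIOUS_INF)):
        print(f"{name}: {assess_autorun(sample) or 'no findings'}")
```

Run as-is it evaluates the two embedded samples; pointing scan_roots at mounted removable drives or share roots turns it into a quick triage step for the spread mechanism the list describes. Note that a file like this is an indicator even on hosts where AutoRun is disabled by policy, because the worm writes it regardless of whether the target will honour it.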
Software hiding malware
Downloading password-cracking software created by an unknown, untrusted third party is rarely (if ever!) a good idea. Unfortunately, necessity often compels people to make bad decisions.
Thus, industrial engineers who can’t access PLC programming software or an HMI because they don’t know the right password occasionally turn to the internet to find a tool to help them crack it.
Several websites and multiple social media accounts are touting password-cracking software for PLCs, HMIs and project files, Dragos researchers have found. These appear to be tailor-made to work on PLCs and HMIs by AutomationDirect, Omron, Siemens, ABB, Delta Automation, Fuji Electric, Mitsubishi Electric, Pro-Face, Vigor Electric, Weintek, Allen-Bradley, Panasonic, Fatek, IDEC Corp., and LG.
“Dragos only tested the [Automation Direct] DirectLogic-targeting malware. However, initial dynamic analysis of a couple of other samples indicates they also contain malware,” the researchers noted.
The password cracker they analyzed does seem to work as advertised, insofar as it is able to recover Automation Direct’s DirectLogic 06 PLC password – but not by cracking it. Instead, it exploits a vulnerability to retrieve the password in cleartext.
Unfortunately, the dropper it runs in the background and the Sality malware the dropper downloads are very bad news for any system, let alone one that is part of an operational technology (OT) network (or can reach one directly).
The only good news here is that, despite some of its stealthy ways, Sality’s presence on a host cannot be completely hidden. “Central Processing Unit (CPU) levels spiked to 100% and multiple Windows Defender alerts were triggered,” which is how the engineer who used the password cracker was alerted to its potential malicious nature.
Dragos advises engineers who need to recover a lost password not to turn to the internet for help, but to contact them or the vendors of the equipment.