Iran-linked threat actors have been linked to new custom malware targeting IoT and operational technology (OT) environments in Israel and the US.
The malware received a code name IOCONTROL from cybersecurity company OT Claroty, highlighting its ability to attack IoT and SCADA devices such as IP cameras, routers, programmable logic controllers (PLCs), human machine interfaces (HMIs), firewalls, and other Linux-based based on IoT/OT platforms.
“Although the malware is believed to be custom-built by the threat actor, it appears that the malware is generic enough to run on different platforms from different vendors due to its modular configuration,” the report said. companies. said.
Development is done by IOCONTROL the tenth family of malicious programs to single out Industrial Control Systems (ICS) after Stuxnet, Havex, Industroyer (aka CrashOverride), Triton (aka Trisis), BlackEnergy2, Industroyer2, PIPEDREAM (aka INCONTROLLER), COSMICENERGY and FrostyGoop (aka BUSTLEBERM) to date .
Claroty said it has analyzed a sample of malware extracted from the Gasboy fuel management system, which was previously hacked by a hacking group called Cyber Av3ngerswhich has been linked to cyber attacks using Unitronics PLCs to hack into water supply systems. The malware was embedded in the Gasboy payment terminal, otherwise known as OrPT.
This also means that the threat actors, given their ability to control the payment terminal, also had the means to shut down fuel services and potentially steal customer credit card information.
“Malware is essentially a cyber weapon used by a nation state to attack civilian critical infrastructure; at least one of the victims was the Orpak and Gasboy fuel management systems,” Clarotti said.
The ultimate goal of the infection chain is to deploy a backdoor that is automatically launched every time the device is restarted. A notable aspect of IOCONTROL is its usability MQTTa messaging protocol widely used in IoT devices for communication that allows threat actors to mask malicious traffic.
Moreover, command and control (C2) domains are resolved using Cloudflare’s DNS-over-HTTPS (DoH) service. This approach, already adopted by Chinese and Russian nation-state groups, is important because it allows malware to avoid detection when sending DNS requests in the open.
After a successful C2 connection is established, the malware transmits device information, namely hostname, current user, device name and model, time zone, firmware version, and location, to the server after waiting for further commands to execute.
This includes checking for malware installation in a designated directory, executing arbitrary operating system commands, terminating the malware, and scanning an IP range on a specific port.
“The malware interacts with C2 over a secure MQTT channel and supports basic commands including arbitrary code execution, self-deletion, port scanning and more,” Clarotti said. “This feature is sufficient to control remote IoT devices and perform lateral movement when needed.”
