The unusual malware has been specifically designed to target the core systems cities rely on. A new family of malware has been developed which could have the sole purpose of disrupting core industrial systems, researchers say.
On Thursday, security experts at FireEye said the malware, dubbed Irongate, was crafted to disrupt industrial control systems (ICS) running within simulated Siemens control system environments.
Irongate was discovered while the team was analyzing droppers compiled with PyInstaller and two samples of the malware were uploaded to VirusTotal in 2014 — but they were not detected as malicious code.
Irongate has a number of key features. It is able to launch a man-in-the-middle (MitM) attack against process input-output (IO) and operator software.
The malware also uses malicious DLLs to record traffic, which “could allow an attacker to alter a controlled process unbeknownst to process operators,” according to the team.
However, the process behind the MitM is not yet understood — and FireEye suspects operators need to launch the attack manually.
In addition, Irongate uses sandbox-evasion and anti-analysis code to prevent researchers from looking into the malicious code too deeply. Irongate is on the lookout for VMware or Cuckoo sandbox environments, and if they are detected, the droppers do not download the malware.
FireEye says the malware mimics Stuxnet in its approach to attacking ICS, but currently only does so within simulated environments. While not as complex or potentially damaging as Stuxnet, there are similarities — such as the fact that both malware families target specific processes, both replace DLLs, and both use anti-sandbox techniques.
However, while Irongate specifically looks for malware analysis and observation environments, Stuxnet looked for antivirus software.
Siemens’ ProductCERT security team says Irongate does not work against operational control systems and does not exploit any known vulnerabilities to hijack industrial processes.
FireEye was also unable to link Irongate to specific campaigns or threat actors and says that it may be the case that the malware is a “test case, proof of concept, or research activity for ICS attack techniques.”
This means that Irongate is potentially a proof-of-concept (PoC) sample being used to explore ways to tamper with industrial systems in simulated environments before tackling the real deal. We can only hope the malware does not evolve further in the future and is not let loose against the industrial systems we have grown to rely on.