The Hacker News — Cyber Security, Hacking, Technology News

Security researchers have discovered a sophisticated piece of malware that uses tricks from the Stuxnet sabotage malware and is specifically designed to target industrial control systems (ICS) and supervisory control and data acquisition (SCADA) systems.

Researchers at the security firm FireEye Labs Advanced Reverse Engineering said on Thursday that the malware, dubbed "IRONGATE," affects Siemens industrial control systems.

The malware only works in a simulated environment and is probably just a proof-of-concept that is likely not used in wild; therefore is not yet advanced enough to impact real-world systems.

The Irongate malware "is not viable against operational Siemens control systems," the cybersecurity firm said in its blog post, and the malware "does not exploit any vulnerabilities in Siemens products."

The researchers found this malware fascinating due to its mode of operation that included some Stuxnet-like behavior.

The Stuxnet sabotage malware was allegedly developed by the United States and Israel to disrupt Iran's nuclear facility and destroyed a several country's uranium enrichment centrifuges.

Just like Stuxnet, Irongate uses a Man-in-the-Middle (MitM) technique to inject itself between the PLC (Programmable Logic Controller) and the legitimate software monitoring process, checks for defenses before detonating, as well as mask its tracks.

Moreover, to achieve this MitM, like Stuxnet, Irongate replaces a valid Dynamic Link Library (DLL) file with a malicious copy, potentially allowing the malware to target a particular control system configuration.

DLL is a small piece of code that can be used by different programs at the same time.

However, the researchers note that Irongate doesn't compare to Stuxnet in terms of complexity, ability to propagate, or geopolitical implications.

Moreover, Irongate differs from Stuxnet in the way it avoids detection. While Stuxnet only looked for the presence of various antivirus software on the target systems, Irongate looks for sandbox environments such as VMWare and Cuckoo Sandbox.

FireEye says the firm detected several versions of Irongate on malware database VirusTotal in the second half of 2015, but researchers managed to track down two malware samples to September 2014.

The research team doesn't think that Irongate is written by the Stuxnet’s authors, as Irongate is not the type of sophistication one would expect from a nation state.

FireEye says Irongate could be a proof-of-concept, a research project, or just a test, which is why the firm went public with the details in order to find out more about the malware sample.

But the question still remains: Who did write Irongate?

• MS15-018 - A Cumulative Security Update, rated as 'critical', affects all supported versions of Internet Explorer and addresses a number of Memory Corruption vulnerabilities, two elevation of privilege vulnerabilities, and a VBscript memory corruption vulnerability.
• MS15-019 - This update addresses a scripting vulnerability in some older versions of Windows operating systems. The vulnerability doesn't affect Windows 7 and later desktop versions.
• MS15-021 - It addresses eight vulnerabilities in the Adobe Font Driver components for Windows and Windows Server exploitable through a malicious website or file. It is also rated 'critical' due to the possibility of remote code execution.
• MS15-022 - This update fixes three unknown flaws in Office document formats as well as multiple cross-site scripting (XSS) issues for SharePoint Server, and applies to all supported versions of Microsoft Office, as well as the server-based Office Web Apps and SharePoint Server products.
• MS15-023 - This bulletin, rated as 'important', addresses four vulnerabilities in the Windows Kernel-Mode driver allowing elevation of privilege and information disclosure attacks by launching a specially-crafted application.