FireEye thinks malware is only a proof of concept

Jun 2, 2016 16:40 GMT  ·  By

Several years have passed since the infamous Stuxnet malware managed to destroy centrifuges in multiple Iranian nuclear power plants, but now security firm FireEye claims to have discovered a new type of ICS/SCADA targeting malware that uses some of the same Stuxnet features.

Nicknamed IRONGATE, the malware targets only ICS/SCADA equipment manufactured by Siemens. FireEye says it detected the malware in the second half of 2015, but it managed to trace some of the malware's samples back to September 2014, when multiple entities uploaded different versions of the malware to VirusTotal.

The security firm says the detection ratio was zero at that time, and that no attacks using this malware have ever been recorded in the wild.

IRONGATE shares some features with Stuxnet

The research team found this malware extremely interesting because of its mode of operation that incorporated some Stuxnet-like behavior.

Just like Stuxnet, IRONGATE uses a Man-in-the-Middle technique to inject itself between the PLC (Programmable Logic Controller) and the software monitoring the process.

Another feature shared with Stuxnet is how it achieves this MitM by replacing a valid DLL file with a malicious copy.
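A DLL swap of the kind described above leaves a measurable trace: the file on disk no longer matches what was installed. The following is an added example, not code from the article or from FireEye, showing how a defender can baseline the hashes of library files in a monitoring host's install directory and later check for modified, missing or unexpected files. File names such as vendor_sim.dll are constructed placeholders, not the real Siemens component names, and the demo runs entirely inside a temporary directory.

```python
import hashlib
import os
import tempfile


def sha256_of(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root, suffixes=(".dll",)):
    """Map each library file under `root` (relative path) to its SHA-256 hash."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(suffixes):
                full = os.path.join(dirpath, name)
                baseline[os.path.relpath(full, root)] = sha256_of(full)
    return baseline


def verify_against_baseline(root, baseline):
    """Compare the current state of `root` with a stored baseline.

    A replaced library shows up as 'modified'; a deleted one as 'missing';
    a file that was never part of the install as 'unexpected'.
    """
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "unexpected": sorted(p for p in current if p not in baseline),
    }


def demo():
    """Constructed scenario: baseline a fake install, then tamper with it and re-verify."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed placeholder files standing in for a vendor's simulation libraries.
        good = os.path.join(root, "vendor_sim.dll")
        with open(good, "wb") as handle:
            handle.write(b"MZ benign simulation library (constructed bytes)")
        with open(os.path.join(root, "helper.dll"), "wb") as handle:
            handle.write(b"MZ helper library (constructed bytes)")

        baseline = build_baseline(root)  # what an operator would store offline

        # Simulate the tampering the article describes: one library replaced by
        # a different copy, one removed, and one new file dropped alongside.
        with open(good, "wb") as handle:
            handle.write(b"MZ swapped-in copy (constructed bytes)")
        os.remove(os.path.join(root, "helper.dll"))
        with open(os.path.join(root, "extra.dll"), "wb") as handle:
            handle.write(b"MZ unexpected library (constructed bytes)")

        return verify_against_baseline(root, baseline)


if __name__ == "__main__":
    print(demo())
```

The baseline must be stored somewhere the monitoring host cannot silently rewrite (a read-only share, a signed file, or a separate host), otherwise the same access that swaps the DLL can also refresh the hash.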

Researchers also found differences in the way the malware reacts to analysis. While Stuxnet looked for the presence of antivirus software, IRONGATE takes a different approach and looks for sandbox environments such as VMware or Cuckoo Sandbox. If any are found, IRONGATE refuses to execute its malicious payload.

Another difference is that IRONGATE records and replays process data to hide its activity on infected systems. Stuxnet never attempted to hide its presence, opting to suspend the normal operation of a process after it achieved its goal.
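Record-and-replay leaves its own signature: the values shown to the operator become an exact copy of an earlier stretch of the process history. The following is an added example, not code from the article or from FireEye, showing one way a monitoring or historian layer could flag such replays by looking for a window of readings that repeats an earlier, non-overlapping window exactly. The signal is constructed (a rising trend with a small oscillation) and the replayed segment is spliced in by hand; real process data would need a tolerance tuned to sensor noise.

```python
import math


def find_replayed_windows(samples, window=8, decimals=3):
    """Return (index, earlier_index) pairs where `window` consecutive readings
    starting at `index` exactly repeat the readings starting at `earlier_index`.

    Readings are rounded to `decimals` places so that serialisation jitter does
    not hide a byte-for-byte replay; genuine noisy sensor data is very unlikely
    to reproduce an identical window by chance.
    """
    first_seen = {}
    hits = []
    for i in range(len(samples) - window + 1):
        key = tuple(round(v, decimals) for v in samples[i:i + window])
        earlier = first_seen.get(key)
        if earlier is not None and i - earlier >= window:
            hits.append((i, earlier))      # non-overlapping exact repeat
        else:
            first_seen.setdefault(key, i)  # remember first occurrence only
    return hits


def collapse_hits(hits, window):
    """Merge runs of consecutive window hits into (start, replayed_from, length) segments."""
    segments = []
    for i, earlier in hits:
        if segments and i == segments[-1][0] + segments[-1][2] - window + 1 \
                and earlier == segments[-1][1] + segments[-1][2] - window + 1:
            start, src, length = segments[-1]
            segments[-1] = (start, src, length + 1)
        else:
            segments.append((i, earlier, window))
    return segments


def constructed_stream():
    """Constructed process history: 60 genuine readings followed by 30 replayed ones."""
    # Strictly increasing trend (+0.5 per step) with an oscillation of at most +/-0.3,
    # so no two genuine windows can ever coincide.
    genuine = [round(20.0 + 0.5 * i + 0.3 * math.sin(i), 3) for i in range(60)]
    replayed = genuine[10:40]  # an attacker feeding back readings 10..39 as if current
    return genuine + replayed


def analyse(samples, window=8):
    hits = find_replayed_windows(samples, window)
    return collapse_hits(hits, window)


if __name__ == "__main__":
    for start, src, length in analyse(constructed_stream()):
        print(f"readings {start}..{start + length - 1} replay readings {src}..{src + length - 1}")
```

The check is deliberately cheap, one dictionary lookup per sample, so it can run inline in a historian; pair it with a plausibility check on the physical side (for example, a setpoint change that produces no corresponding change in the reported values) to catch replays that are resampled rather than copied verbatim.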

PLC Blaster connection? FireEye says no.

Last month, a team of German researchers revealed PLC Blaster, a SCADA malware family capable of self-replicating like a worm, which also targets Siemens equipment.

PLC Blaster was based on the work of two separate teams of researchers, one that premiered its findings at the Black Hat USA 2015 conference, and one at the Black Hat Asia 2016 conference.

Both fit the timeline of IRONGATE detections, but PLC Blaster lacks one crucial element: sandbox evasion.

Despite the presence of an anti-reverse engineering component, typically found in "offensive" malware, FireEye still thinks "IRONGATE’s characteristics lead us to conclude that it is a test, proof of concept, or research activity."

Softpedia has reached out to FireEye to clarify whether IRONGATE and PLC Blaster are related, whether IRONGATE incorporates some of PLC Blaster's code, or whether IRONGATE is something new altogether. The FireEye team has provided the following clarifications regarding the connection between IRONGATE and PLC Blaster.

"Their research does not deal with attacking the process at all, but with using the PLC as a gateway for propagation. It is interesting research, but we don’t see an immediate connection between it and IRONGATE," Sean McBride, Attack Synthesis Lead for FireEye told Softpedia.

"For example, Klick [author of the research presented at Black Hat USA 2015, on which PLC Blaster was based] doesn’t discuss sandbox evasion, man in the middle, file replacement, or manipulation of process IO," Mr. McBride added. "It would be fascinating to see someone combine the two branches of thought into a single malware."

UPDATE: Updated article to include the FireEye statement.