Advanced Linux Backdoor Exploits 0-Day RCE to Attack OT Systems

A sophisticated Linux-based backdoor dubbed OrpaCrab has been discovered targeting operational technology (OT) systems, particularly those associated with gas stations and oil transportation.

Researchers from QiAnXin XLab and Claroty have analyzed the malware, which was extracted from a compromised Gasboy fuel management system.

Stealthy C2 Communication via MQTT

OrpaCrab employs several advanced techniques to maintain stealth and persistence.

The malware utilizes the MQTT (Message Queuing Telemetry Transport) protocol for command and control (C2) communication, effectively blending in with legitimate industrial traffic.

It establishes persistence through a script in “/etc/rc3.d/” and employs AES-256-CBC encryption to obfuscate its configuration information.

To evade detection, OrpaCrab uses DNS over HTTPS (DoH) to resolve its C2 domain, bypassing traditional DNS monitoring.

The backdoor communicates with its C2 server over three main MQTT topics: one for uploading initial device information, one for receiving instructions, and one for returning command execution results.
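Because the C2 channel hides inside ordinary MQTT traffic, one practical detection step is to recover topic names from captured broker traffic and compare them with the topics a site legitimately uses. The Python below is an added example, not code from the researchers or the malware: it parses raw MQTT 3.1.1 PUBLISH frames and flags topics outside a baseline; the sample frames, topic names and baseline are all constructed.

```python
import struct
from dataclasses import dataclass
from typing import Optional

PUBLISH = 3  # MQTT control packet type for PUBLISH (high nibble of first byte)

@dataclass
class Publish:
    topic: str
    qos: int
    packet_id: Optional[int]
    payload: bytes

def _remaining_length(buf: bytes, pos: int):
    """Decode the MQTT variable-length 'remaining length' field (1-4 bytes)."""
    value, multiplier = 0, 1
    for _ in range(4):
        byte = buf[pos]
        pos += 1
        value += (byte & 0x7F) * multiplier
        if not byte & 0x80:
            return value, pos
        multiplier *= 128
    raise ValueError("malformed remaining length")

def parse_publish(frame: bytes) -> Publish:
    """Parse one MQTT 3.1.1 PUBLISH packet: fixed header, topic, optional packet id, payload."""
    ptype, flags = frame[0] >> 4, frame[0] & 0x0F
    if ptype != PUBLISH:
        raise ValueError(f"not a PUBLISH packet (type {ptype})")
    qos = (flags >> 1) & 0x03
    length, pos = _remaining_length(frame, 1)
    body = frame[pos:pos + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    (tlen,) = struct.unpack_from(">H", body, 0)
    topic = body[2:2 + tlen].decode("utf-8")
    off = 2 + tlen
    packet_id = None
    if qos > 0:  # packet identifier is present only for QoS 1 and 2
        (packet_id,) = struct.unpack_from(">H", body, off)
        off += 2
    return Publish(topic, qos, packet_id, body[off:])

def unexpected_topics(frames, allowlist):
    """Topics seen in captured PUBLISH frames that are not in the site baseline."""
    return sorted({parse_publish(f).topic for f in frames} - set(allowlist))

def build_publish(topic: str, payload: bytes, qos: int = 0, packet_id: int = 1) -> bytes:
    """Encode a PUBLISH frame; used here only to construct sample traffic."""
    body = struct.pack(">H", len(topic)) + topic.encode()
    if qos:
        body += struct.pack(">H", packet_id)
    body += payload
    rem, n = bytearray(), len(body)
    while True:
        d, n = n % 128, n // 128
        rem.append(d | 0x80 if n else d)
        if not n:
            break
    return bytes([(PUBLISH << 4) | (qos << 1)]) + bytes(rem) + body

# Constructed sample capture (hypothetical topic names): two baseline topics, one unknown.
SAMPLE_FRAMES = [
    build_publish("site/pump1/telemetry", b'{"flow":12.3}'),
    build_publish("site/pump1/status", b"ok", qos=1, packet_id=7),
    build_publish("x9/dev/cmd_result", b"result-blob"),
]
BASELINE = ["site/pump1/telemetry", "site/pump1/status"]
```

In a real deployment the frames would come from a pcap or a broker tap; the baseline would be the topic list documented for the site's own devices.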

Potential Supply Chain Attack Vector

While the initial infection vector remains unclear, the presence of OrpaCrab within Gasboy’s Payment Terminal (OrPT) suggests a possible supply chain attack.

Because the threat actors could control the payment terminal, they could potentially shut down fuel services and steal customers' credit card information.

The malware’s capabilities include arbitrary command execution, self-removal, and reconfiguration of the MQTT broker.

These features provide attackers with significant control over compromised systems, potentially allowing them to disrupt critical infrastructure operations.

Claroty researchers have linked OrpaCrab to the CyberAv3ngers hacking group, which has been previously associated with cyberattacks exploiting Unitronics PLCs to breach water systems.

This connection raises concerns about the group’s expanding focus on various critical infrastructure sectors.

The discovery of OrpaCrab highlights the evolving threat landscape for OT systems, particularly in the energy sector.

Its sophisticated design and potential link to a known threat actor underscore the need for enhanced security measures in industrial control systems, especially those managing critical infrastructure like fuel distribution networks.

Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
