New Malware ‘IOCONTROL’ Targets IP Cameras, Routers, PLCs, HMIs & Firewalls

The IOCONTROL malware, developed by Iran-affiliated attackers, targets OT/IoT devices in Israel and the U.S., allowing for remote control, code execution, and potential lateral movement across systems.

Multiple IoT and SCADA/OT device vendors, including Baicells, D-Link, Hikvision, and others, have been targeted by IOCONTROL attacks that exploit vulnerabilities in devices such as IP cameras, routers, PLCs, HMIs, and firewalls, potentially compromising critical infrastructure and systems.

Analysis indicates that it is a nation-state-sponsored cyberweapon aimed at civilian critical infrastructure, with sophisticated malware capabilities and an unusual communication channel for remote command and control.

Screenshot shared on Telegram by CyberAv3ngers.

The Iranian-backed CyberAv3ngers group has compromised Israeli and American fuel management systems using a custom-built, cross-platform malware dubbed IOCONTROL, which targets IoT and OT devices such as routers, PLCs, HMIs, and firewalls.

This attack, likely motivated by geopolitical tensions, highlights the increasing threat of nation-state actors exploiting vulnerabilities in critical infrastructure.

The group has launched cyberattacks against critical infrastructure, including water treatment facilities and fuel management systems, using IoT communication protocols such as MQTT to maintain stealthy command and control over compromised devices. This demonstrates a capability to disrupt essential services and potentially cause significant harm.

Dedicated CyberAv3ngers script running, and allegedly bricking, Orpak systems.

By infecting Gasboy's OrPT payment terminal within a fuel control system, the malware could allow attackers to steal credit card data and disrupt fueling services.

An ARM 32-bit big-endian malware sample, identified by the hash 1b39f9b2b96a6586c4a11ab2fdbff8fdf16ba5a0ac7603149023d73f33b84498, was unpacked and analyzed using the Unicorn CPU emulation engine, chosen because of the archaic architecture and the need for a controlled execution environment.

The malware was emulated step by step, tracing its execution and handling system calls with custom implementations to control its behavior. This made it possible to analyze the unpacking process, which ran in two stages: first the unpacking utility code, then the main executable and its configuration.

A code snippet from the Python emulation module showing open, read, and syscall implementations.
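The syscall-handling layer such an emulation module needs, written here as an added example for this article (it is not Claroty's module and not code from the sample): file syscalls are served from an in-memory virtual filesystem so the unpacker never touches the analyst's real disk, and every call is recorded in a trace. The `run_under_unicorn` function shows how the layer attaches to Unicorn's SVC interrupt hook for an ARM big-endian target; `run_offline_demo` replays a constructed open/read/write/close/exit sequence through the same layer without Unicorn installed. The syscall numbers are the Linux ARM EABI values; the `/proc/cpuinfo` content and the addresses are constructed.

```python
"""Syscall-emulation layer for stepping an ARM EABI sample under Unicorn (added example)."""
from typing import Callable, Dict, List, Tuple

# Linux ARM EABI syscall numbers (arch/arm) and errno values used below.
SYS_EXIT, SYS_READ, SYS_WRITE, SYS_OPEN, SYS_CLOSE = 1, 3, 4, 5, 6
ENOENT, EBADF, ENOSYS = 2, 9, 38

MemRead = Callable[[int, int], bytes]
MemWrite = Callable[[int, bytes], None]


def read_cstring(mem_read: MemRead, addr: int, limit: int = 4096) -> str:
    """Read a NUL-terminated guest string one byte at a time (safe near unmapped pages)."""
    out = bytearray()
    while len(out) < limit:
        b = bytes(mem_read(addr + len(out), 1))
        if b == b"\x00":
            break
        out += b
    return out.decode("latin-1")


class SyscallEmu:
    """Serves open/read/write/close/exit from a virtual filesystem and records a trace."""

    def __init__(self, vfs: Dict[str, bytes]):
        self.vfs = vfs                      # constructed files visible to the guest
        self.fds: Dict[int, List] = {}      # fd -> [path, offset]
        self.next_fd = 3                    # 0-2 are stdin/stdout/stderr
        self.stdout = bytearray()           # whatever the guest writes to fd 1/2
        self.exited = None                  # exit code once SYS_EXIT is seen
        self.trace: List[Tuple[str, List[int], int]] = []
        self.handlers = {SYS_OPEN: self.sys_open, SYS_READ: self.sys_read,
                         SYS_WRITE: self.sys_write, SYS_CLOSE: self.sys_close,
                         SYS_EXIT: self.sys_exit}

    def dispatch(self, nr: int, args: List[int], mem_read: MemRead, mem_write: MemWrite) -> int:
        """Route syscall number nr (r7) with args r0-r3; the return value goes back in r0."""
        handler = self.handlers.get(nr)
        if handler is None:                 # log and refuse anything we did not implement
            self.trace.append(("unhandled", [nr] + list(args), -ENOSYS))
            return -ENOSYS
        ret = handler(args, mem_read, mem_write)
        self.trace.append((handler.__name__, list(args), ret))
        return ret

    def sys_open(self, args, mem_read, mem_write) -> int:
        path = read_cstring(mem_read, args[0])
        if path not in self.vfs:
            return -ENOENT
        fd, self.next_fd = self.next_fd, self.next_fd + 1
        self.fds[fd] = [path, 0]
        return fd

    def sys_read(self, args, mem_read, mem_write) -> int:
        fd, buf, count = args[0], args[1], args[2]
        if fd not in self.fds:
            return -EBADF
        path, off = self.fds[fd]
        chunk = self.vfs[path][off:off + count]
        if chunk:
            mem_write(buf, chunk)           # copy file bytes into the guest buffer
        self.fds[fd][1] = off + len(chunk)
        return len(chunk)

    def sys_write(self, args, mem_read, mem_write) -> int:
        fd, buf, count = args[0], args[1], args[2]
        if fd in (1, 2):
            self.stdout += bytes(mem_read(buf, count))
            return count
        return -EBADF

    def sys_close(self, args, mem_read, mem_write) -> int:
        return 0 if self.fds.pop(args[0], None) is not None else -EBADF

    def sys_exit(self, args, mem_read, mem_write) -> int:
        self.exited = args[0]
        return 0


def run_under_unicorn(emu: SyscallEmu, code: bytes, base: int = 0x10000) -> SyscallEmu:
    """Attach the layer to Unicorn (ARM, big-endian) through the SVC interrupt hook.
    Needs the unicorn package; the offline demo below does not."""
    from unicorn import Uc, UC_ARCH_ARM, UC_MODE_ARM, UC_MODE_BIG_ENDIAN, UC_HOOK_INTR
    from unicorn.arm_const import (UC_ARM_REG_R0, UC_ARM_REG_R1, UC_ARM_REG_R2,
                                   UC_ARM_REG_R3, UC_ARM_REG_R7, UC_ARM_REG_SP)
    mu = Uc(UC_ARCH_ARM, UC_MODE_ARM | UC_MODE_BIG_ENDIAN)
    mu.mem_map(base, 0x100000)
    mu.mem_write(base, code)
    mu.reg_write(UC_ARM_REG_SP, base + 0x100000 - 0x1000)

    def on_intr(uc, intno, _user):
        if intno != 2:                      # 2 == SVC (software interrupt) on ARM
            return
        nr = uc.reg_read(UC_ARM_REG_R7)
        args = [uc.reg_read(r) for r in (UC_ARM_REG_R0, UC_ARM_REG_R1, UC_ARM_REG_R2, UC_ARM_REG_R3)]
        uc.reg_write(UC_ARM_REG_R0, emu.dispatch(nr, args, uc.mem_read, uc.mem_write) & 0xFFFFFFFF)
        if emu.exited is not None:
            uc.emu_stop()

    mu.hook_add(UC_HOOK_INTR, on_intr)
    mu.emu_start(base, base + len(code))
    return emu


class FlatMemory:
    """Tiny guest-memory stand-in used when Unicorn is not available."""
    def __init__(self, size: int = 0x1000):
        self.buf = bytearray(size)

    def read(self, addr: int, n: int) -> bytes:
        return bytes(self.buf[addr:addr + n])

    def write(self, addr: int, data: bytes) -> None:
        self.buf[addr:addr + len(data)] = data


def run_offline_demo() -> SyscallEmu:
    """Replay the syscall sequence a loader stub issues against the layer (constructed VFS)."""
    vfs = {"/proc/cpuinfo": b"model name : ARMv7 Processor (constructed)\n"}
    emu, mem = SyscallEmu(vfs), FlatMemory()
    mem.write(0x100, b"/proc/cpuinfo\x00")          # path string placed in guest memory
    fd = emu.dispatch(SYS_OPEN, [0x100, 0, 0, 0], mem.read, mem.write)
    n = emu.dispatch(SYS_READ, [fd, 0x200, 0x100, 0], mem.read, mem.write)
    emu.dispatch(SYS_WRITE, [1, 0x200, n, 0], mem.read, mem.write)
    emu.dispatch(SYS_CLOSE, [fd, 0, 0, 0], mem.read, mem.write)
    emu.dispatch(SYS_EXIT, [0, 0, 0, 0], mem.read, mem.write)
    return emu
```

The trace is the useful artifact: each entry names the handler, the raw r0-r3 arguments and the value returned, which is how the two unpacking stages become visible as a sequence of file reads and buffer writes rather than opaque instruction stepping. Unimplemented syscalls return -ENOSYS and are logged, so a sample that relies on a call the layer lacks fails loudly instead of silently misbehaving.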

It was packed with a modified version of the open-source UPX packer to evade detection: the UPX magic header was altered and CRC checksum verification disabled. This was partially effective against automated detection but not sophisticated enough to conceal the malicious payload entirely.
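Why a modified magic header only partially helps: signature-based tools look for the "UPX!" marker, but the compressed payload still has the byte-entropy profile of compressed data. The triage heuristic below is an added example for this article, not Claroty's tooling; it scans a blob for the UPX marker and falls back to an entropy check, with the 7.2 bits-per-byte threshold and the three sample blobs (an ELF32 big-endian header followed by random bytes standing in for a compressed body) being constructed for the demonstration.

```python
"""Static triage heuristic for packed ELF samples (added example, constructed data)."""
import math
import random

ELF_MAGIC = b"\x7fELF"
UPX_MAGIC = b"UPX!"          # stock UPX leaves this in its l_info header and the trailer
HIGH_ENTROPY = 7.2           # bits per byte; compressed or encrypted data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the whole buffer."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def upx_magic_offsets(blob: bytes) -> list:
    """Every offset at which the stock UPX marker appears."""
    offsets, pos = [], blob.find(UPX_MAGIC)
    while pos != -1:
        offsets.append(pos)
        pos = blob.find(UPX_MAGIC, pos + 1)
    return offsets


def assess_packing(blob: bytes) -> dict:
    """Classify a sample as 'upx-stock' (marker present), 'packed-unknown' (no marker
    but a compressed-looking body, the shape a modified-magic UPX leaves), or 'unpacked'."""
    is_elf = blob.startswith(ELF_MAGIC)
    offsets = upx_magic_offsets(blob)
    entropy = shannon_entropy(blob[64:])        # skip the ELF header region
    if offsets:
        verdict = "upx-stock"
    elif entropy >= HIGH_ENTROPY:
        verdict = "packed-unknown"
    else:
        verdict = "unpacked"
    return {"is_elf": is_elf, "upx_magic_offsets": offsets,
            "entropy": round(entropy, 2), "verdict": verdict}


def constructed_samples() -> dict:
    """Three constructed blobs, not real binaries: stock-UPX-shaped, modified-magic, plain."""
    rng = random.Random(2024)
    body = bytes(rng.getrandbits(8) for _ in range(4096))   # stands in for compressed payload
    # e_ident: ELF magic, EI_CLASS=1 (32-bit), EI_DATA=2 (big-endian), EI_VERSION=1, then padding to 64 bytes
    header = ELF_MAGIC + b"\x01\x02\x01" + bytes(57)
    stock = header + UPX_MAGIC + body + UPX_MAGIC
    modified = stock.replace(UPX_MAGIC, b"\x00\x00\x00\x00")   # marker overwritten, body untouched
    plain = header + b"int main(){return 0;}\n" * 200
    return {"stock": stock, "modified": modified, "plain": plain}
```

A sample that lands in `packed-unknown` is worth running through the emulation approach described above rather than through stock `upx -d`, which will refuse a file whose header and checksums no longer match. The entropy check will also fire on legitimately compressed or encrypted sections, so treat it as a triage hint, not a verdict.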

The malware installs a backdoor script (/etc/rc3.d/S93InitSystemd.sh) to ensure persistence and spawns a process (/usr/bin/iocontrol) that communicates with the C2 server using the MQTT protocol on port 8883.

The Whois record for the attacker’s C2 domain name.

After establishing persistence through the boot script, it connects to the C2 server over MQTT with a GUID-derived identity, sends a "hello" message containing detailed device information gathered through OS commands, and subscribes to a topic on which it receives commands from the C2.
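The persistence path, process path, port and sample hash above are the concrete indicators a defender can hunt for. The script below is an added example for this article, not Claroty's or Cyber Press's tooling: it flags MQTT-over-TLS sessions from devices to brokers that were never provisioned (port 8883 is legitimate on its own, so the signal is an unexpected broker, and the allowlist is an assumption) and checks a device filesystem snapshot for the published paths and hash. The connection records, device addresses and snapshots are constructed.

```python
"""Hunting for the IOCONTROL indicators named in the article (added example, constructed data)."""
import os
from typing import Dict, Iterable, List

# Indicators taken from the article.
PERSISTENCE_SCRIPT = "/etc/rc3.d/S93InitSystemd.sh"
IMPLANT_PATH = "/usr/bin/iocontrol"
SAMPLE_HASH = "1b39f9b2b96a6586c4a11ab2fdbff8fdf16ba5a0ac7603149023d73f33b84498"
MQTT_TLS_PORT = 8883

# Assumption: brokers this fleet legitimately talks to (constructed address).
KNOWN_BROKERS = {"10.0.5.20"}

# Constructed Zeek-style connection records: ts src_ip src_port dst_ip dst_port proto
SAMPLE_CONN_LOG = """\
1733900000.10 10.0.7.31 49152 10.0.5.20 8883 tcp
1733900001.22 10.0.7.31 49153 10.0.7.1 53 udp
1733900002.55 10.0.7.44 51000 203.0.113.9 8883 tcp
1733900003.80 10.0.7.44 51001 203.0.113.9 8883 tcp
1733900004.01 10.0.7.90 40000 198.51.100.7 443 tcp
"""


def suspicious_mqtt_connections(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Flag MQTT-over-TLS sessions to brokers outside the allowlist."""
    findings = []
    for line in lines:
        parts = line.split()
        if len(parts) < 6:                  # skip blank or malformed records
            continue
        ts, src, _sport, dst, dport, proto = parts[:6]
        if proto == "tcp" and dport == str(MQTT_TLS_PORT) and dst not in KNOWN_BROKERS:
            findings.append({"ts": ts, "device": src, "broker": dst})
    return findings


def host_indicators(snapshot: Dict[str, str]) -> List[Dict[str, str]]:
    """Check a {path: sha256} snapshot of a device filesystem for the persistence
    script, the implant path, and the published sample hash."""
    hits = []
    for path, digest in snapshot.items():
        if path == PERSISTENCE_SCRIPT:
            hits.append({"indicator": "persistence_script", "path": path})
        if path == IMPLANT_PATH:
            hits.append({"indicator": "implant_path", "path": path})
        if digest.lower() == SAMPLE_HASH:
            hits.append({"indicator": "known_sample_hash", "path": path})
    return hits


def live_host_indicators() -> List[str]:
    """The same path checks against the real filesystem, for running on a suspect device."""
    return [p for p in (PERSISTENCE_SCRIPT, IMPLANT_PATH) if os.path.exists(p)]


# Constructed device snapshots: one clean, one carrying the published indicators
# (the hash is attached to a constructed dropper path, since the article gives
# the hash for the packed sample, not for the installed binary).
CLEAN_DEVICE = {"/etc/rc3.d/S20network": "aa" * 32, "/usr/bin/busybox": "bb" * 32}
INFECTED_DEVICE = {**CLEAN_DEVICE,
                   PERSISTENCE_SCRIPT: "cc" * 32,
                   IMPLANT_PATH: "dd" * 32,
                   "/tmp/dropper.constructed": SAMPLE_HASH}
```

The rc3.d script name mimics a systemd-related init entry, so a listing of /etc/rc*.d on devices that do not run systemd is a cheap fleet-wide check; the network rule catches the implant even after the on-disk names change, as long as the broker is not one the fleet was provisioned with.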

According to Claroty, IOCONTROL is a versatile OT/IoT malware framework that targets embedded Linux devices and leverages MQTT for covert C2 communication, enabling remote code execution, self-deletion, port scanning, and persistence.

The adaptable malware, detected in Gasboy/ORPAK fuel systems, has compromised diverse IoT and SCADA devices from multiple vendors, showcasing its potential for widespread disruption.

Kaaviya (https://cyberpress.org/)
Kaaviya is a Security Editor and fellow reporter with Cyber Press. She covers various cyber security incidents happening in cyberspace.
