Inside a New OT_IoT Cyberweapon: IOCONTROL.pdf

Document ID: 991842, PDF, 73 pages, 2.86 MB

Inside a New OT/IoT Cyberweapon: IOCONTROL
Noam Moshe, Claroty Team82

$whoami
- Noam Moshe
- Vulnerability researcher and Claroty Team82 Team Lead, mostly breaking IoT clouds.
- Master of Pwn, Pwn2Own ICS

Previously On "Iran's OT Cyber Warfare"
- Nov 23: APT targets Unitronics PLCs
- CyberAv3ngers
- Used in water facilities worldwide
- Fear and Panic

So We Bought a Device
- DB9, RJ11

Digital Forensics: Key Indicators from PLC
1. PLC Name, Model & IO
2. Date and time on PC during download
3. PC username, file title & file download pathway
4. Software version during file creation & modification
5. Connection type to PLC, IP address & port
6. PC operating system & language

Findings:
- At least 3 separate naming conventions
- Identification of exact date and times of compromise to reference back to log data
- At least 3 separate usernames & file pathways
- All compromised programs used old versions of Visilogic
- All PCs running Windows 7 or later and in English

Next On... "Iran's OT Cyber Warfare"
- 14 October 2023
- Infecting Gas Stations?
- SiteOmat360 Station Automation Software
- Hardcoded creds for both HTTP Server and SSH!

IOCONTROL
- OT/IoT Malware
- Baicells, D-Link, Hikvision, Red Lion, Orpak, Phoenix Contact, Teltonika, Unitronics.

Obtaining Sample
- Found sample on VT
- VT zero detections
- ARM 32-bit BE
- Packed

IOCONTROL - Unpacking
- Emulation with Unicorn
- Hooked all syscalls
- Safe execution
- Found out to be modified UPX

IOCONTROL - Unpacking
- Patched UPX
- ABC! / UPX!
- CRC checks

IOCONTROL
- Victim GUID identifier
- Encrypted modular configuration
- Persistency
- DNS over HTTPS
- MQTT C2 communication
- Commands

Victim GUID identifier
- A specific GUID identifies each victim
- Used as seed for encryption
- Easy to binary patch instead of compile

IOCONTROL
- Victim GUID identifier
