Brand-New ICS Malware ‘FrostyGoop’ Aims at Vital Infrastructure
Cybersecurity researchers have discovered what they believe to be the ninth Industrial Control Systems (ICS)-focused malware, used in a disruptive cyber attack on an energy company in the Ukrainian city of Lviv earlier this January.
Industrial cybersecurity company Dragos has named the malware FrostyGoop and describes it as the first malware strain to use Modbus TCP communications directly to disrupt operational technology (OT) networks. Dragos first identified it in April 2024.
“FrostyGoop is an ICS-specific malware scripted in Golang that can interact directly with Industrial Control Systems (ICS) using Modbus TCP on port 502,” researchers Kyle O’Meara, Magpie (Mark) Graham, and Carolyn Ahlers said in a detailed report shared with The Hacker News.
The malware, built mainly to run on Windows systems, is believed to have been used to target ENCO controllers that had TCP port 502 exposed to the internet. It has not been attributed to any previously known threat actor or activity cluster.

FrostyGoop can read and write data in an ICS device’s holding registers, which store inputs, outputs, and configuration data. It also accepts optional command-line arguments, uses JSON-formatted configuration files to specify target IP addresses and Modbus commands, and logs its output to the console and/or a JSON file.
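Because the malware’s effect comes down to ordinary Modbus TCP read and write requests on port 502, a defender watching OT traffic can spot the dangerous ones by parsing the Modbus framing and flagging register-write function codes from hosts that are not approved engineering workstations. The following is an added illustration of that check; it is not code from Dragos, The Hacker News, or FrostyGoop itself. The function codes are standard Modbus; the IP addresses, the OT subnet, the allow-list, and the packet payloads are all constructed for the example.

```python
"""
Passive detection of Modbus TCP write traffic from unapproved hosts.
Added example, not Dragos' or FrostyGoop's code. The OT subnet, the
allow-list of engineering workstations, and the frames are constructed.
"""
import ipaddress
import struct

MODBUS_PORT = 502  # FrostyGoop talks Modbus TCP on port 502 (from the report)

# Standard Modbus function codes that change controller state.
WRITE_FUNCTIONS = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
    0x16: "Mask Write Register",
    0x17: "Read/Write Multiple Registers",
}

# Constructed site policy: only one HMI/engineering host may write.
OT_SUBNET = ipaddress.ip_network("10.10.0.0/16")
ALLOWED_WRITERS = {"10.10.1.5"}


def parse_mbap(frame: bytes) -> dict:
    """Split a Modbus TCP ADU into MBAP header fields and the PDU.

    MBAP = transaction id (2), protocol id (2, must be 0), length (2,
    bytes that follow the length field), unit id (1); then the PDU
    starts with the function code. Raises ValueError on bad framing.
    """
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tx_id, proto_id, length, unit_id, func = struct.unpack(">HHHBB", frame[:8])
    if proto_id != 0:
        raise ValueError(f"protocol id {proto_id} is not Modbus (expected 0)")
    if length != len(frame) - 6:
        raise ValueError(f"length field {length} does not match frame size")
    return {
        "transaction_id": tx_id,
        "unit_id": unit_id,
        "function_code": func,
        "data": frame[8:],
    }


def inspect_flow(src_ip: str, dst_ip: str, dst_port: int, payload: bytes) -> list:
    """Return alert strings for one TCP segment, or [] if nothing is suspicious."""
    if dst_port != MODBUS_PORT:
        return []
    try:
        pdu = parse_mbap(payload)
    except ValueError as err:
        return [f"malformed modbus from {src_ip}: {err}"]
    alerts = []
    if ipaddress.ip_address(src_ip) not in OT_SUBNET:
        alerts.append(f"modbus from outside OT network: {src_ip} -> {dst_ip}")
    fc = pdu["function_code"]
    if fc in WRITE_FUNCTIONS and src_ip not in ALLOWED_WRITERS:
        alerts.append(
            f"unauthorized write ({WRITE_FUNCTIONS[fc]}, unit {pdu['unit_id']}) "
            f"from {src_ip} to {dst_ip}"
        )
    return alerts


# Constructed frames (hex): read holding registers, write single register,
# write multiple registers, and one with a non-zero protocol id.
READ_HOLDING = bytes.fromhex("00010000000601030000000a")
WRITE_SINGLE = bytes.fromhex("000200000006010600100064")
WRITE_MULTI = bytes.fromhex("00030000000b0110000000020400010002")
BAD_PROTO = bytes.fromhex("00040001000601030000000a")

SAMPLE_FLOWS = [  # (src, dst, dst_port, payload), all constructed
    ("10.10.1.5", "10.10.2.20", 502, READ_HOLDING),   # approved HMI reading
    ("10.10.1.5", "10.10.2.20", 502, WRITE_SINGLE),   # approved HMI writing
    ("10.10.1.77", "10.10.2.20", 502, WRITE_MULTI),   # unknown OT host writing
    ("203.0.113.9", "10.10.2.20", 502, WRITE_SINGLE), # internet host writing
    ("10.10.1.77", "10.10.2.20", 502, BAD_PROTO),     # malformed framing
    ("10.10.1.77", "10.10.2.20", 80, b"GET / HTTP/1.1\r\n"),  # not Modbus
]


def run_detection(flows=SAMPLE_FLOWS) -> list:
    """Inspect every flow and return the combined list of alerts."""
    alerts = []
    for src, dst, port, payload in flows:
        alerts.extend(inspect_flow(src, dst, port, payload))
    return alerts


if __name__ == "__main__":
    for line in run_detection():
        print(line)
```

The check only looks at who issues write requests; a compromised allow-listed workstation would pass. In practice it is paired with baselining (which unit ids and register ranges each host normally touches) and with blocking port 502 at the perimeter, since the report’s point is that the targeted controllers were reachable from the internet at all.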
The incident targeting the municipal district energy company is believed to have disrupted heating services to more than 600 apartment buildings for almost 48 hours.
“The perpetrators transmitted Modbus instructions to ENCO controllers, causing incorrect readings and system glitches,” the researchers said in a conference call, noting that initial access was likely gained by exploiting a vulnerability in Mikrotik routers in April 2023.
“Mismanagement took nearly two days,” they added.
While FrostyGoop relies mainly on the Modbus protocol for client/server communications, it is not the only ICS malware to do so. In 2022, Dragos and Mandiant documented another ICS malware, PIPEDREAM (also known as INCONTROLLER), that used several industrial network protocols, including OPC UA, Modbus, and CODESYS, for communication.
This makes FrostyGoop the ninth ICS-focused malware, after Stuxnet, Havex, Industroyer (also known as CrashOverride), Triton (also called Trisis), BlackEnergy2, Industroyer2, and COSMICENERGY.
The malware’s ability to read or modify data on ICS devices via Modbus has serious implications for industrial operations and public safety, Dragos noted, pointing out that more than 46,000 internet-exposed ICS devices communicate over the widely used protocol.
“The deliberate targeting of ICS through Modbus TCP on port 502 and the ability to engage directly with various ICS tools pose a critical menace to vital infrastructure spanning multiple sectors,” the researchers emphasized.
“Organizations need to prioritize the enactment of comprehensive cybersecurity frameworks to shield critical infrastructure from similar threats in the upcoming days.”
