Zoom-In: A Closer Look into the Malware Artifacts, Behaviors and Network Communications
Essential information
- Published
- 19/11/2024 21:59
- Modified
- 20/11/2024 09:22
- Tags
- 2024-11-19 bustleberm critical-infrastructure frostygoop golang industrial control systems modbus tcp ot-malware ukraine
- Related entities
- 3 vulnerabilities (cve), 25 observables, 14 techniques (mitre), 2 malware, 3 others
Description
FrostyGoop, an operational technology (OT) malware, disrupted critical infrastructure in Ukraine in early 2024, affecting heating systems for over 600 apartment buildings. It is the first OT-centric malware to use Modbus TCP communications for such an impact. The malware can operate both within compromised networks and externally if devices are internet-accessible. It sends Modbus commands to read or modify data on industrial control systems. New samples and indicators were uncovered, including configuration files and libraries. The malware is compiled using Go and leverages specific open-source libraries. It implements debugger evasion techniques and can encrypt configuration files. Analysis revealed over 1 million Modbus TCP devices exposed to the internet, highlighting the increasing threat to critical infrastructure.