Mysterious Stuxnet copycat discovered

Researchers stumble on Irongate.

Security researchers have uncovered new malware targeting industrial control systems that uses similar techniques to those employed by the infamous Stuxnet worm.

Infosec firm FireEye today published a report on the 'Irongate' malware it discovered at the end of last year. 

The researchers found the malware within the database of the Google-owned VirusTotal website, which allows users and security researchers to submit suspicious files for scanning by antivirus software.

Two samples of Irongate had been uploaded in 2014 by different sources, the researchers said, but had not been flagged as malicious by any antivirus vendors' scanners.

FireEye only came across the malware while searching VirusTotal for suspicious samples compiled with PyInstaller, a tool that bundles Python scripts into standalone executables, and noticed references to SCADA (supervisory control and data acquisition, the software layer that oversees industrial controllers) in the two Irongate samples.

Irongate uses a technique seen in Stuxnet, which manipulated industrial controllers while feeding the SCADA systems that operators rely on readings that concealed what was really happening to the process.

The Irongate samples FireEye found were crafted to "manipulate a specific industrial process running within a simulated Siemens control system environment", the firm wrote.

The malware replaces a legitimate dynamic link library (DLL) with a malicious one. In the targeted setup, that DLL brokers communication between the monitoring software and the programmable logic controller (PLC), the hardware that monitors and controls physical processes such as opening and closing valves.

Irongate's main goal is to establish a man-in-the-middle position to manipulate the data coming from PLCs to hide its malicious efforts - the same approach taken by Stuxnet.

However, the two malware strains differ in how they hide their activity from the targeted environment: Irongate records and replays data to mask what it is doing, while Stuxnet simply suspended normal process operation once it had achieved its aim.

"This malicious DLL records five seconds of 'normal' traffic from a PLC to the user interface and replays it, while sending different data back to the PLC. This could allow an attacker to alter a controlled process unbeknownst to process operators," FireEye wrote of Irongate.
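The record-and-replay behaviour described in that quote, as an added simulation that is not from the FireEye report or the Irongate samples: a toy PLC, a toy HMI polling loop, and a stand-in for the trojanised DLL that caches five seconds of normal PLC-to-HMI readings, loops them back to the operator, and silently rewrites the operator's setpoint on the way to the PLC. The polling rate, the process model and the attacker's setpoint are assumptions chosen for illustration. A small monitoring heuristic is included at the end: a live reading stream never repeats bit-for-bit, a looped cache does.

```python
"""Toy simulation of the record-and-replay man-in-the-middle technique that
FireEye described for Irongate.  Constructed example: the PLC, the HMI loop
and the stand-in for the trojanised DLL are small Python objects, not the
malware or any Siemens component, and the rates below are assumptions."""
import math
from typing import List, Tuple

SAMPLE_RATE_HZ = 10                       # assumed HMI polling rate
RECORD_SECONDS = 5                        # Irongate reportedly cached five seconds
WINDOW = SAMPLE_RATE_HZ * RECORD_SECONDS  # samples cached before replay starts
RIPPLE_PERIOD = 20                        # assumed natural oscillation of the process


class SimulatedPLC:
    """Toy controller: first-order response toward a setpoint plus a small ripple."""

    def __init__(self, setpoint: float) -> None:
        self.setpoint = setpoint
        self.value = setpoint
        self.tick = 0

    def write_setpoint(self, setpoint: float) -> None:
        self.setpoint = setpoint

    def read_value(self) -> float:
        self.tick += 1
        self.value += 0.1 * (self.setpoint - self.value)
        ripple = 2.0 * math.sin(2 * math.pi * self.tick / RIPPLE_PERIOD)
        return round(self.value + ripple, 3)


class ReplayProxy:
    """Stands in for the malicious DLL sitting between the HMI and the PLC.

    Recording phase: traffic passes through untouched while PLC->HMI readings
    are cached.  Replay phase: the cached 'normal' readings are looped back to
    the HMI while HMI->PLC writes are silently replaced with the attacker's."""

    def __init__(self, plc: SimulatedPLC, attacker_setpoint: float) -> None:
        self.plc = plc
        self.attacker_setpoint = attacker_setpoint
        self.recorded: List[float] = []
        self.replay_index = 0

    @property
    def replaying(self) -> bool:
        return len(self.recorded) >= WINDOW

    def hmi_write(self, setpoint: float) -> None:
        """HMI -> PLC: the operator's setpoint is swapped once replay begins."""
        self.plc.write_setpoint(self.attacker_setpoint if self.replaying else setpoint)

    def hmi_read(self) -> float:
        """PLC -> HMI: real reading while recording, looped cache afterwards."""
        real = self.plc.read_value()          # the PLC keeps running regardless
        if not self.replaying:
            self.recorded.append(real)
            return real
        shown = self.recorded[self.replay_index]
        self.replay_index = (self.replay_index + 1) % WINDOW
        return shown


def run(ticks: int, attack: bool, operator_setpoint: float = 50.0,
        attacker_setpoint: float = 95.0) -> Tuple[List[float], List[float]]:
    """Returns (what the HMI displays, what the process actually did) per tick."""
    plc = SimulatedPLC(operator_setpoint)
    proxy = ReplayProxy(plc, attacker_setpoint)
    shown, actual = [], []
    for _ in range(ticks):
        if attack:
            proxy.hmi_write(operator_setpoint)   # operator never changes it
            shown.append(proxy.hmi_read())
        else:
            plc.write_setpoint(operator_setpoint)
            shown.append(plc.read_value())
        actual.append(round(plc.value, 3))       # out-of-band view of the process
    return shown, actual


def exact_repeat(samples: List[float], period: int) -> bool:
    """Monitoring heuristic: True if every sample equals the one `period`
    ticks earlier, which a genuine noisy process does not do."""
    if len(samples) < 2 * period:
        return False
    return all(samples[i] == samples[i - period] for i in range(period, len(samples)))


if __name__ == "__main__":
    shown, actual = run(200, attack=True)
    print("operator sees:", shown[-1], " process really at:", actual[-1])
    print("looped cache detected:", exact_repeat(shown, WINDOW))
```

Running the attacked simulation, the HMI keeps showing values around the operator's setpoint of 50 while the process has been driven to the attacker's 95; the clean run shows no exact repetition, the attacked stream does. The heuristic only works when the monitoring point is independent of the compromised path, which is the practical reason passive network monitoring of PLC traffic, rather than trusting the HMI's own display, is useful against this class of manipulation.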

Additionally, where Stuxnet hunted for antivirus software, Irongate checks for virtual machine and sandbox environments such as VMware or Cuckoo Sandbox and won't execute its payload if it finds one.

FireEye said it has not been able to identify the creator of the malware or their motives.

Real world threat uncertain

The firm noted, however, that the Irongate samples appear at this stage to be a proof of concept or part of a research effort into attack techniques.

The firm said Siemens had confirmed the malware does not work against its operational systems and does not exploit any flaws in its products.

But given the malware first appeared in 2014, the researchers said it should serve as a wake-up call to operators of industrial systems to shore up their security.

"Even though process operators face no increased risk from the currently identified members of the Irongate malware family, Irongate provides valuable insight into adversary mindset," they wrote.

"Network security monitoring, indicator of compromise (IoC) matching, and good practice guidance from vendors and other stakeholders represent important defensive techniques for ICS networks."
