ICS Threat Analysis: New Malware Can Kill Engineering Processes

Dec. 18, 2024, 3:07 p.m.

Description

An analysis of a public malware repository reveals a persistent presence of OT/ICS malware, with engineering workstations being a significant target. Two notable clusters were identified: Mitsubishi engineering workstation software infected with the Ramnit worm, and a new experimental malware named Chaya_003 capable of terminating Siemens engineering processes. The research highlights the evolving threat landscape in OT/ICS environments, emphasizing the need for enhanced security measures. Recommendations include hardening engineering workstations, proper network segmentation, and implementing comprehensive threat monitoring solutions across both IT and OT systems.

External References

https://www.forescout.com/blog/ics-threat-analysis-new-experimental-malware-can-kill-engineering-processes/
https://otx.alienvault.com/pulse/6762dfa9d2336cb75f51de3c
Tags
2024-12-18
ramnit
ics
engineering workstations
ot
siemens
chaya_003
discord c2
process termination
mitsubishi

Date

  • Created: Dec. 18, 2024, 2:43 p.m.
  • Published: Dec. 18, 2024, 2:43 p.m.
  • Modified: Dec. 18, 2024, 3:07 p.m.

Indicators

  • fd8558b8a4165ebb47f120fa237c2ada306c430ae4cb2109eb644fd8b0b82b15
  • fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
  • c1826e0d310a6a02f2ee1b5d88b6c0dd48baa8fe1dd99447e98e42c4ca023c96
  • b16a67f49ce5aa057236d2bff3e1ab2dcc2c6d3f2551e4520f54e125b2e289d8
  • ad5922bcc740e5761a708c526d023450ca278168ebcefaaf80f85815d6d6d24e
  • a1d721db0583eed0077bb8ab542ff15a806d24e2dbf13557b12842bd49995354
  • 9579c6987ac8969d0b0cc0cc2a9da3b034fac41525d96fa79fa02d05813e70f9
  • 8b585155cdc7fcbe3d2fa169b307756557ef0d69afb392726f577a73f11d5a97
  • 703f0aac78d388f1fbe3800697015d092fa70cea2c01f22f456c8b1aa20a2334
  • 69eb2b940ba1fc7bc46699eeb3ff11d921683609f636efae05c0cb796b588a38
  • 5ec05f903cc94d559b8eb23aa749805b78de2845bd2317017bc8e50cdceb613f
  • 5b63ca75f95dc549729bb6261e9dc22f6425547584366188770507bd964221b4
  • 517e35b32c4a1dedb155bbd208422cd5c5d34b5ec378712b7e8182fd26473c7e
  • 1f1035b91db1264eb94aa055cdb50f35f0c27744e77e74b7031e099b112a5837
  • 1b8957804dfa7324d10bf6d7ca22fc038951ab57ab1e6838da9c63ad057c1d20
  • x86assembly.xyz
  • grpaper.com
  • az-security.info
  • 432i.com
  • 0g0d.com
Download all indicators here!

Attack Patterns

  • Chaya_003
  • Ramnit
  • T1489
  • T1518
  • T1082
  • T1057
  • T1071
  • T1102
  • T1204
  • T1553
  • T1059

Additional Informations

  • Energy
  • Manufacturing
  • Belgium
  • Canada
  • United Kingdom of Great Britain and Northern Ireland
  • United States of America