Inside a New OT/IoT Cyberweapon: IOCONTROL

Dec. 11, 2024, 7:35 p.m.

Description

Team82 analyzed a sample of IOCONTROL, a custom-built IoT/OT malware used by Iran-affiliated attackers to target devices in Israel and the U.S. The malware affects various IoT and SCADA/OT devices, including IP cameras, routers, PLCs, HMIs, and firewalls from multiple vendors. IOCONTROL is believed to be part of a global cyber operation against Western IoT and OT devices, likely used as a cyberweapon by a nation-state to attack civilian critical infrastructure. The malware uses the MQTT protocol for C2 communication and employs stealth techniques such as DNS over HTTPS. It has capabilities for arbitrary code execution, self-deletion, port scanning, and persistence through installation as a daemon.

Date

  • Created: Dec. 11, 2024, 7:19 p.m.
  • Published: Dec. 11, 2024, 7:19 p.m.
  • Modified: Dec. 11, 2024, 7:35 p.m.

Indicators

  • 1b39f9b2b96a6586c4a11ab2fdbff8fdf16ba5a0ac7603149023d73f33b84498
  • 159.100.6.69
  • uuokhhfsdlk.tylarion867mino.com
  • ocferda.com

Attack Patterns

Additional Information

  • Energy
  • Government
  • Israel
  • United States of America