Zoom-In: A Closer Look into the Malware Artifacts, Behaviors and Network Communications
Nov. 20, 2024, 9:22 a.m.
Tags
External References
Description
FrostyGoop, an operational technology (OT) malware, disrupted critical infrastructure in Ukraine in early 2024, affecting heating systems for over 600 apartment buildings. It is the first OT-centric malware to use Modbus TCP communications for such an impact. The malware can operate both within compromised networks and externally if devices are internet-accessible. It sends Modbus commands to read or modify data on industrial control systems. New samples and indicators were uncovered, including configuration files and libraries. The malware is compiled using Go and leverages specific open-source libraries. It implements debugger evasion techniques and can encrypt configuration files. Analysis revealed over 1 million Modbus TCP devices exposed to the internet, highlighting the increasing threat to critical infrastructure.
Date
Published: Nov. 19, 2024, 9:59 p.m.
Created: Nov. 19, 2024, 9:59 p.m.
Modified: Nov. 20, 2024, 9:22 a.m.
Indicators
Attack Patterns
BUSTLEBERM
FrostyGoop
T1588.001
T1588.002
T1571
T1497
T1095
T1573
T1106
T1082
T1057
T1083
T1140
T1132
T1027
T1059
CVE-2023-33538
CVE-2024-0012
CVE-2023-50358
Additional Information
Energy
Romania
Ukraine