FireEye Labs published yesterday (2/6/2016) a report about a new strain of malware, targeting industrial control systems (ICS) and supervisory control and data acquisition (SCADA).

It works similarly to the famous Stuxnet malware, replacing the DLL implementing the communication functionality between the monitoring software and the physical component – the programmable logic controller (PLC).

After IronGate successfully deployed its malicious DLL it can both send commands to the PLC and control the displayed status in the monitoring equipment. This enables the entity behind the malware to perform any kind of devastating attack you can think of, for example:

  • Shutting down key elements in sensitive systems while sending data to the monitoring system as they are operating as they should be.
  • Overloading machinery and causing it unrecoverable damage, with potential violent results. Again, the ability to fool the monitoring system is the ace in the sleeve, enabling the attack to go unnoticed before serious damage is done.

This latter one is exactly what Stuxnet, the world’s first digital weapon, has done. According to unofficial reports it increased the pressure in delicate uranium  centrifuges, causing them permanent damage, while fooling monitors to display lower values.

Preventing BEFORE Any Damage is Done

IronGate is a multi-stage malware, written in Python and compiled to a windows executable by PyInstaller. In order to evade detection, it uses virtual machine detection techniques. This enables the malware to sneak through sandbox solutions which fail to hide the fact that they are running over virtualization infrastructure. In Minerva, we use this feature of the malware against it – making it feel like it is still in the sandbox while it actually already arrived to its target. We don’t mind if the malware is a compiled Python script or a Java executable like the jRAT Trojan – if you try to evade security products we’ll get you, if you’re not – they will.

This approach has proven itself once again with this piece of malware. Below is a trace of IronGate’s first stage, executed in our lab on a Minerva-protected machine:

You may see how it avoids deploying its advanced modules and halts its execution after traces of virtual machine are spotted.

This is for comparison the trace of the very same malware sample on unprotected machine, note how it starts to deploy later stage immediately after it completes the environmental tests:

Our solution stops the clock on the malware BEFORE it deployed the dangerous DLL and BEFORE other security vendors detected it.

Want to see us in action? Request a demo!