
Security analysts working for Dragos, a Baltimore-based Industrial Control Systems (ICS) security company, have released an in-depth review of their findings on a new malware, which they have named FrostyGoop, that targets Industrial Control Systems.
Dragos discovered the malware in April this year and, according to them, FrostyGoop is the ninth known ICS malware in circulation; what makes it unique is that it is the first ICS-specific malware seen to use Modbus TCP communications to directly impact Operational Technology (OT) systems.
As part of the research into the malware, the Cyber Security Situation Center (CSSC) of the Security Service of Ukraine (Служба безпеки України) shared details with Dragos of a cyber attack on a district energy company in Ukraine which resulted in a two-day loss of heating to customers.
FrostyGoop was assessed to have been used in the attack, which successfully shut off the electricity to 600 apartment buildings in the midst of sub-zero temperatures in January this year.
The adversaries sent malicious Modbus commands to the ENCO controllers used by the energy company, causing inaccurate measurements and system malfunctions.

ENCO control is a universal programmable controller designed for the control of district heating substation modules or boiler plant processes, parameter logging and remote modification, transfer of archived data, and retrieval of metering device readings.
During the investigation into the attack, a discovery was made suggesting that the adversaries possibly gained access to the victim network months earlier by exploiting an undetermined vulnerability in an externally facing router.
Subsequently, the threat actors deployed a webshell with tunnel capabilities which was accessed predominantly via Tor IP addresses.
The investigation revealed that the adversaries retrieved the contents of the Security Account Manager (SAM) registry hive, allowing them to obtain user credentials from the system.
In January 2024, adversaries initiated L2TP (Layer Two Tunnelling Protocol) connections to Moscow-based IP addresses.
The investigation showed that the network assets of the victim company, including the router, servers, and district heating system controllers, were not adequately segmented, which facilitated the attack.
What is FrostyGoop?
From their analysis of the binaries, Dragos researchers have identified that FrostyGoop is written in Golang (Go), is compiled for Windows systems, and is capable of reading from and writing to an ICS device's holding registers, which contain input, output, and configuration data.
The information required to initiate a TCP connection and send Modbus commands to a victim ICS device can be specified as command-line arguments or contained within a separate JSON configuration file, indicating that the attacks can be played out in real time by a remote operator or run autonomously. The malware uses separate configuration files to specify target IP addresses and Modbus commands, and logs output to a console and/or a JSON file.
FrostyGoop first checks whether it is running with the required command-line arguments, and exits if none are provided.
Analysis showed that the specific arguments vary by sample, but the functionality remains the same.
Arguments accepted by FrostyGoop include data such as:
- IP addresses specifying the target device to communicate with
- A “mode” option that correlates to a Modbus command to execute on the ICS device (Read Holding Registers, Write to Single Holding Register, Write to Multiple Holding Registers)
- A Modbus register address on the target ICS device to send Modbus commands to
- A JSON configuration file name; there are two different configuration files accepted by FrostyGoop:
  - A configuration file containing victim device information such as IP address, Modbus commands, and Modbus register addresses
  - A configuration file containing a specific time to begin Modbus TCP communications with the victim device and various lengths of delay before executing Modbus commands
- A file name to save logging output to
FrostyGoop implements three Modbus commands:
- Command Code 3 – Read Holding Registers – Used to read the value currently in a Modbus holding register (or contiguous block of holding registers)
- Command Code 6 – Write Single Register – Used to write a value to a holding register
- Command Code 16 – Write Multiple Holding Registers – Used to write values to a block of contiguous registers
What is Modbus?
Developed in 1979 by Modicon, Modbus is a client/server data communications protocol that runs at the application layer. It was originally designed for use with Modicon's programmable logic controllers (PLCs), but has become a de facto standard protocol for communication between Industrial Control Systems over a wide range of buses and networks.
Modbus is popular in industrial environments mainly because it is openly published and royalty-free. The protocol is maintained by the Modbus Organization Inc., a trade organisation of users and suppliers of Modbus-capable equipment.
Although it can be transmitted over various buses, many implementations of Modbus run over Ethernet using TCP/IP as the network protocol. In such environments Modbus communicates on TCP port 502.
As mentioned previously, Modbus has become the de facto protocol used in ICS / OT environments. A cursory search on Shodan.io for Internet-exposed services on port 502 reveals almost 600,000 devices.
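The three function codes listed above and the Modbus/TCP framing described in this section are what a network defender would key on: a decoder that splits the 7-byte MBAP header from the PDU, recognises codes 3, 6 and 16, and raises an alert when a write (6 or 16) comes from a host that is not an approved engineering workstation. The following is an added example written for this article, not code from Dragos or from the malware; the SCADA server address 10.0.5.20, the unknown host 192.0.2.77 and the captured frames are constructed.

```python
import struct
from collections import namedtuple

# Function codes the article lists as implemented by FrostyGoop; 6 and 16 change controller state.
READ_HOLDING_REGISTERS, WRITE_SINGLE_REGISTER, WRITE_MULTIPLE_REGISTERS = 3, 6, 16
WRITE_CODES = {WRITE_SINGLE_REGISTER, WRITE_MULTIPLE_REGISTERS}

# address = first holding register touched, quantity = registers read or written,
# values = register values written (empty tuple for reads)
ModbusRequest = namedtuple("ModbusRequest", "transaction_id unit_id function_code address quantity values")

def parse_modbus_tcp_request(frame: bytes) -> ModbusRequest:
    """Decode one Modbus/TCP request ADU: 7-byte MBAP header, then the PDU."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit, fc = struct.unpack(">HHHBB", frame[:8])
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("bad MBAP header: protocol id must be 0 and length must match")
    pdu = frame[8:]
    if fc in (READ_HOLDING_REGISTERS, WRITE_SINGLE_REGISTER):
        addr, word = struct.unpack(">HH", pdu[:4])  # word = quantity (FC3) or value (FC6)
        if fc == READ_HOLDING_REGISTERS:
            return ModbusRequest(tid, unit, fc, addr, word, ())
        return ModbusRequest(tid, unit, fc, addr, 1, (word,))
    if fc == WRITE_MULTIPLE_REGISTERS:
        addr, qty, byte_count = struct.unpack(">HHB", pdu[:5])
        if byte_count != 2 * qty or len(pdu) != 5 + byte_count:
            raise ValueError("register count and byte count disagree")
        return ModbusRequest(tid, unit, fc, addr, qty, struct.unpack(f">{qty}H", pdu[5:]))
    raise ValueError(f"function code {fc} not handled here")

def alert_unexpected_writes(capture, allowed_writers):
    """One alert per write request whose source is not an approved engineering host."""
    alerts = []
    for src, frame in capture:
        req = parse_modbus_tcp_request(frame)
        if req.function_code in WRITE_CODES and src not in allowed_writers:
            alerts.append(f"{src} FC{req.function_code} wrote {list(req.values)} "
                          f"at register {req.address} (unit {req.unit_id})")
    return alerts

# Constructed sample traffic (not from the incident): a read and a write from the
# hypothetical SCADA server 10.0.5.20, then a multi-register write from an unknown host.
SAMPLE_CAPTURE = [
    ("10.0.5.20", bytes.fromhex("00010000000601030000000a")),             # FC3: read 10 regs at 0
    ("10.0.5.20", bytes.fromhex("000200000006010600100000")),             # FC6: write 0 to reg 16
    ("192.0.2.77", bytes.fromhex("00030000000b0110002000020400010002")),  # FC16: write 1,2 at 32
]
ALLOWED_WRITERS = {"10.0.5.20"}
```

Running `alert_unexpected_writes(SAMPLE_CAPTURE, ALLOWED_WRITERS)` flags only the FC16 write from 192.0.2.77; the same allowlist logic applied to port 502 traffic between the IT network and the heating controllers would have exposed the unsegmented path the investigation describes.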
