FrostyGoop’s Zoom-In: A Closer Look into the Malware Artifacts, Behaviors and Network Communications
#FrostyGoop
https://unit42.paloaltonetworks.com/frostygoop-malware-analysis/

We analyze FrostyGoop malware, which targets OT systems. This article walks through newly discovered samples, indicators, and also examines configurations and network communications.

Unit 42

Some people seem surprised that APT malware, like the recent FrostyGoop sample (what's with this name, btw?), is a relatively simple piece of code with no obfuscation and big chunks of code copied from open-source repos on GitHub.

There is one thing you need to understand about state-sponsored actors. They don't do it for the internet clout (at least most of them). They only care about finishing their mission given to them by their commanders. So they will use whatever works for them.

Despite what some people think, obfuscation is mostly used to defeat AV/EDR signature detection, not to thwart manual reverse-engineering (this is only a good side-effect). If the devices you are targeting (like ICS or edge devices) do not traditionally run AV/EDR products, there is no point in wasting time obfuscating your code. Plus there's always a risk of obfuscation breaking the code, or introducing new bugs, and each obfuscated sample should be tested (again more wasted time).

As for the GitHub code - APTs LOVE Open Source. Again, despite what some people think, these groups do not have unlimited resources. In particular, time is limited to 24 hours a day for them, like for every human being. Could they develop similar in-house code? Most of them probably could, but this would waste months of development and testing. Here they have code that simply works, it's easily accessible, and as a bonus it has been tested by thousands of volunteers across the world. It's a win-win situation.

If you look at the malware that Chinese groups use on edge devices (I will talk more about this at BSides SG this year, btw - spoiler alert!), it looks mostly similar. No obfuscation, big chunks of code copied from GitHub with slight modifications, or even simply GitHub code 1:1.

On the other hand, these groups can be "advanced" when they need to. They have deep operational knowledge of their targets, they know how to move stealthily while inside the network, and how to hide in plain sight. Most importantly they know how to complete their mission objectives (of course caveats apply to all of these points) - something I saw many RedTeams struggle with (but they had crazy EDR bypasses and obfuscations, only no idea how to finish their mission ;) )

#frostygoop #malware #apt #threatintelligence

and here I thought #FrostyGoop was the Gwyneth Paltrow winter collection
FrostyGoop ICS malware targets Ukraine

In April 2024, Dragos researchers spotted the malware FrostyGoop that interacts with ICS using the Modbus protocol.

Security Affairs

New ICS Malware 'FrostyGoop' Targeting Critical Infrastructure

Date: July 23, 2024

CVE: N/A

Vulnerability Type: Exploitation of Modbus TCP communication

CWE: CWE-668, CWE-20, CWE-74

Sources: The Hacker News, Yahoo News, Dragos

Synopsis

FrostyGoop is a newly identified malware designed to target Industrial Control Systems (ICS) by exploiting Modbus TCP communication protocols. This malware caused significant disruption to critical infrastructure in Lviv, Ukraine, earlier this year.

Issue Summary

In January 2024, FrostyGoop malware targeted an energy company in Lviv, resulting in a 48-hour loss of heating services to over 600 apartment buildings. This malware interacts directly with ICS devices using Modbus TCP over port 502, making it a serious threat to critical infrastructure.

Technical Key Findings

FrostyGoop, written in Golang, can read and write to ICS device registers and uses JSON-formatted configuration files to target specific IP addresses and Modbus commands. Initial access was likely gained through a vulnerability in Mikrotik routers.

Vulnerable Products

ENCO controllers with TCP port 502 exposed and ICS devices using Modbus TCP are particularly vulnerable to this malware.

Impact Assessment

The malware's ability to manipulate ICS devices can lead to significant operational disruptions, inaccurate system measurements, and potential safety hazards, affecting public safety and industrial operations.

Patches or Workarounds

Currently, there are no specific patches available for FrostyGoop.

#FrostyGoop #ICS #ModbusTCP #CriticalInfrastructure #CyberAttack #EnergySector #Ukraine #Dragos #IndustrialControlSystems #Golang #MikrotikVulnerability

New ICS Malware 'FrostyGoop' Targeting Critical Infrastructure

Discover FrostyGoop, a new ICS malware targeting energy sectors. Learn about its Modbus TCP exploitation and impact on critical infrastructure.

The Hacker News
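A defender-side illustration of the behaviour the post above describes (Modbus TCP over port 502, register reads and writes): parse the Modbus/TCP MBAP header and flag write function codes (0x05, 0x06, 0x0F, 0x10) sent to port 502 from hosts that are not known engineering or HMI stations. This is an added example, not code from the post or from any cited vendor; the packets, IP addresses and the allow-list are constructed.

```python
import struct

MODBUS_PORT = 502
# Function codes that change device state; reads (0x01-0x04) are never flagged.
WRITE_FUNCTIONS = {0x05: "Write Single Coil", 0x06: "Write Single Register",
                   0x0F: "Write Multiple Coils", 0x10: "Write Multiple Registers"}

def parse_mbap(frame: bytes) -> dict:
    """Parse the 7-byte MBAP header and the start of the PDU of a Modbus/TCP request."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus (0)")
    if length != len(frame) - 6:  # length field counts unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    pdu = frame[7:]
    req = {"tid": tid, "unit": unit, "function": pdu[0]}
    if pdu[0] in (0x05, 0x06) and len(pdu) >= 5:    # single coil/register: address, value
        req["address"], req["value"] = struct.unpack(">HH", pdu[1:5])
    elif pdu[0] in (0x0F, 0x10) and len(pdu) >= 5:  # multiple: starting address, quantity
        req["address"], req["quantity"] = struct.unpack(">HH", pdu[1:5])
    return req

def flag_writes(packets, allowed_writers):
    """Return (src, dst, request) for every Modbus write not sent by an allowed host."""
    alerts = []
    for src, dst, dport, payload in packets:
        if dport != MODBUS_PORT:
            continue
        try:
            req = parse_mbap(payload)
        except ValueError:
            continue  # malformed or non-Modbus payload on 502: not a parseable write request
        if req["function"] in WRITE_FUNCTIONS and src not in allowed_writers:
            alerts.append((src, dst, req))
    return alerts

# Constructed sample traffic: (src_ip, dst_ip, dst_port, raw TCP payload). Not real captures.
SAMPLE_PACKETS = [
    ("10.0.0.5", "10.0.1.20", 502, bytes.fromhex("0001000000060103000A0002")),  # HMI read, FC 03
    ("10.0.0.5", "10.0.1.20", 502, bytes.fromhex("000200000006010600100064")),  # HMI setpoint write
    ("10.0.9.99", "10.0.1.20", 502, bytes.fromhex("000300000006010600100000")),  # unknown host, FC 06
    ("10.0.9.99", "10.0.1.21", 502, bytes.fromhex("00040000000B0110002000020400000000")),  # FC 10
    ("10.0.9.99", "10.0.1.20", 502, bytes.fromhex("000500010006010600100000")),  # bad protocol id
]
ALLOWED_WRITERS = {"10.0.0.5"}  # assumed engineering/HMI station allowed to write
if __name__ == "__main__":
    for src, dst, req in flag_writes(SAMPLE_PACKETS, ALLOWED_WRITERS):
        print(f"ALERT {src} -> {dst}: {WRITE_FUNCTIONS[req['function']]} {req}")
```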

FrostyGoop malware used to shut down heat in Ukraine attack

#frostyGoop
https://www.theregister.com/2024/07/23/frostygoop_ics_malware/

FrostyGoop malware shut off heat to 600 Ukraine apartment buildings

First nasty to exploit Modbus to screw with operational tech devices

The Register