Botnet malware disguises itself as password cracker for industrial controllers
All you have to do is purchase the tool, run it on a Windows PC connected to the industrial controller via serial cable, click a button, and the password for the equipment is revealed.
Under the hood, the software exploits a vulnerability, tracked as CVE-2022-2003, in the Automation Direct device's firmware to retrieve the password in plaintext on command.
At the same time, the software infects the PC with the Sality malware.
The Sality malware family has been around for almost two decades, first being detected in 2003, and can be commanded by its masterminds to perform other malicious actions, such as attacking routers, F-Secure analysts wrote in a report.
Sality maintains persistence on the host PC through process injection and file infection, and abuses Windows' autorun functionality to spread copies of itself over USB, network shares, and external storage drives, according to Dragos.
Dragos said it found several websites and multiple social media accounts pushing the booby-trapped password crackers, illustrating an ecosystem for such software.
News URL
https://go.theregister.com/feed/www.theregister.com/2022/07/18/password-sality-malware/
Related news
- BadBox malware botnet infects 192,000 Android devices despite disruption
- Malware botnets exploit outdated D-Link routers in recent attacks
- MikroTik botnet uses misconfigured SPF DNS records to spread malware
- New Aquabotv3 botnet malware targets Mitel command injection flaw
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK
---|---|---|---
2022-08-31 | CVE-2022-2003 | Unspecified vulnerability in AutomationDirect products: AutomationDirect DirectLOGIC is vulnerable to a specifically crafted serial message to the CPU serial port that causes the PLC to respond with the PLC password in cleartext. | 9.1