Security News > 2022 > July > Botnet malware disguises itself as password cracker for industrial controllers

Botnet malware disguises itself as password cracker for industrial controllers
2022-07-18 19:12

All you have to do is purchase the tool, run it on a Windows PC connected to the industrial controller via serial cable, click a button, and the password for the equipment is revealed.

Under the hood, the software exploits a vulnerability - tracked as CVE-2022-2003 - in the device's Automation Direct firmware to retrieve the password in plain-text on command.

The software is infecting the PC with the Sality malware.

The Sality malware family has been around for almost two decades, first being detected in 2003, and can be commanded by its masterminds to perform other malicious actions, such as attacking routers, F-Secure analysts wrote in a report.

Sality maintains persistence on the host PC through process injection and file infection, and abusing Windows' autorun functionality to spread copies of itself over USB, network shares, and external storage drives, according to Dragos.

Dragos said it found several websites and multiple social media accounts pushing the booby-trapped password crackers, illustrating an ecosystem for such software.


News URL

https://go.theregister.com/feed/www.theregister.com/2022/07/18/password-sality-malware/

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2022-08-31 CVE-2022-2003 Unspecified vulnerability in Automationdirect products
AutomationDirect DirectLOGIC is vulnerable to a specifically crafted serial message to the CPU serial port that will cause the PLC to respond with the PLC password in cleartext.
network
low complexity
automationdirect
critical
9.1