Security researchers have discovered a sophisticated piece of malware that uses tricks from the Stuxnet sabotage malware and is specifically designed to target industrial control systems (ICS) and supervisory control and data acquisition (SCADA) systems.
Researchers at the security firm FireEye Labs Advanced Reverse Engineering said on Thursday that the malware, dubbed "IRONGATE," affects Siemens industrial control systems.
The malware only works in a simulated environment and is probably just a proof-of-concept that has likely not been used in the wild; it is therefore not yet advanced enough to impact real-world systems.
The Irongate malware "is not viable against operational Siemens control systems," the cybersecurity firm said in its blog post, and the malware "does not exploit any vulnerabilities in Siemens products."
The researchers found this malware fascinating due to its mode of operation that included some Stuxnet-like behavior.
The Stuxnet sabotage malware was allegedly developed by the United States and Israel to disrupt Iran's nuclear facility and destroyed several of the country's uranium enrichment centrifuges.
Just like Stuxnet, Irongate uses a Man-in-the-Middle (MitM) technique to inject itself between the PLC (Programmable Logic Controller) and the legitimate monitoring software, checks for defenses before detonating, and masks its tracks.
Moreover, to achieve this MitM, Irongate, like Stuxnet, replaces a valid Dynamic Link Library (DLL) file with a malicious copy, potentially allowing the malware to target a particular control system configuration.
A DLL is a small piece of code that can be used by different programs at the same time.
However, the researchers note that Irongate doesn’t compare to Stuxnet in terms of complexity, ability to propagate, or geopolitical implications.
Moreover, Irongate differs from Stuxnet in the way it avoids detection. While Stuxnet only looked for the presence of various antivirus software on the target systems, Irongate looks for sandbox environments such as VMware and Cuckoo Sandbox.
FireEye says the firm detected several versions of Irongate on the malware database VirusTotal in the second half of 2015, but researchers managed to trace two malware samples back to September 2014.
The research team doesn't think that Irongate was written by Stuxnet's authors, as Irongate does not show the level of sophistication one would expect from a nation state.
FireEye says Irongate could be a proof-of-concept, a research project, or just a test, which is why the firm went public with the details in order to find out more about the malware sample.
But the question still remains: Who wrote Irongate?