Tainted Password-Cracking Software Used to Deliver Sality Malware

During a routine vulnerability assessment, researchers from Dragos discovered a small-scale campaign targeting industrial engineers and operators.

Experts say threat actors used multiple accounts across several social media platforms to advertise password-cracking software for Programmable Logic Controller (PLC), Human-Machine Interface (HMI), and project files.

Advertisements promoting the crackers (Dragos)

Dragos experts examined the scenario affecting DirectLogic PLCs from Automation Direct and found that the ‘cracking software’ was exploiting a known vulnerability in the device to extract the password.

Password “Cracking” Software As Seen By a User

“It is found that this exploit does not crack a scrambled version of the password as historically seen in popular exploitation frameworks. Instead, a specific byte sequence is sent by the malware dropper to a COM port,” says Dragos.

The malware holds a serial-only version of the exploit, which requires the user to have a direct serial connection from an Engineering Workstation (EWS) to the PLC. The vulnerability is tracked as CVE-2022-2003 and was responsibly disclosed to Automation Direct.

UDP Response from the PLC Containing the Password

Sality Malware

Sality refers to an old, large family of viruses that infect executable files. Modern Sality variants can, among other things, act as a backdoor and connect infected machines to a botnet.

Sality is a peer-to-peer botnet used for distributed computing tasks such as password cracking and cryptocurrency mining. A Sality infection could give an unknown adversary remote access to an EWS.

It employs process injection and file infection to maintain persistence on the host, and it abuses Windows’ autorun functionality to spread copies of itself over Universal Serial Bus (USB) drives, network shares, and external storage drives.
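The autorun abuse described above works through an autorun.inf file placed in the root of a removable drive or share. As an added illustration from the defender's side (this is not code from Dragos or from the article), the following script parses such files and flags entries that would launch an executable on insertion. The two autorun.inf samples it checks are constructed for the demonstration; the file names in them are placeholders, not indicators from the report.

```python
"""Parse autorun.inf files from drive roots and flag entries that launch code.

Added example, not part of the Dragos report or the article. The sample
autorun.inf contents built in demo() are constructed for illustration.
"""
from __future__ import annotations

import tempfile
from pathlib import Path
from typing import Dict, Iterable, List

# Keys in the [autorun] section that make Windows run a program on insertion.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command")
# Extensions that indicate an executable target rather than a document.
EXECUTABLE_SUFFIXES = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js"}


def parse_autorun(text: str) -> Dict[str, str]:
    """Return the launch-related keys of the [autorun] section, keys lower-cased.

    A hand-rolled parser is used so that malformed files (duplicate keys,
    odd line endings) do not abort the scan the way a strict INI parser would.
    """
    entries: Dict[str, str] = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if key in LAUNCH_KEYS:
            entries[key] = value.strip()
    return entries


def launched_target(value: str) -> str:
    """Extract the program path from a launch value, dropping any arguments."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split()[0] if value else ""


def assess_autorun(text: str) -> List[str]:
    """Return findings for an autorun.inf body; an empty list means nothing launches."""
    findings = []
    for key, value in parse_autorun(text).items():
        target = launched_target(value)
        suffix = Path(target).suffix.lower()
        # A missing extension is treated as executable: Windows resolves it via PATHEXT.
        if suffix in EXECUTABLE_SUFFIXES or not suffix:
            findings.append(f"{key} launches executable '{target}'")
    return findings


def scan_drive_roots(roots: Iterable[Path]) -> Dict[str, List[str]]:
    """Check each drive root for an autorun.inf and return findings per root."""
    results: Dict[str, List[str]] = {}
    for root in roots:
        inf = Path(root) / "autorun.inf"
        if inf.is_file():
            text = inf.read_text(encoding="utf-8", errors="ignore")
            results[str(root)] = assess_autorun(text)
    return results


def demo() -> Dict[str, List[str]]:
    """Build two constructed drive roots: one benign (icon only), one that launches a program."""
    with tempfile.TemporaryDirectory() as tmp:
        benign = Path(tmp) / "usb_benign"
        benign.mkdir()
        (benign / "autorun.inf").write_text("[autorun]\nicon=setup.ico\nlabel=Backup\n")
        bad = Path(tmp) / "usb_bad"
        bad.mkdir()
        # Constructed sample; 'sample_payload.exe' is a placeholder name.
        (bad / "autorun.inf").write_text(
            "[AutoRun]\r\nOPEN=sample_payload.exe\r\nshellexecute=sample_payload.exe\r\n"
            "shell\\open\\command=\"sample_payload.exe\" /s\r\n"
        )
        return scan_drive_roots([benign, bad])


if __name__ == "__main__":
    for root, findings in demo().items():
        print(root, findings or "clean")
```

On a real host the roots passed to scan_drive_roots would be the mounted removable volumes (for example the drive letters reported by the OS); disabling autorun via policy remains the primary control, and this scan is only a quick triage of media that may already have been exposed.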

Dragos experts say this is an efficient way to steal cryptocurrency from users wanting to transfer funds, which increases their confidence that the adversary is financially motivated. The Sality malware uses a kernel driver to avoid detection; it also starts a service that identifies processes associated with potential security products and kills them.

Dragos added: “Dragos only tested the DirectLogic-targeting malware. However, an initial dynamic analysis of a couple of other samples indicates they also contain malware. Several websites and multiple social media accounts exist all touting their password ‘crackers’.”


Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.