FrostyGoop: An invisible saboteur capable of paralyzing any plant or factory

Man

Professional
Messages
2,820
Reputation
5
Reaction score
441
Points
83
Industrial infrastructure is under attack by a new generation of cyber threats.

Researchers from the Unit42 team have discovered a new FrostyGoop malware targeting Industrial Equipment Control Systems (ICS) devices. The malware uses the Modbus TCP protocol to attack critical infrastructure, including facilities in Ukraine and Romania. Moreover, the malware is even capable of causing physical damage.

FrostyGoop was first spotted in October 2023. The malware exploits vulnerable Telnet ports of ENCO devices and outdated TP-Link WR740N routers, making systems particularly vulnerable to attacks. The main goal is to access devices and execute Modbus commands.

A special feature of FrostyGoop is the use of a unique JSON configuration and Goccy's go-json library, which makes it easier to analyze its work. The researchers also found an executable "go-encrypt.exe" that encrypts JSON files using AES-CFB. This may indicate that attackers are trying to hide sensitive data.

The malware actively uses Modbus TCP to communicate with devices via port 502. Malicious commands include reading and writing registers using function codes 3, 6, and 16, allowing attackers to control compromised devices.

Experts emphasize that such attacks reveal critical vulnerabilities in outdated infrastructure and emphasize the need to strengthen the protection of industrial systems. With the increasing integration of IT and OT networks, new attack vectors are emerging, making threats from malware like FrostyGoop even more significant.

Attacks on critical infrastructure in countries such as Ukraine, Romania and the United States confirm the urgency of the problem. Experts from Palo Alto Networks emphasize that the protection of legacy systems is a key element of security.

Source
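Added example, not part of the post above and not code from FrostyGoop or the researchers: the Modbus TCP exchange the post describes (MBAP header on port 502 carrying function codes 3, 6 and 16), built and parsed in Python, plus a small detector that flags register writes (FC 6 / FC 16) coming from any host that is not an allowlisted HMI. The IP addresses, unit id, register addresses and the allowlist are constructed for the example, as is the traffic fed to the detector.

```python
"""Modbus TCP frame builder/parser and a write-command detector.

Added illustration for the FrostyGoop write-up above; this is not code
from the malware or from the researchers. Hosts, register addresses and
the allowlist are constructed for the example.
"""
import struct

MODBUS_TCP_PORT = 502
FC_READ_HOLDING_REGISTERS = 3
FC_WRITE_SINGLE_REGISTER = 6
FC_WRITE_MULTIPLE_REGISTERS = 16
WRITE_FUNCTION_CODES = {FC_WRITE_SINGLE_REGISTER, FC_WRITE_MULTIPLE_REGISTERS}


def build_frame(transaction_id, unit_id, function_code, data):
    """Prefix a Modbus PDU (function code + data) with the 7-byte MBAP header.

    MBAP = transaction id (2), protocol id (2, always 0), length (2, number of
    bytes that follow the length field, i.e. unit id + PDU), unit id (1).
    """
    pdu = struct.pack(">B", function_code) + data
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def read_holding_registers(tid, unit, start, count):
    """FC 3 request: read `count` holding registers starting at `start`."""
    return build_frame(tid, unit, FC_READ_HOLDING_REGISTERS, struct.pack(">HH", start, count))


def write_single_register(tid, unit, address, value):
    """FC 6 request: write one 16-bit value into one holding register."""
    return build_frame(tid, unit, FC_WRITE_SINGLE_REGISTER, struct.pack(">HH", address, value))


def write_multiple_registers(tid, unit, start, values):
    """FC 16 request: write a run of 16-bit values starting at `start`."""
    data = struct.pack(">HHB", start, len(values), 2 * len(values))
    data += b"".join(struct.pack(">H", v) for v in values)
    return build_frame(tid, unit, FC_WRITE_MULTIPLE_REGISTERS, data)


def parse_frame(frame):
    """Decode the MBAP header and the request PDUs for FC 3, 6 and 16.

    Raises ValueError on anything that is not a well-formed Modbus TCP frame,
    so non-Modbus traffic that happens to hit port 502 is not mis-classified.
    """
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header + function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("MBAP protocol id must be 0 for Modbus")
    if length != len(frame) - 6:
        raise ValueError("MBAP length does not match frame size")
    fc, data = frame[7], frame[8:]
    info = {"tid": tid, "unit": unit, "fc": fc, "exception": bool(fc & 0x80)}
    if fc == FC_READ_HOLDING_REGISTERS and len(data) == 4:
        info["start"], info["count"] = struct.unpack(">HH", data)
    elif fc == FC_WRITE_SINGLE_REGISTER and len(data) == 4:
        info["address"], info["value"] = struct.unpack(">HH", data)
    elif fc == FC_WRITE_MULTIPLE_REGISTERS and len(data) >= 5:
        start, count, byte_count = struct.unpack(">HHB", data[:5])
        if byte_count != 2 * count or len(data) != 5 + byte_count:
            raise ValueError("FC 16 byte count inconsistent with register count")
        info["start"], info["count"] = start, count
        info["values"] = list(struct.unpack(">%dH" % count, data[5:]))
    return info


def detect_unauthorized_writes(packets, allowed_writers):
    """Flag Modbus register writes (FC 6 / FC 16) from hosts outside the allowlist.

    `packets` is an iterable of (src_ip, dst_ip, dst_port, payload). In practice
    these come from a network tap or a pcap; here they are constructed below.
    """
    alerts = []
    for src, dst, dport, payload in packets:
        if dport != MODBUS_TCP_PORT:
            continue
        try:
            info = parse_frame(payload)
        except ValueError:
            continue                      # not Modbus, or malformed: not a write
        if info["fc"] in WRITE_FUNCTION_CODES and src not in allowed_writers:
            alerts.append({"src": src, "dst": dst, "unit": info["unit"], "fc": info["fc"],
                           "target": info.get("address", info.get("start"))})
    return alerts


# Constructed traffic: a hypothetical HMI reads and writes a controller; an
# unexpected host (think of a foothold on a compromised router) also writes.
ALLOWED_WRITERS = {"10.10.0.5"}           # hypothetical HMI address
SAMPLE_PACKETS = [
    ("10.10.0.5", "10.10.0.20", 502, read_holding_registers(1, 1, 0, 10)),
    ("10.10.0.5", "10.10.0.20", 502, write_single_register(2, 1, 0x0010, 0x0001)),
    ("10.10.0.1", "10.10.0.20", 502, write_multiple_registers(3, 1, 0x0020, [0, 0, 0])),
    ("10.10.0.1", "10.10.0.20", 502, b"GET / HTTP/1.0\r\n\r\n"),   # not Modbus, ignored
]

if __name__ == "__main__":
    for alert in detect_unauthorized_writes(SAMPLE_PACKETS, ALLOWED_WRITERS):
        print("ALERT: Modbus write FC %(fc)d from %(src)s to %(dst)s "
              "unit %(unit)d target %(target)#06x" % alert)
```

Modbus has no authentication, so any host that can reach port 502 can issue FC 6 or FC 16 and change a setpoint; the only practical controls are network segmentation plus monitoring of which sources send write function codes. The detector above is the minimal form of that monitoring: the allowlist should be the engineering workstations and HMIs that are supposed to write, and everything else issuing a write is an alert.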