
Unveiling a New OT/IoT Cyberweapon: IOCONTROL (揭秘新型OT_IoT网络武器——IOCONTROL.pdf)

Uploaded by: 可***  ID: 991842  2025-12-07  73 pages  2.86 MB

Inside a New OT/IoT Cyberweapon: IOCONTROL
Noam Moshe, Claroty Team82

$whoami
Noam Moshe: vulnerability researcher and Claroty Team82 team lead, mostly breaking IoT clouds. Master of Pwn, Pwn2Own ICS.

Previously on "Iran's OT Cyber Warfare"
- Nov 2023: an APT (CyberAv3ngers) targets Unitronics PLCs, used in water facilities worldwide. Fear and panic.
- So we bought a device (DB9 and RJ11 serial interfaces).

Digital forensics: key indicators recoverable from the PLC
1. PLC name, model & I/O
2. Date and time on the PC during download
3. PC username, file title & file download path
4. Software version during file creation & modification
5. Connection type to the PLC, IP address & port (shown on the slides as XXX.XXX.XXX.XXX)
6. PC operating system & language

Findings
- At least 3 separate naming conventions
- Exact dates and times of compromise identified, to reference back to log data
- At least 3 separate usernames & file paths
- All compromised programs used old versions of Visilogic
- All PCs running Windows 7 or later, in English

Next on "Iran's OT Cyber Warfare": 14 October 2023
- Infecting gas stations? SiteOmat360 station automation software
- Hardcoded credentials for both the HTTP server and SSH!

IOCONTROL: OT/IoT malware
Affected vendors: Baicells, D-Link, Hikvision, Red Lion, Orpak, Phoenix Contact, Teltonika, Unitronics.

Obtaining a sample
- Found the sample on VirusTotal (VT), with zero detections
- ARM 32-bit big-endian, packed

IOCONTROL unpacking
- Emulation with Unicorn: hooked all syscalls, safe execution
- Found out to be a modified UPX
- Patched UPX: the "UPX!" magic swapped for "ABC!", plus CRC checks

IOCONTROL features
- Victim GUID identifier
- Encrypted modular configuration
- Persistence
- DNS over HTTPS
- MQTT C2 communication
- Commands

Victim GUID identifier
- A specific GUID identifies each victim
- Used as the seed for encryption
- Easy to binary-patch per victim instead of recompiling
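The two binary-level steps above (restoring the renamed UPX magic so a stock UPX can unpack the sample, and swapping the embedded victim GUID in place rather than recompiling) as an added example. This is illustration code, not Claroty Team82's tooling, and the sample blob is constructed. "ABC!" is the renamed magic named on the slides; the layout assumptions (where the magic sits, that the GUID is stored as a 36-byte canonical ASCII string) are mine for the demo.

```python
"""Binary-patching helpers for the IOCONTROL unpacking / GUID-patching steps.

Added illustration, not Claroty Team82's tooling. The packed sample is a
constructed stand-in; "ABC!" is the renamed magic from the slides, the rest of
the layout is assumed for the demo.
"""
import re

UPX_MAGIC = b"UPX!"
CUSTOM_MAGIC = b"ABC!"   # renamed magic named on the slides

# canonical 8-4-4-4-12 GUID, lowercase hex (assumed storage format)
GUID_RE = re.compile(rb"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}")


def restore_upx_magic(blob: bytes, custom: bytes = CUSTOM_MAGIC) -> tuple[bytes, int]:
    """Swap every occurrence of the renamed magic back to "UPX!".

    Stock UPX stamps its magic in more than one header (the loader info near
    the front and the pack header at the end), so the hit count is returned
    for the analyst to sanity-check. Same-length replacement keeps every file
    offset intact.
    """
    if len(custom) != len(UPX_MAGIC):
        raise ValueError("replacement magic must be 4 bytes to preserve offsets")
    hits = blob.count(custom)
    if hits == 0:
        raise ValueError("renamed magic not found; packer may not be this modified UPX")
    return blob.replace(custom, UPX_MAGIC), hits


def patch_victim_guid(blob: bytes, new_guid: str) -> tuple[bytes, str]:
    """Overwrite the single embedded victim GUID with a new one of equal length.

    The slides note the GUID seeds the sample's encryption and that operators
    binary-patch it per victim instead of rebuilding. Run against the unpacked
    image, this reproduces that step; the returned old GUID is the victim
    identifier worth recording as an indicator.
    """
    new = new_guid.lower().encode("ascii")
    if not GUID_RE.fullmatch(new):
        raise ValueError("new GUID must be canonical 8-4-4-4-12 form")
    found = GUID_RE.findall(blob)
    if len(found) != 1:
        raise ValueError(f"expected exactly one GUID, found {len(found)}")
    old = found[0]
    return blob.replace(old, new), old.decode("ascii")


def build_synthetic_sample(guid: str) -> bytes:
    """Constructed stand-in for the packed sample: a 32-bit big-endian ELF ident,
    the renamed magic in the two places UPX would carry it, and a GUID string.
    (In the real sample the GUID sits inside the packed payload and is patched
    after unpacking; here it is in the clear to keep the demo self-contained.)"""
    elf_ident = b"\x7fELF\x01\x02\x01" + b"\x00" * 9   # EI_CLASS=32-bit, EI_DATA=big-endian
    l_info = CUSTOM_MAGIC + b"\x00" * 12                # loader-info header slot
    payload = b"\x00" * 32 + guid.encode("ascii") + b"\x00" * 17
    pack_header = CUSTOM_MAGIC + b"\x00" * 28           # trailing pack-header slot
    return elf_ident + l_info + payload + pack_header


if __name__ == "__main__":
    sample = build_synthetic_sample("0f8fad5b-d9cb-469f-a165-70867728950e")
    unpackable, n = restore_upx_magic(sample)
    print(f"restored {n} magic sites")
    repatched, victim = patch_victim_guid(unpackable, "11111111-2222-3333-4444-555555555555")
    print(f"victim GUID was {victim}; length unchanged: {len(repatched) == len(sample)}")
```

The slides also mention CRC checks in the patched UPX. If the author altered UPX's header checksums as well as the magic, restoring the magic alone will not make a stock `upx -d` accept the file; the pack header has to be recomputed, or the sample unpacked with a correspondingly patched UPX build as the presenter did.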

Summary of the report's content:
- The IOCONTROL malware: malware targeting industrial control systems (OT) and IoT devices, affecting products from multiple vendors.
- Attack characteristics:
  - From the Unitronics PLC forensics: all compromised projects were written with old versions of Visilogic, and the attackers used at least three different naming conventions and usernames.
  - C2 traffic uses DNS over HTTPS (via Cloudflare's DNS service) and MQTT.
  - Persistence via system startup scripts and an init.d service.
- Malicious capabilities: executing system commands, port scanning, self-deletion, among others.
- C2 server: MQTT protocol, IP address 159.100.6.69, domain tylarion867mino.com.
- Malicious domain: ocferda.com; old DNS records point to the same C2 server.
- Malware emulation: run under QEMU in a chroot, with fake "Cloudflare" and "C2" servers stood up.
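A flow-level hunt for the C2 pattern summarised above (a device resolving names over DNS-over-HTTPS through Cloudflare and then opening an MQTT session), as an added example that is not part of the report or Claroty's detection content. The flow records are constructed; the C2 IP and the two domains are the ones the summary lists. Assumed: "Cloudflare's DNS service" means the public DoH endpoint (1.1.1.1 / 1.0.0.1 on 443, SNI cloudflare-dns.com), the C2 listens on the standard MQTT ports 1883/8883, and the plant uses RFC 1918 addressing internally.

```python
"""Hunt constructed flow records for the IOCONTROL DoH-then-MQTT C2 pattern.

Added illustration, not Claroty's detection logic. Indicators come from the
page summary; resolver addresses, ports and the time window are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import ipaddress

KNOWN_C2_IPS = {"159.100.6.69"}                          # from the report summary
KNOWN_C2_DOMAINS = {"tylarion867mino.com", "ocferda.com"}
DOH_RESOLVER_IPS = {"1.1.1.1", "1.0.0.1"}                # assumed: Cloudflare public DoH
DOH_SNI = {"cloudflare-dns.com"}
MQTT_PORTS = {1883, 8883}                                # assumed: standard MQTT / MQTT-over-TLS
WINDOW = timedelta(seconds=60)                           # DoH answer should be used promptly
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Flow:
    ts: datetime
    src: str
    dst: str
    dport: int
    sni: str = ""   # TLS SNI when the sensor exports it


def is_internal(ip: str) -> bool:
    """RFC 1918 check; explicit rather than ipaddress.is_private so that
    documentation ranges used in the sample data count as external."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)


def is_doh(f: Flow) -> bool:
    return f.dport == 443 and (f.dst in DOH_RESOLVER_IPS or f.sni in DOH_SNI)


def hunt(flows):
    """Return (src, reason, target) alerts.

    Two rules: any contact with a known IOCONTROL indicator, and the behavioural
    chain of a DoH lookup followed within WINDOW by MQTT to a non-internal host,
    evaluated per source device in time order.
    """
    alerts = []
    by_src = {}
    for f in sorted(flows, key=lambda x: x.ts):
        by_src.setdefault(f.src, []).append(f)
    for src, seq in by_src.items():
        last_doh = None
        for f in seq:
            if f.dst in KNOWN_C2_IPS or f.sni in KNOWN_C2_DOMAINS:
                alerts.append((src, "known-c2", f"{f.dst}:{f.dport}"))
                continue
            if is_doh(f):
                last_doh = f.ts
            elif (f.dport in MQTT_PORTS and not is_internal(f.dst)
                    and last_doh is not None and f.ts - last_doh <= WINDOW):
                alerts.append((src, "doh-then-mqtt", f"{f.dst}:{f.dport}"))
    return alerts


# Constructed sample: one infected embedded device, one workstation, one in-plant broker client.
T0 = datetime(2024, 1, 15, 8, 0, 0)
SAMPLE_FLOWS = [
    Flow(T0, "10.10.5.21", "1.1.1.1", 443, "cloudflare-dns.com"),             # DoH lookup
    Flow(T0 + timedelta(seconds=9), "10.10.5.21", "203.0.113.7", 8883),        # MQTT to the answer
    Flow(T0 + timedelta(minutes=30), "10.10.5.21", "159.100.6.69", 8883),      # known C2 IP
    Flow(T0 + timedelta(seconds=20), "10.10.5.50", "1.1.1.1", 443, "cloudflare-dns.com"),
    Flow(T0 + timedelta(seconds=25), "10.10.5.50", "198.51.100.9", 443, "example.org"),  # browsing
    Flow(T0 + timedelta(seconds=40), "10.10.5.60", "10.10.5.2", 1883),         # internal broker
]

if __name__ == "__main__":
    for src, reason, target in hunt(SAMPLE_FLOWS):
        print(f"{src}: {reason} -> {target}")
```

The window and port set are the tunable parts. In an OT segment, an embedded device (router, camera, PLC, fuel-station controller) doing DoH at all is itself worth an alert, and the known-indicator list is a point-in-time artefact: the summary's own note that old records for ocferda.com pointed at the same C2 shows how infrastructure is reused and rotated.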