Summary:
In July 2024, the FrostyGoop/BUSTLEBERM malware was publicly identified after causing significant disruptions to critical infrastructure in Ukraine. This OT-centric malware utilizes Modbus TCP communications to manipulate industrial control systems, affecting heating services for over 600 apartment buildings. The report highlights the malware’s capabilities, its operational methods, and the increasing threat posed by OT malware globally.
Keypoints:
FrostyGoop is the ninth reported OT-centric malware and the first to use Modbus TCP for attacks.
The malware disrupted heating services in Ukraine during sub-zero temperatures, affecting over 600 buildings.
Attackers may have exploited a vulnerability in a MikroTik router to deliver the malware.
FrostyGoop can operate both within a compromised network and externally if devices are internet-accessible.
New samples of FrostyGoop and related indicators were uncovered, including configuration files and libraries.
The malware is compiled in Go and uses a specific Modbus implementation that lacks JSON argument support.
FrostyGoop employs techniques to evade detection, such as checking for debugger presence in Windows.
Analysis of network traffic revealed the malware’s interaction with Modbus devices and its operational parameters.
Cybersecurity measures are essential to protect against increasing OT malware threats.
MITRE Techniques
Command and Control (T1071): Utilizes multiple command and control domains to maintain communication with compromised systems.
Initial Access (T1071): Exploits vulnerabilities in network devices to gain access to target systems.
Execution (T1203): Executes malicious payloads on compromised systems using various methods.
Persistence (T1547): Establishes persistence mechanisms to maintain access to compromised systems.
Impact (T1499): Disrupts services and operations of critical infrastructure through targeted attacks.
IoC:
[File Name] go-encrypt.exe
[File Name] task_test.json
[SHA256 Hash] 5d2e4fd08f81e3b2eb2f3eaae16eb32ae02e760afc36fa17f4649322f6da53fb
[SHA256 Hash] a63ba88ad869085f1625729708ba65e87f5b37d7be9153b3db1a1b0e3fed309c
[SHA256 Hash] 2fd9cb69ef30c0d00a61851b2d96350a9be68c7f1f25a31f896082cfbf39559a
[SHA256 Hash] c64b67c116044708e282d0d1a8caea2360270a7fc679befa5e28d1ca15f6714c
[SHA256 Hash] 91062ed8cc5d92a3235936fb93c1e9181b901ce6fb9d4100cc01167cdc08745f
[SHA256 Hash] a25f91b6133cb4eb3ecb3e0598bbab16b80baa40059e623e387a6b1082d6f575
[SHA256 Hash] 9cf30d82a86a9485f7bbd0786a5de207cf4902691a3efcfc966248cb1e87d5b7
[SHA256 Hash] 06919e6651820eb7f783cea8f5bc78184f3d437bc9c6cde9bfbe1e38e5c73160
Full Research: https://unit42.paloaltonetworks.com/frostygoop-malware-analysis/