“Sality”: The Malware Distributed to Industrial Systems via Password Recovery Tools

Dragos security researchers identified a campaign that distributes malware to industrial control systems (ICS) through password recovery tools developed for programmable logic controllers (PLC). These password recovery tools, advertised on various social media platforms, promise to recover passwords of systems used in industrial control environments such as Automation Direct, Omron, Siemens, Fuji Electric, Mitsubishi, LG, Vigor, Pro-Face, Allen Bradley, Weintek, PLC, ABB, Panasonic, and HMI.

The password recovery tools use known security vulnerabilities in the devices to reveal system passwords. However, in the background they also inject a trojan called Sality into the vulnerable systems. Sality has advanced capabilities such as terminating processes on the infected system, connecting to remote servers, downloading additional payloads, and exfiltrating data from the host.

Also, because the Sality trojan can communicate over a peer-to-peer (P2P) network, infected systems can become part of a botnet controlled by threat actors. The Sality sample analyzed by Dragos researchers was observed carrying out activity focused on cryptocurrency hijacking (cryptojacking) on the infected systems.

In this context, it is important to apply the following security measures in order not to become the target of similar malware campaigns aimed at critical/sensitive systems: