Which Malware Are Specifically Designed to Target ICS Systems?

By Pierluigi Paganini, June 20, 2017

Introduction – ICS malware, a rarity in the threat landscape

At the end of May, security experts discovered a seven-year-old remote code execution vulnerability affecting all versions of the Samba software since 3.5.0. The flaw was promptly fixed by the maintainers of the project. The vulnerability, tracked as CVE-2017-7494, can be exploited by an attacker to upload a shared library to a writable share and then cause the server to load and execute it.

After the discovery of the Stuxnet malware, the cyber-security industry started looking at ICS malware with increasing interest. This specific family of malware targets industrial control systems, can cause serious damage and can put human lives in danger.


Ben Miller, Director of the Dragos Threat Operations Center, conducted interesting research, named MIMICS, based entirely on public datasets related to incidents involving ICS over the last 13+ years.

"In this project the Dragos, Inc. team looked at public data sources such as VirusTotal to identify malware and (in many cases) legitimate ICS files being uploaded to encourage a more nuanced discussion around security in the modern ICS," explains Dragos CEO Robert M. Lee.

Miller discovered ~30k samples of infected ICS files and installers dating back to 2003. The most dangerous threats are fast-spreading malware families such as Sivis, Ramnit, and Virut.

Despite the large number of infections reported for ICS systems, he found only three publicly showcased pieces of ICS-tailored malware: Stuxnet, Havex, and BlackEnergy2. There have been rumors of another couple of ICS-tailored malware families used in active campaigns, some of them studied by researchers at IronGate.

Stuxnet

In 2008, US President George Bush launched an experimental cyber-attack program; the US, in a joint effort with Israeli cyber units, developed the Stuxnet malware to compromise control systems at the Iranian Natanz enrichment facility.

In 2011, The New York Times published a detailed article on an Israeli test of a worm specifically designed to interfere with and delay the Iranian nuclear program.

The Israeli experts built a replica of the Natanz facility at their Negev Nuclear Research Center in Dimona, the same plant referred to in 1986 by The Sunday Times as a strategic plant for Israeli intelligence.

Figure 1 - Israel tests

The researchers tested Stuxnet in that plant before using it against the target in Iran. The NY Times article reported intense collaboration between researchers from the Idaho National Laboratory at Idaho Falls and experts from Siemens.

Inside the Idaho National Laboratory, US experts tested Siemens PLC systems to discover security vulnerabilities to be exploited in the Stuxnet attack. Siemens only confirmed that its support was a routine effort to improve the resilience of its products against cyber-attacks.

"Over the past two years, according to intelligence and military experts familiar with its operations, Dimona has taken on a new, equally secret role — as a critical testing ground in a joint American and Israeli effort to undermine Iran's efforts to make a bomb of its own," reported The New York Times.

Image copyright Idaho National Laboratory and Siemens

"Behind Dimona's barbed wire, the experts say, Israel has spun nuclear centrifuges virtually identical to Iran's at Natanz, where Iranian scientists are struggling to enrich uranium. They say Dimona tested the effectiveness of the Stuxnet computer worm, a destructive program that appears to have wiped out roughly a fifth of Iran's nuclear centrifuges and helped delay, though not destroy, Tehran's ability to make its first nuclear arms."

Stuxnet targeted a grid of 984 converters, the same industrial equipment that international inspectors found out of order when they visited the Natanz enrichment facility in late 2009.

"The cyber-attacks against the Cascade Protection System infects Siemens S7-417 controllers with a matching configuration. The S7-417 is a top-of-the-line industrial controller for big automation tasks. In Natanz, it is used to control the valves and pressure sensors of up to six cascades (or 984 centrifuges) that share common feed, product, and tails stations," states "Technical Analysis of What Stuxnet's Creators Tried to Achieve," written by the expert Ralph Langner.

Stuxnet was a very sophisticated piece of malware; its authors implemented many features to evade detection. For example, its code was digitally signed, and the malware used a man-in-the-middle attack to fool the operators into thinking everything was normal.

"But as Mr. Langner kept peeling back the layers, he found more — what he calls the "dual warhead." One part of the program is designed to lie dormant for long periods, then speed up the machines so that the spinning rotors in the centrifuges wobble and then destroy themselves. Another part called a "man in the middle" in the computer world, sends out those false sensor signals to make the system believe everything is running smoothly. That prevents a safety system from kicking in, which would shut down the plant before it could self-destruct," wrote The New York Times.

According to the analysis conducted by Symantec, the first Stuxnet prototype was developed in 2005 and was designed to manipulate gas valves in a nuclear facility and cause an explosion; for this reason, Stuxnet is considered the first cyber weapon in history able to cause physical destruction of critical infrastructure.

The first Stuxnet version detected by Symantec carried the version number '0.5' in its code; analysis of the registration dates of the domains used in the attack revealed that Stuxnet 0.5 might have been in use as early as 2005. Another interesting detail about this version of Stuxnet is that it stopped infecting computers on July 4th, 2009, a few days before version 1.001 was created.

Malware researchers considered Stuxnet 0.5 less aggressive than the Stuxnet 1.x versions: it spread only through infected Step 7 projects and, unlike versions 1.x, it did not exploit any Microsoft vulnerabilities.

The following table reports the evolution of the Stuxnet replication method.

Figure 2 - Evolution of the Stuxnet replication (Symantec Report)

Below is the timeline associated with Stuxnet:

Figure 3 - Stuxnet Timeline (Symantec Report)

The use of a cyber weapon against such targets presents a number of advantages, from the difficulty of attribution to the secrecy of the operations.

"Code analysis makes it clear that Stuxnet is not about sending a message or proving a concept," Mr. Langner later wrote. "It is about destroying its targets with utmost determination in military style."

Years have passed, but the Stuxnet attack is more relevant than ever. Since the systems at the Natanz plant were infected by Stuxnet, everything has changed!

Havex

In June 2015, malware researchers at F-Secure discovered a cyber espionage campaign based on the Havex malware that targeted ICS/SCADA systems and vendors.

The Havex malware had been used in several targeted attacks in the previous months; threat actors used it against different industry sectors.

Havex is a general-purpose Remote Access Trojan (RAT) that uses a server written in PHP.

"This adversary uses two primary implants: one dubbed HAVEX RAT by CrowdStrike and another called SYSMain RAT. These implants are closely related with several TTP overlaps and clear code reuse, particularly within secondary tools associated with the HAVEX RAT. It is possible that the HAVEX RAT is itself a newer version of the SYSMain RAT, although both tools are still in use concurrently and have been operated by the attackers since at least 2011. The investigation into this actor uncovered more than 25 versions of the HAVEX RAT, with build times up to October 2013. Each version will install itself as DLL with a name beginning "TMPprovider," such as TMPprovider037.dll for version 37," reported the company blog post.

Experts at F-Secure were the first to observe the use of the Havex malware in attacks against Industrial Control Systems (ICS): the criminals customized the malicious code to infect software available for download from ICS/SCADA manufacturers' websites, in an attempt to compromise the machines where that software is installed.

The attackers conducted surgical watering-hole attacks by compromising ICS vendor websites. The SCADA vendors targeted by the Havex campaign are based in Germany, Switzerland, and Belgium; two of them supply remote management software for ICS systems, and the third develops high-precision industrial cameras and related software.

"Our research uncovered three software vendor sites that were compromised in this manner. The software installers available on the sites were trojanized to include the Havex RAT. We suspect more similar cases exist but have not been identified yet," states F-Secure.

The Havex RAT is distributed at least through the following channels:

F-Secure also detected samples of the Havex malware that included a data-harvesting component, which suggests that the actors behind the campaign were also interested in collecting information on the ICS/SCADA systems in the targeted infrastructure.

The security experts detected 88 different variants of the Havex RAT used to infect networks hosting ICS systems; F-Secure tracked 146 command and control (C&C) servers and nearly 1500 IP addresses. Most of the victims are located in Europe and include educational institutions, industrial application or machine producers, and companies specializing in structural engineering.

Once the targeted system is infected, the trojanized software installer drops and executes the malicious code, which allows the attacker to install a backdoor and gain complete control of the PC.

Experts at F-Secure uncovered an industrial espionage campaign based on trojanized ICS/SCADA software installers; the attackers used the HAVEX malware to target control systems in critical infrastructure. The experts noticed that the threat actors behind the attacks did not manage their C&C infrastructure professionally, revealing a lack of operational experience.

"The additional payload used to gather details about ICS/SCADA hardware connected to infected devices shows the attackers have a direct interest in controlling such environments. This is a pattern that is not commonly observed today."

Probably many other similar attacks will soon be uncovered; critical infrastructure is a privileged target for cyber criminals and state-sponsored hackers, and it is time to consider a new approach to its cyber security.

A few weeks after security experts at F-Secure and Symantec announced a surge of malicious campaigns based on the "Havex" malware against critical infrastructure, researchers at FireEye detected a new variant of the Havex RAT that implements a function to scan for OPC (Object Linking and Embedding for Process Control) systems.

The latest Havex variant could collect system information and data directly from targeted machines through the OPC standard. In industrial scenarios, ICS or SCADA systems include an OPC client component that exchanges data with an OPC server, which in turn communicates with a PLC (Programmable Logic Controller) to control industrial hardware.

"The OPC is a software interface standard that allows Windows programs to communicate with industrial hardware devices," states the OPC DataHub.

The bad actors behind the new Havex campaign implemented an OPC scan feature to gather data stored on the machines in the targeted networks and details about the connected devices. The collected information is then sent back to the command-and-control server.

Figure 4 - Havex RAT variant that implements a function to scan for OPC (Object Linking and Embedding for Process Control) systems.

The malware actively searches for servers ordinarily used to control SCADA (Supervisory Control and Data Acquisition) systems in critical infrastructure.

"Threat actors have leveraged Havex in attacks across the energy sector for over a year, but the full extent of industries and ICS systems affected by Havex is unknown. We decided to examine the OPC scanning component of Havex more closely, to better understand what happens when it is executed and the possible implications," says a blog post by Kyle Wilhoit, threat intelligence researcher at FireEye.

Researchers at FireEye prepared a test lab to analyze the Havex malware while it targeted a typical OPC server; they noticed that, once the targeted network was infected, the RAT downloader invoked the runDll export function and then started scanning for OPC servers.

"The scanning process starts when the Havex downloader calls the runDll export function. The OPC scanner module identifies potential OPC servers by using the Windows Networking (WNet) functions. Through recursive calls to WNetOpenEnum and WNetEnumResources, the scanner builds a list of all servers that are globally accessible through Windows networking. The list of servers is then checked to determine if any of them host an interface to the Component Object Models (COM) listed below: This is the first "in the wild" sample using OPC scanning. It is possible that these attackers could have used this malware as a testing ground for future utilization, however," added the FireEye expert in the post.

The features implemented in this variant of the Havex trojan make it a privileged tool for intelligence gathering; the variant analyzed by FireEye did not include a component for the sabotage of ICS.

BlackEnergy

On December 23, 2015, the Ivano-Frankivsk region in Ukraine suffered a major power outage; according to cyber security experts and the Ukrainian Government, the attackers used a destructive variant of the popular BlackEnergy malware.

BlackEnergy is a popular DDoS Trojan; it made the headlines in 2008 when it was reported to have been used during the Russia-Georgia conflict. The malicious code was used to launch cyber-attacks against Georgia's infrastructure; it was authored by a Russian hacker and originally also used for bank fraud and spam distribution.

Other variants were used in targeted attacks on government entities and private companies across a range of industries.

Researchers noticed that the same states hit by the BlackEnergy malware had already been targeted by another cyber espionage campaign, tracked by F-Secure as CosmicDuke, which was associated with Russian nation-state hackers.

The BlackEnergy variant that targeted ICS systems in Ukraine includes a new component dubbed KillDisk, which is tasked with destroying some 4000 different file types and rendering machines unbootable.

The KillDisk component used to compromise the energy companies in Ukraine was slightly different from other versions seen in the wild.

It accepts a command-line argument that sets a specific time delay after which the destructive payload activates.

The malware also deletes the Windows event logs (Application, Security, Setup, System) and is less focused on deleting documents: only 35 file extensions are targeted.

The strain of malware detected by ESET in 2015 also uses a previously unknown SSH backdoor to access the infected systems, in addition to the BlackEnergy backdoor.

"ESET has recently discovered that the BlackEnergy Trojan was recently used as a backdoor to deliver a destructive KillDisk component in attacks against Ukrainian news media companies and against the electrical power industry," states the blog post published by ESET.

The experts at ESET highlighted the presence of build ID numbers in the BlackEnergy code; this data could provide information useful for the attribution of the malicious code. In this specific case, the build identity numbers suggest the possible involvement of Russian hackers, but ESET avoided confirming it.

"Apart from a list of C&C servers, the BlackEnergy config contains a value called build_id. This value is a unique text string used to identify individual infections or infection attempts by the BlackEnergy malware operators. The combinations of letters and numbers used can sometimes reveal information about the campaign and targets," states the post. "We can speculate that some of them have a special meaning. For example, 2015telsmi could contain the Russian acronym SMI – Sredstva Massovoj Informacii, 2015en could mean Energy, and there's also the obvious "Kiev.""

According to the Ukrainian media outlet TSN, the power outage was caused by destructive malware that disconnected electrical substations. Experts speculate that the hackers ran a spear-phishing campaign against the Ukrainian power authorities to spread the BlackEnergy malware via Microsoft Office documents.

Further investigation revealed that the attackers took advantage of BlackEnergy's capabilities: an article published by SANS explains that this allowed the attackers to gain a foothold on power-company systems, where they were able to open circuit breakers, which cut the power.

The unknown attackers used a wiper utility called KillDisk and launched a denial-of-service attack on phone lines to stop company personnel from receiving customer reports of outages.

Below are the cyber-attack milestones reported by SANS:

  • The adversary initiated an intrusion into production SCADA systems
  • Infected workstations and servers
  • Acted to "blind" the dispatchers
  • Acted to damage the SCADA system hosts (servers and workstations)
  • Action would have delayed restoration and introduced risk, especially if the SCADA system was essential to coordinate actions
  • Action can also make forensics more difficult
  • Flooded the call centers to deny customers calling to report power outages

It is important to note that there is no evidence that KillDisk was the sole cause of the power outage affecting 80,000 customers.

"There have been two prominent theories in the community and speculation to the media that either the 'KillDisk' component was just inside the network and unrelated to the power outage (a reliability issue where malware just happened to be there) or that the 'KillDisk' component was directly responsible for the outage. It is our assessment that neither of these is correct. Malware likely enabled the attack, there was an intentional attack, but the 'KillDisk' component itself did not cause the outage."…" The malware campaign reported, tied to BlackEnergy and the Sandworm team by others, has solid links to this incident, but it cannot be assumed that files such as the Excel spreadsheet and other malware samples recovered from other portions of that campaign were at all involved in this incident. It is possible but far too early in the technical analysis to state that. "

The SANS report leaves almost no room for doubt: BlackEnergy was indeed the key ingredient of this attack:

"We assess currently that the malware allowed the attackers to gain a foothold at the targeted utilities, open up command and control, and facilitate the planning of an attack by providing access to the network and necessary information. The malware also appears to have been used to wipe files in an attempt to deny the use of the SCADA system for the purposes of restoration to amplify the effects of the attack and possibly to delay restoration."

In February 2016, malware experts at Trend Micro discovered strains of the BlackEnergy malware involved in targeted attacks against Ukrainian mining and railway systems.

In the same period, experts at ESET provided details of the new campaign based on the BlackEnergy Trojan that targeted Ukrainian news media and the electric industry in 2015.

Industroyer

A few days ago, malware researchers at antivirus firm ESET discovered a new strain of malware, dubbed Industroyer, that appears to have been designed to target power grids.

The experts published a detailed analysis of the malware; they speculate that the malicious code was involved in the December 2016 attack on an electrical substation in Ukraine.

"Win32/Industroyer is a sophisticated piece of malware designed to disrupt the working processes of industrial control systems (ICS), specifically industrial control systems used in electrical substations. Those behind the Win32/Industroyer malware have a deep knowledge and understanding of industrial control systems and, specifically, the industrial protocols used in electric power systems," states the report published by ESET.

The experts shared some data with ICS security firm Dragos, which tracks the malware as CRASHOVERRIDE and the threat actor responsible for the campaign as ELECTRUM.

Industroyer is the fourth malware family specifically designed to target ICS systems; the previous ones are Stuxnet, BlackEnergy, and Havex.

Industroyer is a sophisticated modular malware that includes several components: a backdoor, a launcher, a data wiper, at least four payloads, and many other tools. The experts focused their analysis on the payloads (IEC 60870-5-101 (aka IEC 101), IEC 60870-5-104 (aka IEC 104), IEC 61850, and OLE for Process Control Data Access (OPC DA)), the core components of the malware that allow the attackers to control electric circuit breakers.

The Industroyer backdoor allows attackers to execute various commands on the targeted system; the C&C server is hidden in the Tor network, and the backdoor can be programmed to be active only at specified times, making its detection harder.

The backdoor installs the launcher component, which initiates the wiper and the payloads; it also drops a second backdoor disguised as a trojanized version of the Windows Notepad application.

The wiper component is used in the final stage of the attack to hide tracks and make it difficult to restore the targeted systems.

The payloads allow the malware to control circuit breakers by implementing industrial communication protocols. Researchers at ESET believe the malware's developers have a deep knowledge of power grid operations and industrial network communications.

Figure 5 - Industroyer Architecture

"In addition to all that, the malware authors also wrote a tool that implements a denial-of-service (DoS) attack against a particular family of protection relays, specifically the Siemens SIPROTEC range," continues ESET. "The capabilities of this malware are significant. When compared to the toolset used by threat actors in the 2015 attacks against the Ukrainian power grid which culminated in a blackout on December 23, 2015 (BlackEnergy, KillDisk, and other components, including legitimate remote access software) the gang behind Industroyer are more advanced, since they went to great lengths to create malware capable of directly controlling switches and circuit breakers."

Both ESET and Dragos collected evidence suggesting that Industroyer/CRASHOVERRIDE was involved in the 2016 power outage in the Kiev region, which was attributed to Russian state-sponsored hackers.

Researchers at Dragos believe the ELECTRUM APT group is directly linked to the Sandworm APT group; ESET highlighted that, while there are no code similarities between the malware used in the 2015 and 2016 attacks in Ukraine, some components are similar in concept.

"The CRASHOVERRIDE malware impacted a single transmission level substation in Ukraine on December 17th, 2016. Many elements of the attack appear to have been more of a proof of concept than what was fully capable in the malware. The most important thing to understand though from the evolution of tradecraft is the codification and scalability in the malware towards what has been learned through past attacks," states the report published by Dragos.

Researchers at Dragos published a description of theoretical attacks in which the Industroyer malware is used to open closed breakers in an infinite loop, causing the substation to de-energize.

"The command then begins an infinite loop and continues to set addresses to this value effectively opening closed breakers. If a system operator tries to issue a close command on their HMI the sequence loop will continue to re-open the breaker. This loop maintaining open breakers will effectively de-energize the substation line(s) preventing system operators from managing the breakers and re-energize the line(s)." states the Dragos report.

The operators of the targeted facility cannot close the breakers from the HMI; to restore the situation, they need to interrupt communications with the substation and fix the problem manually.

In another possible attack scenario, hackers initiate an infinite loop in which breakers continually open and close, which can trigger protections and cause the substation to shut down.
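The breaker loop described by Dragos has a recognisable footprint on the wire: a legitimate operator issues one IEC 104 single command to open a breaker and, at most, one to close it, while a scripted loop re-issues the OFF command to the same information object address many times per minute. The following added example, which is not code from ESET, Dragos or the article, parses IEC 60870-5-104 I-format frames (APCI header plus a C_SC_NA_1 single-command ASDU, type identification 45) and flags any object address that receives repeated execute/OFF commands inside a short window. The sample capture, the addresses 1001 and 2002, the window and the threshold are constructed for the illustration; the parser covers only the single-command ASDU type used here.

```python
"""Detect a repeated breaker-open command loop in IEC 60870-5-104 traffic.

Added illustration, not the malware authors' or the researchers' code. The
frames below are constructed; only the single-command ASDU (type 45) is parsed.
"""
import struct

C_SC_NA_1 = 45          # ASDU type identification: single command
COT_ACTIVATION = 6      # cause of transmission: activation (a control request)


def parse_apdu(frame: bytes):
    """Return a dict for an I-format APDU, or None for S-/U-format frames (no ASDU)."""
    if len(frame) < 6 or frame[0] != 0x68:
        raise ValueError("not an IEC 104 APDU (missing 0x68 start byte)")
    if frame[1] != len(frame) - 2:
        raise ValueError("APCI length field does not match frame size")
    ctrl = frame[2:6]
    if ctrl[0] & 0x01:                       # bit 0 set: S-format or U-format
        return None
    send_seq = struct.unpack("<H", ctrl[0:2])[0] >> 1
    recv_seq = struct.unpack("<H", ctrl[2:4])[0] >> 1
    asdu = frame[6:]
    if len(asdu) < 6:
        raise ValueError("truncated ASDU header")
    type_id = asdu[0]
    count = asdu[1] & 0x7F                   # VSQ: number of information objects
    cot = asdu[2] & 0x3F                     # low 6 bits; bit 6 = P/N, bit 7 = test
    common_addr = struct.unpack("<H", asdu[4:6])[0]
    objects = []
    if type_id == C_SC_NA_1:
        body = asdu[6:]
        if len(body) < 4 * count:
            raise ValueError("truncated information objects")
        for i in range(count):
            ioa = int.from_bytes(body[4 * i:4 * i + 3], "little")   # 3-byte object address
            sco = body[4 * i + 3]                                    # single command object
            objects.append({
                "ioa": ioa,
                "scs": sco & 0x01,             # 0 = OFF (open breaker), 1 = ON (close)
                "select": (sco >> 7) & 0x01,   # 1 = select, 0 = execute
            })
    return {"send_seq": send_seq, "recv_seq": recv_seq, "type_id": type_id,
            "cot": cot, "common_addr": common_addr, "objects": objects}


def build_single_command(ioa: int, scs: int, send_seq: int = 0, recv_seq: int = 0,
                         common_addr: int = 1, cot: int = COT_ACTIVATION) -> bytes:
    """Build a C_SC_NA_1 execute frame; used here only to construct sample traffic."""
    ctrl = struct.pack("<HH", (send_seq << 1) & 0xFFFF, (recv_seq << 1) & 0xFFFF)
    asdu = (bytes([C_SC_NA_1, 1, cot, 0]) + struct.pack("<H", common_addr)
            + ioa.to_bytes(3, "little") + bytes([scs & 0x01]))
    body = ctrl + asdu
    return bytes([0x68, len(body)]) + body


def find_open_loops(events, window_s: float = 10.0, threshold: int = 5):
    """events: iterable of (timestamp_seconds, frame_bytes) as captured on the wire.

    Returns {ioa: max number of execute/OFF commands inside any window_s window}
    for every object address that reaches the threshold. An operator opens a
    breaker once; a script keeping it open produces a burst of OFF commands.
    """
    opens = {}
    for ts, frame in events:
        msg = parse_apdu(frame)
        if msg is None or msg["type_id"] != C_SC_NA_1 or msg["cot"] != COT_ACTIVATION:
            continue
        for obj in msg["objects"]:
            if obj["scs"] == 0 and obj["select"] == 0:
                opens.setdefault(obj["ioa"], []).append(ts)
    alerts = {}
    for ioa, times in opens.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window_s:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts[ioa] = best
    return alerts


# Constructed sample capture: one legitimate open/close pair on IOA 1001, an
# S-format acknowledgement, then a scripted loop re-issuing OFF to IOA 2002
# every half second.
SAMPLE_EVENTS = [
    (0.0, build_single_command(1001, 0, send_seq=1, recv_seq=1)),
    (30.0, build_single_command(1001, 1, send_seq=2, recv_seq=2)),
    (31.0, bytes([0x68, 0x04, 0x01, 0x00, 0x06, 0x00])),   # S-format ack, no ASDU
] + [(100.0 + 0.5 * i, build_single_command(2002, 0, send_seq=3 + i, recv_seq=3))
     for i in range(10)]

if __name__ == "__main__":
    print(find_open_loops(SAMPLE_EVENTS))   # {2002: 10}
```

The threshold is deliberately per object address rather than global: a storm of commands to many different breakers during a planned switching sequence is normal, whereas repeated OFF commands to the same breaker are what the Dragos description calls out. Real deployments would feed the function from a passive tap on the IEC 104 TCP stream (port 2404) rather than from a constructed list, and would also track the select/execute pairing that the parser already exposes.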


Pierluigi Paganini

Pierluigi is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group, a member of the Cyber G7 Workgroup of the Italian Ministry of Foreign Affairs and International Cooperation, and Professor and Director of the Master in Cyber Security at the Link Campus University. He is also a Security Evangelist, Security Analyst and Freelance Writer.

Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years of experience in the field; he is a Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US.

Pierluigi is a member of the "The Hacker News" team and writes for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines.