Password cracking software creates crypto-stealing botnets

Dragos security researchers have discovered a campaign to infect industrial control systems with Sality malware via a trojan embedded in password cracking software.

The password cracker is advertised on social media and promises to unlock programmable logic controllers and human-machine interface terminals.

However, the researchers found that the password recovery software infects the host machine with Sality malware.

“Sality is a peer-to-peer botnet for distributed computing tasks such as password cracking and cryptocurrency mining,” Dragos said.

“This specific sample of Sality also drops clipboard hijacking malware that, every half second, checks the clipboard for a cryptocurrency address format.”

It then replaces any address with one owned by the threat actor to siphon off cryptocurrency.
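The half-second clipboard check quoted above is easy to reproduce from the defender's side. What follows is an added example, not code from the article or from Dragos: it classifies clipboard strings against simplified address patterns for Bitcoin (Base58 legacy and Bech32) and Ethereum, then flags any poll where one address is replaced by a different address of the same family within a short window, which is what a hijacker does and a person copying text rarely does. The poll sequence, the one-second window and the addresses are constructed for the demonstration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Simplified address-format patterns. Assumption: a hijacker only needs a
# "looks like an address" test, so a detector can use equally coarse rules.
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),  # Base58 P2PKH/P2SH
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{11,71}$"),        # Bech32 / Bech32m
    "eth":        re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def classify_address(text: str) -> Optional[str]:
    """Return the address family a clipboard string matches, or None."""
    text = text.strip()
    for family, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return family
    return None


@dataclass
class Snapshot:
    """One clipboard poll: timestamp in milliseconds and the text seen."""
    t_ms: int
    content: str


def find_hijacks(snapshots: List[Snapshot],
                 window_ms: int = 1000) -> List[Tuple[str, str, str, int]]:
    """Flag consecutive polls where an address was swapped for a different
    address of the same family within window_ms. Returns
    (original, replacement, family, elapsed_ms) tuples."""
    alerts = []
    for prev, cur in zip(snapshots, snapshots[1:]):
        family = classify_address(prev.content)
        if family is None or classify_address(cur.content) != family:
            continue  # not an address, or the address type changed (user pasted something else)
        if prev.content.strip() == cur.content.strip():
            continue  # clipboard unchanged
        elapsed = cur.t_ms - prev.t_ms
        if elapsed <= window_ms:
            alerts.append((prev.content.strip(), cur.content.strip(), family, elapsed))
    return alerts


# Constructed poll sequence at the 500 ms cadence the article describes.
# Addresses are synthetic strings that merely satisfy the patterns above.
VICTIM_BTC = "1Victim" + "x" * 27
ATTACKER_BTC = "1Attacker" + "x" * 25
SAMPLE_POLLS = [
    Snapshot(0,    "meeting notes"),
    Snapshot(500,  VICTIM_BTC),                  # user copies a BTC address
    Snapshot(1000, ATTACKER_BTC),                # swapped 500 ms later: hijack
    Snapshot(5000, "0x" + "ab12" * 10),          # user copies an ETH address
    Snapshot(9000, "0x" + "deadbeef" * 5),       # different ETH address 4 s later: user action
    Snapshot(9500, "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4"),  # different family: ignored
]


def demo() -> List[Tuple[str, str, str, int]]:
    """Run the detector over the constructed poll sequence."""
    return find_hijacks(SAMPLE_POLLS)


if __name__ == "__main__":
    for original, replacement, family, elapsed in demo():
        print(f"[{family}] {original} -> {replacement} after {elapsed} ms")
```

The window is the key parameter: a hijacker that polls every 500 ms rewrites the clipboard almost immediately after the user copies, whereas a user who pastes one address and then copies another usually takes seconds. To run this against a live clipboard, feed `find_hijacks` with snapshots collected by whatever clipboard reader the platform offers; the detection logic itself needs nothing beyond the standard library.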

The researchers said Sality copies itself onto shared network drives, external drives and removable media, and abuses the Windows Autorun feature to execute from them and infect other systems.

It can also terminate processes, open connections to remote sites to download additional payloads, and steal data.
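As an added example, not code from the article or from Dragos, the following triages an autorun.inf the way an incident responder would when checking a share or a USB stick for the propagation described above: it parses the file tolerantly and reports every directive that launches a program or rebinds an Explorer verb. The sample files, the list of executable suffixes and the hiding-folder heuristics are constructed assumptions for the demonstration.

```python
from typing import Dict, List, Tuple

# Directives that make Windows run a program, or rebind an Explorer verb
# (shell\<verb>\command) so that "Open" or "Explore" launches the payload.
LAUNCH_KEYS = ("open", "shellexecute")
EXEC_SUFFIXES = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js")
HIDING_SPOTS = ("recycler", "$recycle.bin", "system volume information")  # assumption


def parse_autorun(text: str) -> Dict[str, str]:
    """Tolerant INI-style parser that keeps only the [autorun] section.
    NULs, junk lines and odd casing are ignored rather than rejected, on the
    assumption that infected files are padded to trip up naive parsers."""
    entries: Dict[str, str] = {}
    section = None
    for raw in text.splitlines():
        line = raw.replace("\x00", "").strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        entries[key.strip().lower()] = value.strip()
    return entries


def triage_autorun(text: str) -> List[Tuple[str, str, List[str]]]:
    """Return (directive, value, reasons) for every directive that would run
    code or rebind a shell verb. An empty list means nothing launches."""
    findings = []
    entries = parse_autorun(text)
    spoofed_action = "open folder to view files" in entries.get("action", "").lower()
    for key, value in entries.items():
        is_verb = key.startswith("shell\\") and key.endswith("\\command")
        if key not in LAUNCH_KEYS and not is_verb:
            continue
        target = value.split()[0].strip('"').lower() if value else ""
        reasons = []
        if target.endswith(EXEC_SUFFIXES):
            reasons.append("launches an executable")
        if any(spot in target for spot in HIDING_SPOTS):
            reasons.append("target is hidden in a system folder")
        if is_verb:
            reasons.append("rebinds Explorer verb %r" % key.split("\\")[1])
        if spoofed_action:
            reasons.append("action= text mimics the default Explorer prompt")
        findings.append((key, value, reasons))
    return findings


# Constructed samples, not taken from a real infection.
MALICIOUS_INF = """[AutoRun]
open=RECYCLER\\a1b2c3\\svchost.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
action=Open folder to view files
shell\\open\\command=RECYCLER\\a1b2c3\\svchost.exe
shell\\explore\\command=RECYCLER\\a1b2c3\\svchost.exe
"""

BENIGN_INF = """[autorun]
icon=drivers.ico
label=Printer driver CD
"""

if __name__ == "__main__":
    for directive, value, reasons in triage_autorun(MALICIOUS_INF):
        print(f"{directive}={value}\n    " + "; ".join(reasons))
    print("benign findings:", triage_autorun(BENIGN_INF))
```

A vendor disc that sets `open=setup.exe` will also be reported, which is the point: the script lists what would run, and the reasons attached to each finding (hidden path, rebound verb, spoofed prompt) separate a driver CD from a worm. Blocking the vector itself is a policy setting rather than a script: the `NoDriveTypeAutoRun` value under `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer` set to `0xFF` disables AutoRun for every drive type.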

Dragos said Sality evades detection by shutting down security software on the infected host.

“To remain undetected, Sality drops a kernel driver and starts a service to identify any potential security products such as antivirus systems or firewalls and terminates them.”

The cybersecurity company identified the malware inside a password cracker for Automation Direct’s DirectLogic PLCs.

The cracker recovers the password by exploiting a vulnerability in the PLC. That vulnerability was assigned CVE-2022-2003 and has since been patched.

“[We] were able to successfully recreate the exploit over Ethernet, increasing the severity of this vulnerability significantly,” Dragos said.

However, Dragos said that other vendors besides Automation Direct are also targeted.

These include ABB, Omron, Siemens, Fuji Electric, Mitsubishi, LG, Vigor, Pro-Face, Weintek, and Panasonic.

Dragos has advised network engineers to contact their respective vendors for guidance if they need to recover a lost password and to avoid relying on password recovery software from unknown sources.
