{"id":452972,"date":"2022-07-18T13:00:47","date_gmt":"2022-07-18T11:00:47","guid":{"rendered":"https:\/\/mybroadband.co.za\/news\/?p=452972"},"modified":"2022-07-18T13:03:41","modified_gmt":"2022-07-18T11:03:41","slug":"password-cracker-software-creates-crypto-stealing-botnets","status":"publish","type":"post","link":"https:\/\/mybroadband.co.za\/news\/security\/452972-password-cracker-software-creates-crypto-stealing-botnets.html","title":{"rendered":"Password cracking software creates crypto-stealing botnets"},"content":{"rendered":"<p>Dragos security researchers have <strong><a href=\"https:\/\/www.dragos.com\/blog\/the-trojan-horse-malware-password-cracking-ecosystem-targeting-industrial-operators\/\" target=\"_blank\" rel=\"noopener\">discovered<\/a><\/strong> a campaign to infect industrial control systems with Sality malware via a trojan embedded in password cracking software.<\/p>\n<p>The password cracker is advertised on social media and promises to unlock programmable logic controllers and human-machine interface terminals.<\/p>\n<p>However, the researchers found that the password recovery software infects the host machine with Sality malware.<\/p>\n<p>\u201cSality is a peer-to-peer botnet for distributed computing tasks such as password cracking and cryptocurrency mining,\u201d Dragos said.<\/p>\n<p>\u201cThis specific sample of Sality also drops clipboard hijacking malware that, every half second, checks the clipboard for a cryptocurrency address format.\u201d<\/p>\n<p>It then replaces any address with one owned by the threat actor to siphon off cryptocurrency.<\/p>\n<p>The researchers said Sality could manipulate the Windows Autorun function to copy itself onto shared network drives, external drives, and removable media to infect other systems.<\/p>\n<p>It can also terminate processes, open connections to remote sites to download additional payloads, and steal data.<\/p>\n<p>Dragos said Sality remains undetected by terminating any security services 
prematurely.<\/p>\n<p>\u201cTo remain undetected, Sality drops a kernel driver and starts a service to identify any potential security products such as antivirus systems or firewalls and terminates them.\u201d<\/p>\n<p>\u201c[We] were able to successfully recreate the exploit over Ethernet, increasing the severity of this vulnerability significantly,\u201d Dragos said.<\/p>\n<p>The cybersecurity company identified the malware inside a password cracker for Automation Direct\u2019s DirectLogic PLCs.<\/p>\n<p>The vulnerability was assigned CVE-2022-2003 and has since been patched.<\/p>\n<p>However, Dragos said that other vendors besides Automation Direct are also targeted.<\/p>\n<p>These include ABB, Omron, Siemens, Fuji Electric, Mitsubishi, LG, Vigor, Pro-Face, Weintek, and Panasonic.<\/p>\n<p>Dragos has advised network engineers to contact their respective vendors for guidance if they need to recover a lost password and to avoid relying on password recovery software from unknown sources.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Security researchers have discovered a widespread campaign that hides malware in password cracker software to steal 
cryptocurrency.<\/p>\n","protected":false},"author":341094,"featured_media":452974,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[27],"tags":[2822,79902,79908,801,79906,79904,10484],"class_list":["post-452972","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security","tag-botnet","tag-dragos","tag-human-machine-interface-hmi","tag-malware","tag-programmable-logic-controllers-plcs","tag-sality","tag-trojan"],"_links":{"self":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/452972"}],"collection":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/users\/341094"}],"replies":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/comments?post=452972"}],"version-history":[{"count":0,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/452972\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/media\/452974"}],"wp:attachment":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/media?parent=452972"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/categories?post=452972"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/tags?post=452972"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}