TA17-163A: CrashOverride Malware


    Original release date: June 12, 2017 | Last revised: July 07, 2017
    Systems Affected

    Industrial Control Systems
    Overview

    The National Cybersecurity and Communications Integration Center (NCCIC) is aware of public reports from ESET and Dragos outlining a new, highly capable Industrial Control Systems (ICS) attack platform that was reportedly used in 2016 against critical infrastructure in Ukraine. As reported by ESET and Dragos, the CrashOverride malware is an extensible platform that could be used to target critical infrastructure sectors. NCCIC is working with its partners to validate the ESET and Dragos analysis and to develop a better understanding of the risk this new malware poses to U.S. critical infrastructure.
    Although this activity is still under investigation, NCCIC is sharing this report to provide organizations with detection and mitigation recommendations to help prevent future compromises within their critical infrastructure networks. NCCIC continues to work with interagency and international partners on this activity and will provide updates as information becomes available.
    For a downloadable copy of indicators of compromise (IOCs), see:

    To report activity related to this Alert, please contact NCCIC at NCCICCustomerService@hq.dhs.gov or 1-888-282-0870.
    Risk Evaluation

    NCCIC Cyber Incident Scoring System (NCISS) Rating Priority Level (Color): Yellow (Medium)
    A medium priority incident may affect public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence.
    Details

    There is no evidence to suggest this malware has affected U.S. critical infrastructure. However, the tactics, techniques, and procedures (TTPs) described as part of the CrashOverride malware could be modified to target U.S. critical information networks and systems.
    Description

    Technical Analysis

    CrashOverride malware represents a scalable, capable platform. The modules and capabilities publicly reported appear to focus on organizations using the ICS protocols IEC101, IEC104, and IEC61850, which are more commonly used outside the United States in electric power control systems. The platform fundamentally abuses the legitimate functionality of the targeted control system to achieve its intended effect. While the known capabilities do not appear to be U.S.-focused, it is important to recognize that the general TTPs used in CrashOverride could be leveraged with modified technical implementations to affect U.S.-based critical infrastructure. With further modification, CrashOverride or similar malware could have implications beyond electric power, so all critical infrastructure organizations should evaluate their systems for susceptibility to the TTPs outlined. The malware has several reported capabilities:
    1. Issues valid commands directly to remote terminal units (RTUs) over ICS protocols. As reported by Dragos, one such command sequence toggles circuit breakers in a rapid open-close-open-close pattern. This could create conditions where individual utilities island themselves from infected parties, potentially resulting in a degradation of grid reliability.
    2. Denies service to local serial COM ports on Windows devices, preventing legitimate communication with field equipment over serial from the affected device.
    3. Scans and maps the ICS environment using a variety of protocols, including Open Platform Communications (OPC). This significantly improves the payload's probability of success.
    4. Could exploit a Siemens relay denial-of-service (DoS) vulnerability, leading to a shutdown of the relay. In this instance, the relay would need to be manually reset to restore functionality.
    5. Includes a wiper module that renders Windows systems inert, requiring a rebuild or restoration from backup.

    Detection

    As CrashOverride is a second-stage malware capability and can operate independently of its initial command and control (C2), traditional methods of detection may not be sufficient to detect infections before the malware executes. As a result, organizations are encouraged to implement behavioral analysis techniques to identify precursor activity to CrashOverride. As additional information becomes available on stage-one infection vectors and TTPs, this alert will be updated.
    NCCIC is providing a compilation of IOCs (see links above) from a variety of sources to aid in the detection of this malware. The sources provided do not constitute an exhaustive list and the U.S. Government does not endorse or support any particular product or vendor’s information referenced in this report. However, NCCIC has included this data to ensure wide distribution of the most comprehensive information available and will provide updates as warranted.
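    As a worked illustration of the behavioral detection this section calls for (an added example, not code from the advisory, Dragos, ESET or NCCIC): the script below decodes IEC 60870-5-104 command APDUs (type 45 single command and type 46 double command) and raises an alert when a breaker's commanded state flips repeatedly within a short window, which is the rapid open-close-open-close pattern described under capability 1 above. The frame layout follows the public IEC 60870-5-104 specification; the sample traffic, the 5-second window and the 3-flip threshold are assumptions constructed for the example and should be tuned to site operating practice.

```python
"""IEC 60870-5-104 command parsing and rapid breaker-toggle detection.

Added for this advisory; not code from Dragos, ESET or NCCIC. Frame layout
follows the public IEC 60870-5-104 specification. All traffic below is
constructed for the example, not captured from CrashOverride.
"""
import struct
from collections import defaultdict

START = 0x68
C_SC_NA_1 = 45          # single command (one-bit ON/OFF)
C_DC_NA_1 = 46          # double command (OFF=1 / ON=2), typical for breakers
COT_ACTIVATION = 6      # cause of transmission: activation


def build_i_frame(ns, nr, asdu):
    """APCI for an I-format APDU: start byte, length, N(S)<<1, N(R)<<1, then the ASDU."""
    control = struct.pack("<HH", ns << 1, nr << 1)
    return bytes([START, len(control) + len(asdu)]) + control + asdu


def build_dc_command(casdu, ioa, on, select=False, cot=COT_ACTIVATION):
    """C_DC_NA_1 ASDU: type, VSQ=1, COT, originator 0, CASDU, 3-byte IOA, DCO."""
    dco = (2 if on else 1) | (0x80 if select else 0)   # bit 7: select=1, execute=0
    head = struct.pack("<BBBBH", C_DC_NA_1, 1, cot, 0, casdu)
    return head + struct.pack("<I", ioa)[:3] + bytes([dco])


def parse_apdu(data):
    """Decode one APDU. Returns None for S/U frames (no ASDU), a dict otherwise.

    Only what the detection needs is decoded: type ID, COT, CASDU and, for
    single/double commands, a list of (ioa, state, is_select) tuples.
    """
    if len(data) < 6 or data[0] != START or data[1] != len(data) - 2:
        raise ValueError("malformed APCI")
    if data[2] & 0x01:                       # control field 1 bit 0 set: S or U frame
        return None
    asdu = data[6:]
    if len(asdu) < 6:
        raise ValueError("ASDU header truncated")
    type_id, vsq, cot_byte, _originator, casdu = struct.unpack("<BBBBH", asdu[:6])
    result = {"type_id": type_id, "cot": cot_byte & 0x3F, "casdu": casdu, "objects": []}
    if type_id not in (C_SC_NA_1, C_DC_NA_1):
        return result                        # other ASDU types are not needed here
    if vsq & 0x80:
        raise ValueError("SQ=1 is not valid for command ASDUs")
    pos = 6
    for _ in range(vsq & 0x7F):
        if len(asdu) < pos + 4:
            raise ValueError("information object truncated")
        ioa = int.from_bytes(asdu[pos:pos + 3], "little")
        qual = asdu[pos + 3]                 # SCO or DCO qualifier byte
        if type_id == C_SC_NA_1:
            state = "ON" if qual & 0x01 else "OFF"
        else:
            state = {1: "OFF", 2: "ON"}.get(qual & 0x03, "INVALID")
        result["objects"].append((ioa, state, bool(qual & 0x80)))
        pos += 4
    return result


def detect_rapid_toggle(events, window_s=5.0, min_flips=3):
    """Flag a breaker whose commanded state flips min_flips times within window_s.

    events: iterable of (timestamp, src_ip, apdu_bytes) in time order. A flip is
    an execute-activation command whose ON/OFF state differs from the previous
    command to the same (CASDU, IOA), from any source. The thresholds are
    assumptions; tune them to the site's operating practice.
    """
    last_state = {}
    flip_times = defaultdict(list)
    alerts, alerted = [], set()
    for ts, src, raw in events:
        apdu = parse_apdu(raw)
        if apdu is None or apdu["cot"] != COT_ACTIVATION:
            continue
        for ioa, state, is_select in apdu["objects"]:
            if is_select or state == "INVALID":
                continue                     # only the execute step moves the breaker
            key = (apdu["casdu"], ioa)
            prev = last_state.get(key)
            last_state[key] = state
            if prev is None or prev == state:
                continue
            times = flip_times[key]
            times.append(ts)
            while times and ts - times[0] > window_s:
                times.pop(0)                 # forget flips outside the window
            if len(times) >= min_flips and key not in alerted:
                alerted.add(key)
                alerts.append({"key": key, "src": src, "flips": len(times),
                               "first": times[0], "last": ts})
    return alerts


def sample_events():
    """Constructed traffic: one operator OFF command, then a second host driving
    the same breaker ON/OFF/ON/OFF/ON 0.4 s apart, then a TESTFR U-frame."""
    events = [(0.0, "10.0.0.5", build_i_frame(0, 0, build_dc_command(1, 1001, on=False)))]
    for i, on in enumerate([True, False, True, False, True]):
        asdu = build_dc_command(1, 1001, on=on)
        events.append((100.0 + 0.4 * i, "10.0.0.99", build_i_frame(i, 0, asdu)))
    events.append((103.0, "10.0.0.99", bytes([START, 4, 0x43, 0, 0, 0])))  # TESTFR act
    return events


if __name__ == "__main__":
    for alert in detect_rapid_toggle(sample_events()):
        print(alert)
```

    Feed it (timestamp, source, APDU bytes) tuples reassembled from TCP port 2404 traffic on a span port. Keying on (CASDU, IOA) rather than on the sender is deliberate: a toggle driven from a compromised HMI or engineering workstation is caught even though the source address is a legitimate station, and select-only commands are ignored because only the execute step moves the breaker.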
    Signatures

    import "pe"
    import "hash"

    rule dragos_crashoverride_exporting_dlls
    {
        meta:
            description = "CRASHOVERRIDE v1 Suspicious Export"
            author = "Dragos Inc"
        condition:
            // A DLL exporting a function named "Crash". The rule as published reads
            // `pe.exports("Crash") & pe.characteristics`, a bitwise AND of a boolean
            // with the characteristics field; the DLL test is made explicit here.
            pe.exports("Crash") and (pe.characteristics & pe.DLL) != 0
    }

    rule dragos_crashoverride_suspcious
    {
        meta:
            description = "CRASHOVERRIDE v1 Wiper"
            author = "Dragos Inc"
        strings:
            $s0 = "SYS_BASCON.COM" fullword nocase wide
            $s1 = ".pcmp" fullword nocase wide
            $s2 = ".pcmi" fullword nocase wide
            $s3 = ".pcmt" fullword nocase wide
            $s4 = ".cin" fullword nocase wide
        condition:
            pe.exports("Crash") and any of ($s*)
    }

    rule dragos_crashoverride_name_search
    {
        meta:
            description = "CRASHOVERRIDE v1 Suspicious Strings and Export"
            author = "Dragos Inc"
        strings:
            $s0 = "101.dll" fullword nocase wide
            $s1 = "Crash101.dll" fullword nocase wide
            $s2 = "104.dll" fullword nocase wide
            $s3 = "Crash104.dll" fullword nocase wide
            $s4 = "61850.dll" fullword nocase wide
            $s5 = "Crash61850.dll" fullword nocase wide
            $s6 = "OPCClientDemo.dll" fullword nocase wide
            $s7 = "OPC" fullword nocase wide
            $s8 = "CrashOPCClientDemo.dll" fullword nocase wide
            $s9 = "D2MultiCommService.exe" fullword nocase wide
            $s10 = "CrashD2MultiCommService.exe" fullword nocase wide
            $s11 = "61850.exe" fullword nocase wide
            $s12 = "OPC.exe" fullword nocase wide
            $s13 = "haslo.exe" fullword nocase wide
            $s14 = "haslo.dat" fullword nocase wide
        condition:
            any of ($s*) and pe.exports("Crash")
    }

    rule dragos_crashoverride_hashes
    {
        meta:
            description = "CRASHOVERRIDE Malware Hashes"
            author = "Dragos Inc"
        condition:
            // Parentheses are required: `and` binds tighter than `or`, so without
            // them the size bound applies only to the first hash.
            filesize < 1MB and (
                hash.sha1(0, filesize) == "f6c21f8189ced6ae150f9ef2e82a3a57843b587d" or
                hash.sha1(0, filesize) == "cccce62996d578b984984426a024d9b250237533" or
                hash.sha1(0, filesize) == "8e39eca1e48240c01ee570631ae8f0c9a9637187" or
                hash.sha1(0, filesize) == "2cb8230281b86fa944d3043ae906016c8b5984d9" or
                hash.sha1(0, filesize) == "79ca89711cdaedb16b0ccccfdcfbd6aa7e57120a" or
                hash.sha1(0, filesize) == "94488f214b165512d2fc0438a581f5c9e3bd4d4c" or
                hash.sha1(0, filesize) == "5a5fafbc3fec8d36fd57b075ebf34119ba3bff04" or
                hash.sha1(0, filesize) == "b92149f046f00bb69de329b8457d32c24726ee00" or
                hash.sha1(0, filesize) == "b335163e6eb854df5e08e85026b2c3518891eda8"
            )
    }

    rule dragos_crashoverride_moduleStrings
    {
        meta:
            description = "IEC-104 Interaction Module Program Strings"
            author = "Dragos Inc"
        strings:
            $s1 = "IEC-104 client: ip=%s; port=%s; ASDU=%u" nocase wide ascii
            $s2 = " MSTR ->> SLV" nocase wide ascii
            // $s3 = " MSTR ...   (string cut off in this copy of the alert)
        condition:
            // The condition is missing from this copy; matching any of the
            // surviving module strings is the minimal check.
            any of ($s*)
    }