PLC and HMI 'password cracker' delivers malware
A threat actor is targeting industrial engineers and operators with trojanized password-cracking software for programmable logic controllers (PLCs) and human-machine interfaces (HMIs). PLCs are industrial computers that control machinery such as conveyor belts and can be programmed to follow specific logic rules; HMIs are the consoles through which operators interact with those devices.
According to Dragos research, the attacker appears to be interested not in disrupting industrial processes but in making money. The threat actors know that industrial engineers frequently search for password crackers, because PLC and HMI maintenance often involves forgotten passwords, so it makes sense for them to hide malware inside software posing as a password cracker.
The password-cracking software contains a dropper that infects the machine with the Sality malware. Sality detects and disables firewalls and other security tools, abuses Windows' auto-start (autorun) function to copy itself to USB drives, network shares and external drives, and can enlist infected devices into a botnet, so that unauthorized users can use them for tasks that require a distributed network of computers (such as cryptomining).
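The autorun abuse described above relies on an `autorun.inf` file at the root of a removable volume or share that points Windows at an executable. The following script, an added defensive example that is not from the article or from Dragos, parses `autorun.inf` files and flags the directives (`open`, `shellexecute`, `shell\...\command`) that would launch a program. The two sample files embedded in it are constructed for illustration and are not Sality artefacts.

```python
"""Flag autorun.inf files that launch executables from removable media or shares.

Added as a defensive illustration only. The keys checked (open, shellexecute,
shell\\...\\command) are standard autorun.inf directives; the sample files at the
bottom are constructed for this example, not real malware samples.
"""
import re
from pathlib import Path

# File types an autorun directive can hand control to when AutoPlay is enabled.
LAUNCHABLE_EXT = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js", ".dll"}

# Directives that run a program rather than merely set an icon or volume label.
LAUNCH_KEYS = {"open", "shellexecute"}
SHELL_COMMAND_RE = re.compile(r"^shell\\.+\\command$", re.IGNORECASE)


def parse_autorun(text: str) -> dict:
    """Return the key/value pairs of the [autorun] section with lower-cased keys.

    A hand-rolled parser is used instead of configparser because worm-written
    autorun.inf files often contain junk lines, duplicate keys and odd casing
    that a strict INI parser would reject.
    """
    entries = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def _launch_target(value: str) -> str:
    """Extract the program path from a directive value, dropping arguments."""
    value = value.strip()
    quoted = re.match(r'^"([^"]*)"', value)
    if quoted:
        return quoted.group(1)
    parts = value.split()
    return parts[0] if parts else ""


def find_launch_entries(text: str) -> list:
    """Return (directive, program) pairs that would execute a launchable file."""
    findings = []
    for key, value in parse_autorun(text).items():
        if key in LAUNCH_KEYS or SHELL_COMMAND_RE.match(key):
            target = _launch_target(value)
            if Path(target).suffix.lower() in LAUNCHABLE_EXT:
                findings.append((key, target))
    return findings


def scan_roots(roots) -> dict:
    """Map each autorun.inf found at the given volume/share roots to its launch entries.

    Only the root is checked because that is the only location where Windows
    honours autorun.inf; a copy deeper in the tree is inert.
    """
    results = {}
    for root in roots:
        inf = Path(root) / "autorun.inf"
        if inf.is_file():
            results[str(inf)] = find_launch_entries(inf.read_text(errors="replace"))
    return results


# Constructed samples (not real malware artefacts).
BENIGN_INF = "[autorun]\nicon=setup.ico\nlabel=Backup Drive\n"
SUSPICIOUS_INF = (
    "[autorun]\n"
    ";junk comment lines are common in worm-written files\n"
    "open=RECYCLER\\payload.exe /s\n"
    "shell\\open\\Command=\"RECYCLER\\payload.exe\" /s\n"
    "shellexecute=RECYCLER\\payload.exe\n"
    "icon=%SystemRoot%\\system32\\shell32.dll,4\n"
)

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_INF), ("suspicious", SUSPICIOUS_INF)):
        print(name, find_launch_entries(sample))
```

Run it against mounted drive letters or share roots with `scan_roots(["E:\\", r"\\fileserver\eng"])`. Note that the `icon=` line pointing at a `.dll` is deliberately not flagged: icon directives only load a resource and cannot start a process, so flagging them would produce noise on legitimate media. Disabling AutoPlay through Group Policy removes the execution path entirely, but the scan remains useful for finding drives and shares that a worm has already written to.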
Learn more at Help Net Security.