ZoomIn: A Closer Look into the Malware Artifacts, Behaviors and Network Communications

FrostyGoop, an operational technology (OT) malware, disrupted critical infrastructure in Ukraine in early 2024, cutting heating to over 600 apartment buildings. It is the first OT-centric malware known to use Modbus TCP communications to cause such an impact. The malware can operate from inside a compromised network or externally when target devices are reachable from the internet. It sends Modbus commands to read or modify data on industrial control systems. New samples and indicators were uncovered, including configuration files and libraries. The malware is compiled in Go and uses specific open-source libraries. It implements debugger evasion techniques and can encrypt its configuration files. Analysis found over 1 million Modbus TCP devices exposed to the internet, highlighting the increasing threat to critical infrastructure.

Author: AlienVault

Related Tags:
industrial control systems
ot-malware
BUSTLEBERM
FrostyGoop
T1588.002
T1588.001
Critical Infrastructure
T1132
Ukraine

Associated Indicators (SHA-256):
8891E7562EB4DB253A8582376083CA99B19457680F9D36A5BA4108790740785E
7BCFCC90D0BD6C85B5B1CC9F287E161020571A0418AFB50F2DD67685E9D3A4FC
B351E3F475681AB2E8DB5B2BBD2BEAF26E5B4FD082CA08EBA6FFFBC76370113C
C43E506C9B964DDDF6FD784BF0CC78B4A2396F47257361DC22E1070E249EAE16
716778BAB5FB2C439A51362BE5941A50D587714D58A6FAA39EEFA96AA79C1561
BDA2503FC02B11258399CFABD0778A997654B5BD7D30E5E3F5BEF54A74B914E1
01082CD4733E5F3E2C3F642FA6C0AFB5A9489D39FF26A35549263FC0E02EBAD3
D23491DD351F43F0EFAD5CEE2BE80C4049349A7695C0E7DE1DE632C791356183
4DCE8B3BEBA71B8B44B6576FF2497ED68C6FAFEBD046822F0D60F8758238E900