Banking Trojans Pose as SCADA Software to Infect Manufacturers

Malicious software thought to be specific to the banking industry is infecting manufacturing facilities by posing as industrial control software, says a Trend Micro researcher.

Dark Reading’s Kelly Higgins has a report about a discovery by a security researcher who has identified a worrying new trend: banking malware that is posing as legitimate ICS software updates and files in order to compromise systems that run manufacturing plants and other facilities.

Higgins writes about research by Kyle Wilhoit, senior threat researcher with Trend Micro. Wilhoit claims to have found 13 different crimeware variants disguised as SCADA and industrial control system (ICS) software. The malware posed as human machine interface (HMI) products, including Siemens’ Simatic WinCC and GE’s Cimplicity, and as device drivers from Advantech.

The attacks appear to be coming from traditional cybercriminals rather than nation-state attackers. The motive, Wilhoit theorizes, is to make money, possibly by harvesting banking credentials or other financial information.

Malicious software that can operate in industrial environments and critical infrastructure settings is an increasing concern. In recent months, the Department of Homeland Security has warned critical infrastructure owners about the danger posed by sophisticated malware.

According to a confidential memo obtained by CNN, the FBI and DHS are now traveling the country to warn utilities and other critical infrastructure owners about targeted attacks on industrial control systems. Some of those attacks are exploiting previously unknown (or “zero day”) vulnerabilities in ICS systems, CNN reported.

In October, the U.S. Government’s Industrial Control System CERT (ICS-CERT) published details of the BlackEnergy campaign which began more than three years ago and has targeted industrial systems that were directly connected to the public Internet.

Read more via Banking Trojans Disguised As ICS/SCADA Software Infecting Plants.