Industrial engineers and operators are the target of a new campaign that leverages password-cracking software to seize control of Programmable Logic Controllers (PLCs) and co-opt the machines into a botnet. The software retrieves a password and, in the process, infects the machine with Sality malware, which turns the host into a peer in Sality's peer-to-peer botnet. The password-retrieval exploit is designed to recover the credential associated with Automation Direct's DirectLOGIC 06 PLC. The vulnerability is tracked as CVE-2022-2003 and could allow disclosure of sensitive data and unauthorized changes. The exploit is very effective because it can terminate security software and remain undetected while performing the tasks described above. It also functions as a crypto-clipper payload, substituting the attacker's wallet address for the original wallet address during a transaction.
Automation Direct is not the only vendor impacted, as the tool claims to affect several PLCs, HMIs, and project files. The project files span 14 different corporations, including LG, Mitsubishi Electric, and Delta Automation. This is not the first time trojanized software has targeted operational technology networks: in October 2021, Mandiant identified that the Sality, Virut, and Ramnit malware families were compromising portable executable binaries.