Source |
RiskIQ |
Identifier |
8615094 |
Publication date |
2024-11-21 00:18:57 (viewed: 2024-11-21 01:08:55) |
Title |
FrostyGoop's Zoom-In: A Closer Look into the Malware Artifacts, Behaviors and Network Communications |
Text |
#### Targeted Geolocations
- Ukraine
## Snapshot
Unit 42 researchers at Palo Alto Networks have identified the OT-centric malware FrostyGoop, also known as BUSTLEBERM, which targets Operational Technology (OT) systems. First observed in a [January 2024 attack](https://sip.security.microsoft.com/intel-explorer/articles/cf8f8199) by Russian threat actors on a municipal energy company in Ukraine, FrostyGoop disrupted the power supply by sending Modbus TCP commands to ICS devices, affecting heating services for over 600 apartment buildings in Ukraine.
## Description
FrostyGoop, compiled in Go, uses a Modbus TCP connection to interact with ICS/OT devices and can perform various Modbus operations (read, write, and write multiple) based on parameters in a JSON configuration file. The initial compromise may have involved a vulnerability in a MikroTik router. The malware builds on an open-source Modbus implementation, logs its output to the console or to a JSON file, and is associated with a Windows executable named go-encrypt.exe, which uses AES encryption to conceal target information. FrostyGoop also implements a debugger evasion technique by checking the BeingDebugged value in the Windows Process Environment Block (PEB).
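As an added defender-side example (not code from the Unit 42 report or from Microsoft), the following Python parses the Modbus TCP MBAP header of each request and flags state-changing function codes (the write and write-multiple operations the description mentions) that originate from hosts not on an allowlist of expected engineering workstations. The sample frames and IP addresses are constructed for illustration.

```python
import struct
from dataclasses import dataclass

# Modbus function codes that change device state (coils/registers).
WRITE_FUNCTION_CODES = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    payload: bytes


def parse_mbap(frame: bytes) -> ModbusRequest:
    """Parse a Modbus TCP ADU: 7-byte MBAP header followed by the PDU."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:  # protocol identifier is always 0 for Modbus
        raise ValueError(f"unexpected protocol id {proto}")
    if len(frame) != 6 + length:  # length field counts unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    return ModbusRequest(tid, unit, frame[7], frame[8:])


def flag_writes(packets, allowed_writers):
    """Return (src_ip, unit_id, operation) for writes from unexpected hosts."""
    alerts = []
    for src_ip, frame in packets:
        req = parse_mbap(frame)
        if req.function_code in WRITE_FUNCTION_CODES and src_ip not in allowed_writers:
            alerts.append((src_ip, req.unit_id, WRITE_FUNCTION_CODES[req.function_code]))
    return alerts


# Constructed sample traffic (hypothetical hosts, not from any real capture).
SAMPLE = [
    ("10.0.0.5", bytes.fromhex("0001 0000 0006 01 03 0000 0002")),            # read holding registers
    ("10.0.0.9", bytes.fromhex("0002 0000 0006 01 06 0010 00ff")),            # write single register
    ("10.0.0.9", bytes.fromhex("0003 0000 0009 01 10 0010 0001 02 1234")),    # write multiple registers
]

if __name__ == "__main__":
    for alert in flag_writes(SAMPLE, allowed_writers={"10.0.0.5"}):
        print("ALERT: unexpected Modbus write", alert)
```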
## Microsoft Analysis and Additional OSINT Context
The cybersecurity landscape for OT environments is increasingly dangerous, with a rise in ICS-centric malware like FrostyGoop and a growing number of OT and IoT devices exposed to the internet. Adversaries, including nation-state actors, ransomware groups, and hacktivists, are leveraging these vulnerabilities to target critical infrastructure sectors such as energy, transportation, and healthcare. The convergence of IT and OT networks introduces additional risks, as attackers exploit traditional IT entry points to access OT systems.
Russia has been aggressively targeting Ukrainian critical infrastructure with both cyberattacks and missiles. For example, in April, Ukraine's computer emergency response team (CERT-UA) reported that [Seashell Blizzard had targeted](https://therecord.media/frostygoop-malware-ukraine-heat) nearly 20 energy facilities in Ukraine that spring, potentially to amplify the impact of intense Russian missile and drone strikes on critical infrastructure.
Additionally, in May 2024, CISA issued a joint statement highlighting ongoing [pro-Russia hacktivist activity targeting ICS and small-scale OT systems](https://www.cisa.gov/resources-tools/resources/defending-ot-operations-against-ongoing-pro-russia-hacktivist-activity) across North American and European critical infrastructure sectors, including Water and Wastewater Systems, Dams, Energy, and Food and Agriculture. While these attacks often rely on unsophisticated techniques that create nuisance effects, investigations reveal that such actors are capable of leveraging more advanced methods to exploit insecure and misconfigured OT environments, potentially causing physical harm.
## Detections/Hunting Queries
### Microsoft Defender Antivirus
Microsoft Defender Antivirus detects threat components as the following malware:
- Trojan:Win32/FrostyGoop
## References
[FrostyGoop's Zoom-In: A Closer Look into the Malware Artifacts, Behaviors and Network Communications](https://unit42.paloaltonetworks.com/frostygoop-malware-analysis/) Palo Alto Unit 42 (accessed 2024-11-19)
## Copyright
**© Microsoft 2024**. All rights reserved. Reproduction or distribution of the content of this site, or any part thereof, without written permission of Microsoft is prohibited.
|
Notes |
★★
|
Sent |
Yes |
Tags |
Ransomware
Malware
Vulnerability
Threat
Industrial
Medical
|