New IOcontrol Malware Used in Critical Infrastructure Attacks

Summary:
IOCONTROL is a custom-built IoT/OT malware linked to Iranian state-sponsored threat actors, specifically the CyberAv3ngers group. It targets critical infrastructure in Israel and the United States, including routers, IP cameras, firewalls, PLCs, HMIs, and fuel management systems such as Orpak and Gasboy devices. Designed to exploit embedded Linux-based systems, the malware adapts to various platforms through its modular framework and has impacted devices from vendors like Baicells, D-Link, Hikvision, and Phoenix Contact.

The malware establishes persistence by installing startup scripts and communicates with its command-and-control (C2) servers over the MQTT protocol, resolving them through DNS over HTTPS (DoH) so that the lookups are encrypted and hard to spot, which makes it highly evasive. Its supported commands include system information reporting, arbitrary OS command execution, port scanning, and self-deletion. IOCONTROL encrypts its configuration with AES-256-CBC, deriving the key from a GUID to hinder analysis. Additionally, it employs stealth mechanisms such as modified UPX packing and disguised network traffic to avoid detection.
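The DoH-then-MQTT pattern described above is something a defender can hunt for in flow telemetry. The following Python is an added example for this page, not code from Claroty or from the original post: it parses a constructed key=value flow log and flags hosts that open an MQTT connection shortly after contacting a public DoH resolver without an intervening plaintext DNS query. The resolver addresses, the MQTT ports (1883/8883) and the 300-second window are assumptions, since the page names none of them; tune them to the environment's baseline.

```python
"""Added example: hunt for MQTT sessions that follow DNS-over-HTTPS lookups.

Heuristic only. An embedded device (camera, PLC, router) that never uses
plaintext DNS but suddenly talks HTTPS to a public DoH resolver and then
opens an MQTT session to an address it never resolved in the clear matches
the C2 behaviour described in the summary.
"""

# Constructed sample flow log in key=value form; not real telemetry.
SAMPLE_LOG = """\
ts=1000 src=10.0.0.5 dst=1.1.1.1 dport=443 proto=tcp
ts=1003 src=10.0.0.5 dst=203.0.113.10 dport=8883 proto=tcp
ts=1010 src=10.0.0.7 dst=10.0.0.1 dport=53 proto=udp
ts=1011 src=10.0.0.7 dst=203.0.113.20 dport=8883 proto=tcp
ts=1020 src=10.0.0.9 dst=8.8.8.8 dport=443 proto=tcp
ts=1500 src=10.0.0.9 dst=203.0.113.30 dport=1883 proto=tcp
"""

# Assumptions (the page names none of these): well-known public DoH resolver
# addresses, the standard MQTT ports, and a correlation window in seconds.
DOH_RESOLVERS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9"}
MQTT_PORTS = {1883, 8883}
WINDOW_SECONDS = 300


def parse_flows(text):
    """Parse 'k=v k=v ...' lines into dicts, sorted by timestamp."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        kv = dict(field.split("=", 1) for field in line.split())
        flows.append({
            "ts": int(kv["ts"]),
            "src": kv["src"],
            "dst": kv["dst"],
            "dport": int(kv["dport"]),
            "proto": kv["proto"],
        })
    return sorted(flows, key=lambda f: f["ts"])


def find_doh_then_mqtt(flows, window=WINDOW_SECONDS):
    """Return alerts for MQTT connects within `window` seconds of a DoH contact.

    A plaintext DNS query from the same host after the DoH contact weakens the
    signal (the MQTT destination may have been resolved normally), so it
    suppresses the alert.
    """
    last_doh = {}        # src -> ts of most recent DoH resolver contact
    last_plain_dns = {}  # src -> ts of most recent UDP/TCP 53 query
    alerts = []
    for f in flows:
        src, dport = f["src"], f["dport"]
        if dport == 53:
            last_plain_dns[src] = f["ts"]
        elif dport == 443 and f["dst"] in DOH_RESOLVERS:
            last_doh[src] = f["ts"]
        elif dport in MQTT_PORTS and f["proto"] == "tcp":
            doh_ts = last_doh.get(src)
            if doh_ts is None or f["ts"] - doh_ts > window:
                continue
            if last_plain_dns.get(src, -1) > doh_ts:
                continue
            alerts.append({
                "ts": f["ts"],
                "src": src,
                "dst": f["dst"],
                "dport": dport,
                "doh_gap_seconds": f["ts"] - doh_ts,
            })
    return alerts


if __name__ == "__main__":
    for alert in find_doh_then_mqtt(parse_flows(SAMPLE_LOG)):
        print("suspicious DoH->MQTT sequence:", alert)
```

On the constructed log only 10.0.0.5 is flagged: 10.0.0.7 resolved its broker over plaintext DNS and never touched a DoH resolver, and 10.0.0.9's MQTT connect falls outside the window. Widening the window brings 10.0.0.9 into scope, which is the usual trade-off between missed sequences and noise on networks where DoH is legitimately in use.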

Security Officer Comments:
The malware has been used to compromise over 200 gas stations and water treatment facilities, disrupting critical services and emphasizing its role in broader geopolitical conflicts between Israel and Iran. Public claims of these attacks have been shared on Telegram, with the U.S. Treasury imposing sanctions on officials linked to the CyberAv3ngers. Campaigns involving IOCONTROL have spanned from late 2023 to mid-2024, with renewed activity observed in the summer of 2024.

Suggested Corrections:
IOCs:
https://claroty.com/team82/research/inside-a-new-ot-iot-cyber-weapon-iocontrol

Link(s):
https://www.bleepingcomputer.com/ne...ware-used-in-critical-infrastructure-attacks/

https://claroty.com/team82/research/inside-a-new-ot-iot-cyber-weapon-iocontrol