Industrial Control Systems (ICS) are getting infected by threat actors with password "cracking" tools for compromising programmable logic controllers(PLC) in order to develop a botnet.

The password recovery tools, which have been promoted on a number of social media channels, claim to be able to unlock PLC and HMI (human-machine interface) terminals made by Automation Direct, Omron, Siemens, Fuji Electric, Mitsubishi, LG, Vigor, Pro-Face, Allen Bradley, Weintek, ABB, and Panasonic.

Researchers from the industrial cybersecurity firm Dragos reviewed an event exploiting DirectLogic PLCs from Automation Direct and determined that the "cracking" software exploited a known vulnerability in the device to extract the password.

However, Sality, a piece of malware that generates a peer-to-peer botnet for various tasks that benefit from distributed computer power, was also secretly deployed by the tool (e.g., password cracking, cryptocurrency mining).

Researchers at Dragos determined that the malicious program's exploit was limited to serial-only interactions. However, scientists also discovered a technique to duplicate it across Ethernet, heightening its severity.

After reviewing the product including Sality, Dragos notified Automation Direct of the vulnerability, and the vendor subsequently provided the necessary litigation.

But because the threat actor's campaign is still active, administrators of PLC from other vendors should be mindful of the dangers of utilizing password-cracking tools in ICS setups.

Regardless of the justification for their use, operational technology engineers should avoid password cracking tools, particularly if their origin is unknown.

If you need to recover a password (either because you lost it or because the person who had it is no longer your colleague), Dragos suggests contacting them or the device manufacturer for instructions and support.

Sality is an ancient piece of malware that continues to evolve with new capabilities that enable it to terminate processes, open connections to distant sites, download more payloads, and steal data from the host.

Additionally, the malware can inject itself into ongoing processes and exploit the Windows autorun feature to replicate itself onto network shares, external disks, and removable storage devices that could transport it to other systems.

The sample examined by Dragos appears to be focused on cryptocurrency theft. According to the researchers, the malware introduced a payload that hijacked cryptocurrency transactions using the contents of the clipboard.

However, an expert attacker may use this entry point to interrupt operations and do more severe damage.

In this instance, the victim became suspicious after executing the malicious software, as the CPU utilization rate increased to 100 percent and Windows Defender sent repeated threat alerts.