Dragos: New ICS malware FrostyGoop abuses Modbus

Cybersecurity vendor Dragos on Tuesday unveiled FrostyGoop, an industrial control system-specific malware that caN disrupting critical infrastructure targets across multiple sectors.

Dragos, which discovered the malware in April, said FrostyGoop was the ninth malware USING industrial control systems (ICS) it has tracked. More importantly, FrostyGoop is the first that achieves impact on operational technology (OT) via Modbus, a standard ICS client/server communication protocol used in industrial technology. Dragos researchers said in a research blog post that the ICS malware can affect legacy and modern Window systems as well as that its "ability to communicate with ICS devices via Modbus TCP threatens critical infrastructure across multiple sectors."

The research provided one example regarding an attack inflicted on a Ukrainian energy company.

"The Cyber Security Situation Center (CSSC), a part of the Security Service of Ukraine (Служба безпеки України), shared details with Dragos of a cyber-attack that took place in January 2024. During the late evening on 22 January 2024, through 23 January, adversaries conducted a disruption attack against a municipal district energy company in Lviv, Ukraine," the research blog read. "At the time of the attack, this facility fed over 600 apartment buildings in the Lviv metropolitan area, supplying customers with central heating. Remediation of the incident took almost two days, during which time the civilian population had to endure sub-zero temperatures."

Although the attack seemingly exploited an undetermined vulnerability targeting MikroTik routers, Dragos assessed that FrostyGoop was also utilized in the attack.

While Dragos did not attribute FrostyGoop to a specific threat group or nation, Ukraine was invaded by Russia in early 2022 and has been engaged in an ongoing military conflict with the country since that time. As part of the conflict, Russian nation-state threat groups have launched several cyberattacks against Ukraine's critical infrastructure.

The FrostyGoop malware uses the Modbus protocol to read and write to a target ICS device, granting attackers the ability to disrupt infected installations. FrostyGoop "accepts optional command line execution arguments, uses separate configuration files to specify target IP addresses and Modbus commands, and logs output to a console and/or a JSON file." Researchers said antivirus vendors do not detect FrostyGoop as malware.

"At the time of discovery, Dragos assessed with low confidence that the FrostyGoop ICS malware discovered was used for testing purposes. However, this assessment changed when an attack was confirmed," the report read. "Dragos discovered an associated configuration file containing multiple Modbus commands to read data from a target ICS device and an IP address belonging to an ENCO control device. Dragos assessed with moderate confidence that FrostyGoop can impact other devices communicating over Modbus TCP; the malware's functionality is not specific to ENCO control devices."

According to Dragos' research, the ICS malware does not exploit a specific vulnerability in Modbus and merely abuses the protocol for malicious purposes. Further technical details are available in the blog post.

In a press briefing last week, Mark Graham, principal adversary hunter technical director at Dragos, said there has been a "huge uptick" in adversary-developed OT exploits in the last five years. He added that "With that movement to working from home, we see a lot more OT environments directly accessible via the open internet."

Phil Tonkin, Dragos field CTO, said during the call that one of the largest challenges surrounding malware like FroostyGoop is how prolific Modbus is in OT.

"When we look at this capability, it's not really surprising that [Modbus is] finally being weaponized. The idea of using the Modbus protocol, its simplicity and its pervasiveness across multiple industries has been well known for some time," Tonkin said. "But one of the big challenges that industry has right now is that lack of visibility. Many industries use this protocol still just due to its robustness. It doesn't matter how many different vendors you work with. The fact that it is so common means it's highly likely to be compatible from one system to the next, regardless of how many different vendors you operate your network with."

Dragos said its OT Watch platform has been updated to detect FrostyGoop-related indicators of compromise. The company also recommended that organizations monitor their ICS and OT systems for unauthorized access or unusual Modbus traffic patterns over Port 502.

Alexander Culafi is a senior information security news writer and podcast host for TechTarget Editorial.