The Sality botnet is one of the oldest botnets in the cybercriminal landscape. However, despite its age, Sality has stood the test of time and continued to upgrade its capabilities to conduct more malicious activities.
In its most recent version, the Sality botnet has been discovered targeting Industrial Control Systems (ICS), which the botnet has been unable to do in its previous iteration. Based on reports, a malicious threat actor is compromising the ICS to develop a botnet through password cracking software for Programmable Logic Controllers.
The Programmable Logic Controllers (PLC) is a cracked password recovery software advertised by several entities on social media platforms and forums. In these platforms, that software endorses an ability to unblock the HMI and PLC terminals from over a dozen electronics manufacturing firms such as Fuji Electric, Mitsubishi, LG, Omron, Siemens, and much more.
As these abilities are advertised online, industrial operators and engineers are also baited into executing the malicious software that assures its targets to recover lost passwords in plain text form.
Unfortunately, a cybersecurity researcher claimed that the cracked software exploits a well-known flaw in the cybersecurity industry. This vulnerability is tracked by researchers and coded as CVE-2022-2003. This flaw allows its operators to deploy the Sality botnet on an infected device.
Sality botnet can now provide remote access to its operators.
If a user that operates an infected system executes the software, the Sality botnet will join a P2P network. Moreover, the botnet could enable its operators’ remote access to the affected system.
The main objective of Sality is to cause hindrance in computing tasks and mine cryptocurrency funds. Furthermore, the botnet employs various evasion tactics and elusively hijacks the content in the cryptocurrency wallet addresses from the clipboard. This strategy could potentially steal the user’s funds.
According to security experts, the current campaign is still operational, and admins of PLC systems from impacted vendors should be wary of the dangers of using password recovery software in the ICS landscape.
It is heavily advised that users should avoid downloading software from unknown or third-party sources since most of the offered products on these platforms have a high chance of being malicious.