Forescout identified a new type of malware capable of terminating engineering processes, used to target Siemens engineering workstations
Analysis Summary
# Tool/Technique: Ramnit Worm
## Overview
Ramnit is modular malware that originally emerged as a banking trojan designed to steal credentials. It has since evolved to download plugins from a Command and Control (C2) server and can propagate through infected physical devices (such as USB drives) or compromised networks. Recent analysis shows clusters of Ramnit targeting Mitsubishi industrial engineering workstations.
## Technical Details
- Type: Malware family (Worm/Trojan)
- Platform: Windows (Inferred from its history and from its targeting of the conventional operating systems used in ICS environments)
- Capabilities: Credential theft, modular functionality, plugin downloading, propagation via physical media and networks.
- First Seen: 2010
## MITRE ATT&CK Mapping
Since the summary focuses on Ramnit's propagation and its potential modification of legitimate files, the following mappings are broadly applicable based on its history:
- T1071 - Application Layer Protocol
  - T1071.001 - Web Protocols (Likely used for C2 communication)
- T1566 - Phishing/Initial Access
  - T1566.001 - Spearphishing Attachment (If used for initial deployment)
- T1027 - Obfuscated Files or Information
  - T1027.002 - Windows Binary Executable (Likely modifying legitimate executables)
## Functionality
### Core Capabilities
- Stealing credentials.
- Modular design allowing for expanded functionality via downloaded plugins.
- Propagation mechanism via infected physical storage devices (e.g., USB drives).
### Advanced Features
- Potential ability to modify legitimate Windows executables by adding malicious code, which was observed in relation to OT software infections since 2021.
## Indicators of Compromise
- File Hashes: [Not provided in the context]
- File Names: [Not provided in the context]
- Registry Keys: [Not provided in the context]
- Network Indicators: [C2 infrastructure details not specified for this cluster]
- Behavioral Indicators: Infection vector possibly involving modification of legitimate Windows executables on engineering workstations.
## Associated Threat Actors
- [Not explicitly named in relation to Ramnit targeting ICS in this context, though historically associated with various financially motivated groups.]
## Detection Methods
- Signature-based detection (Known Ramnit signatures).
- Behavioral detection targeting file modification of legitimate system executables.
- Detection based on known network call-backs associated with Ramnit C2 traffic.
## Mitigation Strategies
- Implement network segmentation to isolate IT and OT devices.
- Ensure endpoint protection solutions are enabled, up-to-date, and monitoring for file modifications.
- Restrict use of unauthorized physical media on engineering workstations.
## Related Tools/Techniques
- Other network worms or malware capable of lateral movement via IT compromise.
***
# Tool/Technique: Chaya\_003
## Overview
Chaya\_003 is a new, experimental malware cluster identified targeting Siemens engineering workstations. Its key destructive capability is the termination of specific engineering processes, suggesting a focus on disrupting critical industrial operations. The malware utilizes legitimate services, like Discord webhooks, for command and control.
## Technical Details
- Type: Malware family (Experimental/Targeted Cyberattack Tool)
- Platform: Windows (Inferred, targeting Windows-based engineering workstations)
- Capabilities: System process enumeration and termination, C2 communication via Discord webhooks, system reconnaissance.
- First Seen: August to November 2024 (Cluster activity observed in this period)
## MITRE ATT&CK Mapping
- T1059 - Command and Scripting Interpreter
  - T1059.003 - Windows Command Shell (Likely used for process management)
- T1082 - System Information Discovery
  - T1082.001 - System or Domain Discovery (Part of reconnaissance)
- T1053 - Scheduled Task/Job
  - T1053.005 - Scheduled Task (Likely used for persistence if actively maintained)
- T1070.004 - File Deletion (Implied disruption)
## Functionality
### Core Capabilities
- Enumerates all running system processes.
- Compares process executable file names against a predefined internal list.
- Terminates matched engineering or system processes.
### Advanced Features
- Command and Control (C2) infrastructure leverages Discord webhooks, which makes the traffic harder to distinguish from legitimate use of the service.
- Demonstrates "clear evolutionary patterns," indicating active refinement and potential for broader deployment affecting Siemens ICS software.
- Masquerading observed using file names like "Isass.exe" and "elsass.exe" to mimic legitimate processes (e.g., LSASS).
## Indicators of Compromise
- File Hashes: [Not provided in the context]
- File Names: "Isass.exe," "elsass.exe" (as examples of masquerading files).
- Registry Keys: [Not provided in the context]
- Network Indicators: C2 communication using Discord webhooks (URLs would need external research).
- Behavioral Indicators: Rapid enumeration and termination of specific processes matching a hardcoded process-name list; network connections to known Discord infrastructure for C2.
## Associated Threat Actors
- [Under investigation/New cluster identified by Forescout; actors not yet publicly attributed.]
## Detection Methods
- Behavioral detection focusing on rapid process enumeration followed by termination of critical engineering processes.
- Network monitoring detecting unusual outbound traffic patterns directed toward Discord APIs/webhooks originating from engineering workstations.
- YARA rules targeting unique byte sequences or strings within the binary, especially the configured process termination list.
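As an added illustration of the first detection method above (this is example code, not from the Forescout report): a small Python detector over constructed records laid out like Sysmon Event ID 10 (ProcessAccess) that flags a source image opening PROCESS_TERMINATE handles to several distinct processes within a short window, and marks whether that source is a one-character lookalike of lsass.exe such as the names listed above. The event layout, paths, host details and engineering process names are assumptions.

```python
import ntpath
from collections import defaultdict
from datetime import datetime, timedelta

PROCESS_TERMINATE = 0x0001  # access-right bit to look for in GrantedAccess
MALICIOUS_IMAGE = r"C:\Users\eng\AppData\Local\Temp\Isass.exe"  # constructed, capital I

# Constructed telemetry modelled on Sysmon Event ID 10 fields:
# (UtcTime, SourceImage, TargetImage, GrantedAccess). Paths and times are made up.
SAMPLE_EVENTS = [
    ("2024-11-05 09:12:01", MALICIOUS_IMAGE, r"C:\Program Files\Siemens\Automation\Portal V17\bin\Siemens.Automation.Portal.exe", "0x1"),
    ("2024-11-05 09:12:01", MALICIOUS_IMAGE, r"C:\Program Files\Siemens\WinCC\bin\CCProjectMgr.exe", "0x1001"),
    ("2024-11-05 09:12:02", MALICIOUS_IMAGE, r"C:\Program Files\Siemens\Step7\S7bin\s7tgtopx.exe", "0x1"),
    ("2024-11-05 09:30:00", r"C:\Windows\System32\Taskmgr.exe", r"C:\Windows\System32\notepad.exe", "0x1"),  # single admin kill
    ("2024-11-05 09:31:00", r"C:\Windows\System32\lsass.exe", r"C:\Windows\System32\svchost.exe", "0x1000"),  # query only
]

def edit_distance(a, b):
    """Levenshtein distance; file names are short, so the plain DP is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lsass_lookalike(image_path):
    """True for names one edit away from lsass.exe (Isass.exe, elsass.exe); real lsass.exe is 0."""
    return edit_distance(ntpath.basename(image_path).lower(), "lsass.exe") == 1

def detect_termination_bursts(events, window_s=10, min_targets=3):
    """Flag a source image that opens PROCESS_TERMINATE handles to >= min_targets distinct processes within window_s seconds."""
    by_source = defaultdict(list)
    for ts, src, dst, access in events:
        if int(access, 16) & PROCESS_TERMINATE:
            by_source[src].append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), dst))
    hits = []
    for src, opens in by_source.items():
        opens.sort()
        for i, (t0, _) in enumerate(opens):
            targets = {d for t, d in opens[i:] if t - t0 <= timedelta(seconds=window_s)}
            if len(targets) >= min_targets:
                hits.append({"source": src, "targets": sorted(targets),
                             "lsass_lookalike": is_lsass_lookalike(src)})
                break  # one alert per source image
    return hits

if __name__ == "__main__":
    for hit in detect_termination_bursts(SAMPLE_EVENTS):
        print(hit)
```

Tune window_s and min_targets to the engineering software on the host; the lookalike flag is a prioritisation signal, not a verdict.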
## Mitigation Strategies
- Strict network segmentation to isolate engineering workstations from less secure internal/external networks.
- Limit direct internet exposure for all OT/ICS assets, including engineering workstations.
- Implement robust endpoint protection that monitors and alerts on process termination activity, especially when paired with reconnaissance behaviors.
## Related Tools/Techniques
- Other ICS-focused malware that prioritizes process disruption (e.g., TRITON/TRISIS).
***
# Technique: Use of Legitimate Services for C2 (Discord Webhooks)
## Overview
This technique uses legitimate, trusted third-party services (here, Discord webhooks) as the communication backbone for a threat actor's Command and Control (C2) infrastructure. It significantly raises the bar for detection because the malicious traffic blends in with high volumes of benign organizational or consumer traffic.
## Technical Details
- Type: Technique (C2 Infrastructure Strategy)
- Platform: Cross-Platform (Relevant to any system communicating over HTTP/S)
- Capabilities: Exfiltrating data, receiving commands without directly connecting to a dedicated C2 server.
- First Seen: N/A (The technique is widely used, but its application here is specific to Chaya\_003).
## MITRE ATT&CK Mapping
- T1071 - Application Layer Protocol
  - T1071.001 - Web Protocols (Discord uses standard web traffic mechanisms)
- T1090 - Proxy
  - T1090.003 - Domain Fronting (While Discord isn't strictly domain fronting, using its infrastructure achieves similar concealment)
## Functionality
### Core Capabilities
- Establishing covert inbound and outbound communication channels.
- Bypassing traditional perimeter defenses that block suspicious or unknown external IPs/domains, as Discord is typically whitelisted.
### Advanced Features
- Discord webhooks allow for simple, two-way communication management using readily available platform features, reducing custom infrastructure cost and complexity for the attacker.
## Indicators of Compromise
- File Hashes: [N/A]
- File Names: [N/A]
- Registry Keys: [N/A]
- Network Indicators: Outbound connections to known Discord IP ranges or API endpoints originating from compromised hosts that are unusual in volume or context (e.g., connections from an engineering workstation).
- Behavioral Indicators: Processes attempting to interact with Discord libraries or making HTTP POST requests structured specifically for webhook payloads.
## Associated Threat Actors
- Threat actors deploying Chaya\_003.
- Generally adopted by various groups targeting organizations where Discord usage is high.
## Detection Methods
- Behavioral analysis focused on application behavior rather than just network signatures (e.g., monitoring which executables are making web requests to specific platform APIs).
- Network flow monitoring looking for sessions matching the expected payload structure of Discord webhooks.
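Added example (not from the report) of the application-behaviour and flow-monitoring detections described above: a Python pass over constructed proxy log lines that flags HTTP POSTs to Discord webhook endpoints and ranks each alert by whether the source is an engineering workstation and whether the user agent is something other than a browser or the Discord client. The log format, host names and asset inventory are assumptions; the URL pattern is Discord's documented discord.com/api/webhooks/<id>/<token> shape.

```python
import re

# Discord webhook endpoint: discord.com or discordapp.com, optional API version prefix.
WEBHOOK_RE = re.compile(
    r"https?://(?:[\w-]+\.)?discord(?:app)?\.com/api/(?:v\d+/)?webhooks/(\d+)/([\w-]+)", re.I)
# Assumed asset inventory of engineering workstations, and the user agents expected
# from a browser or the Discord desktop client (both constructed for this example).
ENGINEERING_HOSTS = {"ews-tia-01", "ews-tia-02", "ews-wincc-01"}
BROWSER_UA_RE = re.compile(r"^(Mozilla/|Discord/)", re.I)
# Constructed proxy log: time src_host method url "user-agent" (not a real product format).
SAMPLE_LOG = """\
2024-11-05T09:12:03Z ews-tia-01 POST https://discord.com/api/webhooks/1234567890/abcDEF-ghi_JKL "python-requests/2.31"
2024-11-05T09:12:04Z ews-tia-01 POST https://discord.com/api/webhooks/1234567890/abcDEF-ghi_JKL "python-requests/2.31"
2024-11-05T10:01:00Z hr-laptop-07 GET https://discord.com/api/v9/users/@me "Discord/1.0.9"
2024-11-05T10:02:00Z hr-laptop-07 POST https://discordapp.com/api/v9/webhooks/555/tok_en-x "Mozilla/5.0"
2024-11-05T10:05:00Z ews-wincc-01 GET https://support.industry.siemens.com/cs/ "Mozilla/5.0"
"""
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')

def find_webhook_c2(log_text):
    """One alert per (host, webhook id) for webhook POSTs. 'reasons' records why the
    alert matters: source is an engineering workstation, or the user agent is not a
    browser/Discord client. Webhook tokens are secrets, so only a prefix is kept."""
    alerts = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        _ts, host, method, url, ua = m.groups()
        wh = WEBHOOK_RE.search(url)
        if method.upper() != "POST" or not wh:
            continue
        wh_id, token = wh.groups()
        a = alerts.setdefault((host, wh_id), {"host": host, "webhook_id": wh_id,
                              "token_prefix": token[:4] + "...", "posts": 0, "reasons": set()})
        a["posts"] += 1
        if host in ENGINEERING_HOSTS:
            a["reasons"].add("engineering_workstation")
        if not BROWSER_UA_RE.match(ua):
            a["reasons"].add("non_browser_user_agent")
    # Highest-risk alerts (most reasons) first.
    return sorted(alerts.values(), key=lambda a: -len(a["reasons"]))

if __name__ == "__main__":
    for alert in find_webhook_c2(SAMPLE_LOG):
        print(alert)
```

The hr-laptop alert comes out with no reasons and is informational; the engineering-workstation alert with a non-browser user agent is the one that matches the behaviour described for Chaya\_003.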
## Mitigation Strategies
- Implement strict egress filtering, allowing only necessary, pre-approved ports and destinations.
- Thoroughly inspect protocol tunneling, even over allowed ports (like 443), for deviations from expected application behavior.
## Related Tools/Techniques
- Using services like Pastebin, GitHub Gists, Slack, or Telegram for similar C2 purposes.