New IronGate malware targets industrial systems and resembles Stuxnet
Security firm FireEye has discovered a new breed of malware targeting industrial control systems. The company has named this variant IronGate and assumes that it is a test case or research project.
Also, the malicious software is said to have some similarities with the Stuxnet worm, which was developed to penetrate the Iranian uranium enrichment plant at Natanz. However, IronGate is not nearly as advanced as Stuxnet when it comes to complexity and distribution capabilities, according to FireEye.
FireEye bases its conclusion that this is a test object or research project on, among other things, Siemens's statement that the malware is not a threat to operational SCADA systems and does not make use of existing vulnerabilities. The malware's code is also very similar to code from a blog post about Siemens equipment.
The similarities with Stuxnet include the ability to falsify data passing between the monitoring software and a PLC via a man-in-the-middle attack, which the malware achieves by replacing a DLL file with a malicious version. In addition, the malware is able to detect sandbox environments such as virtual machines. This makes it more difficult for researchers to analyze the malware in such environments and reduces the chance of detection, according to FireEye.
The company found the malware in the second half of 2015 on the VirusTotal site, which combines detection methods from different security products. At the time, employees were looking for software that was compiled with PyInstaller, which is common with malware. They saw that the code had been sent to VirusTotal by two different parties in 2014, but it had not been detected.
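The hunt for PyInstaller-compiled files described above can be approximated by looking for the CArchive trailer that PyInstaller appends to an executable. The following is an added example, not FireEye's tooling or code from the article; the function names and the sample bytes are constructed for illustration, and the trailer layout assumed is the 88-byte cookie (magic, package length, TOC offset, TOC length, Python version, library name).

```python
import struct

# Magic bytes that open the CArchive trailer ("cookie") of a PyInstaller executable.
MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
# Assumed layout: magic, package length, TOC offset, TOC length, pyver, lib name.
COOKIE = struct.Struct("!8sIIII64s")

def parse_pyinstaller_cookie(data, tail=4096):
    """Return trailer fields if `data` looks PyInstaller-packed, else None."""
    # The cookie sits at (or close to) the end of the file, so search only the tail.
    pos = data.rfind(MAGIC, max(0, len(data) - tail))
    if pos < 0 or pos + COOKIE.size > len(data):
        return None                      # no magic, or trailer truncated
    _, pkg_len, toc_off, toc_len, pyver, lib = COOKIE.unpack_from(data, pos)
    # The package length counts the cookie itself, so the archive starts here:
    archive_start = pos + COOKIE.size - pkg_len
    # Reject stray magic bytes: offsets must stay inside the file and the package.
    if archive_start < 0 or toc_off + toc_len > pkg_len - COOKIE.size:
        return None
    # Version is stored as 27 (2.7) or, for three-digit values, 310 (3.10).
    major, minor = divmod(pyver, 100) if pyver >= 100 else divmod(pyver, 10)
    return {
        "archive_start": archive_start,
        "toc_offset": archive_start + toc_off,   # absolute offset in the file
        "toc_length": toc_len,
        "python": "%d.%d" % (major, minor),
        "library": lib.rstrip(b"\0").decode("ascii", "replace"),
    }

def make_sample(pkg_len=None):
    """Constructed sample: fake loader stub + archive body + TOC + cookie."""
    stub = b"MZ" + b"\x90" * 200                 # stand-in for the bootloader
    body, toc = b"B" * 64, b"T" * 32             # placeholder archive contents
    real_len = len(body) + len(toc) + COOKIE.size
    cookie = COOKIE.pack(MAGIC, real_len if pkg_len is None else pkg_len,
                         len(body), len(toc), 27, b"python27.dll")
    return stub + body + toc + cookie

if __name__ == "__main__":
    print(parse_pyinstaller_cookie(make_sample()))
    print(parse_pyinstaller_cookie(b"MZ" + b"\x00" * 500))   # not packed
```

A hit only shows that a file was built with PyInstaller, which many legitimate tools are, so it narrows a hunt rather than labelling a sample.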