A newly identified malware strain dubbed \u201cIOCONTROL\u201d has emerged as a critical threat to operational technology (OT) and Internet of Things (IoT) systems, particularly targeting fuel-management infrastructure in the United States and Israel.<\/p>\n
First observed in December 2024, this Linux-based malware has been linked to the pro-Iranian hacktivist group Cyber Av3ngers, which has historically pursued anti-Israeli cyber campaigns.<\/p>\n
Initial attacks leveraged compromised credentials\u2014part of a broader 33% year-over-year surge in credential theft\u2014to infiltrate critical systems, enabling threat actors to establish persistent remote access, manipulate industrial processes, and exfiltrate sensitive operational data.<\/p>\n
Flashpoint analysts identified<\/a> IOCONTROL\u2019s modular architecture, which combines UPX-packed binaries, encrypted command-and-control (C2) communications, and surveillance capabilities tailored for resource-constrained IoT environments.<\/p>\n The malware primarily exploits vulnerabilities in internet-exposed industrial control systems (ICS), using the MQTT protocol\u2014a lightweight messaging standard common in IoT<\/a> ecosystems\u2014to bypass traditional network monitoring tools.<\/p>\n Its deployment in attacks against fuel distribution networks underscores escalating risks to critical infrastructure amid heightened geopolitical tensions in the Middle East.<\/p>\n IOCONTROL employs sophisticated evasion tactics, starting with a modified UPX packer that alters binary magic values to hinder static analysis.<\/p>\n While standard UPX utilities fail to unpack the malware due to these alterations, Flashpoint researchers demonstrated that restoring the magic bytes ( Once executed, the malware unpacks itself in memory and establishes persistence through a multi-stage process:-<\/p>\n This mechanism ensures continuous operation even if security tools interrupt initial execution.<\/p>\n IOCONTROL\u2019s blend of IoT-focused protocols and credential-based initial access vectors presents unique challenges for defenders.<\/p>\n Flashpoint\u2019s investigation revealed attempts by the malware\u2019s developer to sell it on underground forums like BreachForums, signaling potential proliferation across threat actor groups.<\/p>\n Organizations managing OT environments must prioritize firmware patching, network segmentation<\/a>, and anomaly detection for MQTT traffic to mitigate risks posed by this evolving threat.<\/p>\n The post New IOCONTROL Malware Attacking Critical Infrastructure to Gain Remote Access and Control<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nTechnical Overview and Persistence Mechanisms<\/strong><\/h2>\n
![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiqVUEG8GruI1BnmsWetSZqgwMC6xJ0bQDRQP9enZe24WuXooYqowT43P8gPixYQGeZmxUygnOv2Tj-8UWQOLNow0jRJVyHWzPWYb7Y6a6nNY11caIXUFhzjzTi4jRgznBPk0jHx9YQKP6XwkJ-A68v-CvYFg_WXKIgRFmsTc2PqrMaRZezxWibqnGYPxY\/s16000\/Modified%2520UPX%2520magic%2520value%2520%28Source%2520-%2520FlashPoint%29.webp?ssl=1\")
00 00 00 00 00 00 00 02 00 34 00 20 00 02 00 34<\/code>) enables successful decompression.<\/p>\n\n
\/tmp\/iocontrol\/<\/code> and \/etc\/rc3.d<\/code>\u2014with full read, write, and execute permissions. These serve as operational hubs for staging payloads and maintaining persistence<\/a> across reboots.<\/li>\n\/etc\/rc3.d\/S99iocontrol<\/code>, ensuring execution at system startup. The script includes watchdog functionality to restart the malware if terminated:<\/li>\n<\/ol>\n#!\/bin\/sh\n\/usr\/bin\/iocontrol >\/dev\/null 2>&1 &\nwhile true; do\n if ! pgrep -x \"iocontrol\" >\/dev\/null; then\n \/usr\/bin\/iocontrol >\/dev\/null 2>&1 &\n fi\n sleep 60\ndone<\/code><\/pre>\n\n
Answer[data]<\/code> field from the response. It then establishes an MQTT connection to the broker, transmitting beacon packets containing system metadata (kernel version, hostname, time zone) encrypted using AES-256-CBC. The encryption key derives from environment variables 0_0<\/code> and 0_1<\/code>, set during execution, which store hashed GUID values split into key and initialization vector (IV) components.<\/li>\n<\/ol>\nInvestigate Real-World Malicious Links & Phishing Attacks With\u00a0Threat Intelligence Lookup<\/strong>\u00a0-\u00a0Try for Free<\/a><\/code><\/strong><\/code><\/strong><\/p>\n