|Data Sources||Command: Command Execution, File: File Metadata, File: File Modification, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata|
|Asset||Human-Machine Interface, Control Server|
Adversaries may use masquerading to disguise a malicious application or executable as another file, to avoid operator and engineer suspicion. Possible disguises of these masquerading files can include commonly found programs, expected vendor executables and configuration files, and other commonplace application and naming conventions. By impersonating expected and vendor-relevant files and applications, operators and engineers may not notice the presence of the underlying malicious content and possibly end up running those masquerading as legitimate functions.
Applications and other files commonly found on Windows systems or in engineering workstations have been impersonated before. This can be as simple as renaming a file to effectively disguise it in the ICS environment.
- Sandworm Team transfers executable files as .txt. and then renames them to .exe, likely to avoid detection through extension tracking.1
- EKANS masquerades itself as a valid executable with the filename "update.exe". Many valid programs use the process name "update.exe" to perform background software updates.2
- Industroyer includes a launch component that loads DLLs and EXEs with filenames associated with common electric power sector protocols, including 101.dll, 104.dll, 61850.dll, OPCClientDemo.dll, OPC.exe, and 61850.exe.3
- REvil searches for whether the Ahnlab “autoup.exe” service is running on the target system and injects its payload into this existing process.4
- Stuxnet renames s7otbxdx.dll, a dll responsible for handling communications with a PLC. It replaces this dll file with its own version that allows it to intercept any calls that are made to access the PLC.5
- Triton's injector, inject.bin, masquerades as a standard compiled PowerPC program for the Tricon.6
- Triton was configured to masquerade as trilog.exe, which is the Triconex software for analyzing SIS logs.7
- Code Signing - Require signed binaries.
- Execution Prevention - Use tools that restrict program execution via application control by attributes other than file name for common system and application utilities.
- Restrict File and Directory Permissions - Use file system access controls to protect system and application folders.
- Dragos. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved October 14, 2019.
- Dragos Threat Intelligence. (2020, February 03). EKANS Ransomware and ICS Operations. Retrieved April 12, 2021.
- Anton Cherepanov, ESET. (2017, June 12). Win32/Industroyer: A new threat for industrial control systems. Retrieved September 15, 2017.
- Tom Fakterman. (2019, August 05). Sodinokibi: The Crown Prince of Ransomware. Retrieved April 12, 2021.
- Nicolas Falliere, Liam O Murchu, Eric Chien. (2011, February). W32.Stuxnet Dossier (Version 1.4). Retrieved September 22, 2017.
- DHS CISA. (2019, February 27). MAR-17-352-01 HatMan—Safety System Targeted Malware (Update B). Retrieved March 8, 2019.
- Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer. (2017, December 14). Attackers Deploy New ICS Attack Framework “TRITON” and Cause Operational Disruption to Critical Infrastructure. Retrieved January 12, 2018.