Air-Gapped ICS Systems Targeted by Sophisticated Malware

Researchers uncovered new worming second-stage tools used to locally exfiltrate data from air gapped ICS environments, putting threat actors one step away from transmission of the info to a C2.

Security teams in industrial control systems (ICS) environments are fighting a worm that gets past air-gapped defenses.
Researchers from Kaspersky ICS-CERT have been investigating cyberattacks against ICS and critical infrastructure in Eastern Europe, and uncovered a novel
second-stage malware
that gets around the typical data security that an air gapped system provides. The threat actors were trying to establish a permanent presence on the target networks for data exfiltration, the team said.
First, the attackers use known remote access and data collection tools to gain an initial foothold in
the ICS network
. Then, they deploy a sophisticated modular malware against the air-gapped
ICS networks
, which contaminates
removable storage drives
with a worm that exfiltrates targeted data. From there, they are just one step away from being able to transmit stolen data out of the environment.
The malware, designed explicitly to exfiltrate data from air-gapped systems by infecting removable drives, consist of at least three modules, each responsible for different tasks, such as profiling and handling removable drives, capturing screenshots, and planting second-step malware on newly connected drives,
the report says
.
The team also spotted another second-stage implant used in the attacks, which sends stolen data from a local computer to Dropbox, the Kaspersky team added.
The cyberattackers were able to evade detection by hiding encrypted payloads in their own binary file and using DLL hijacking to embed the malware in the memory of authorized apps, the researchers explained.
The threat actors deliberate efforts to obfuscate their actions through encrypted payloads, memory injections, and DLL hijacking [underscore] the sophistication of their tactics, Kirill Kruglov, senior security researcher at Kaspersky ICS CERT said about the new findings.
The final piece of the cyberattack chain required to pull off the full data exfiltration would be a third slate of tools that upload stolen data to the command and control server (C2). Kruglov added that Kasperkys team will continue to investigate.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Air-Gapped ICS Systems Targeted by Sophisticated Malware