New Malware Threatens Critical Engineering Processes In Industrial Control Systems
Forescout Research has identified a growing threat targeting engineering workstations in operational technology (OT) and industrial control systems (ICS).
In a Rush? Here are the Quick Facts!
- Malware such as Ramnit and Chaya_003 disrupts critical engineering processes in OT environments.
- Over 20% of OT incidents involve compromising engineering workstations, according to SANS Institute.
- Ramnit, originally built to steal banking credentials, now reaches OT environments by infecting engineering workstation software.
The analysis, released on Tuesday, highlights how malware targeting these workstations is becoming more common.
The research focused on malware samples found on VirusTotal. These included Mitsubishi engineering workstation software infected with the Ramnit worm, as well as a new, experimental malware known as Chaya_003 that terminates Siemens engineering processes.
OT-specific malware, although less prevalent than attacks on enterprise software or mobile operating systems, is a significant concern for security operators in industrial environments.
Engineering workstations, which play a central role in controlling and monitoring critical infrastructure, are prime targets for these types of attacks. A report by the SANS Institute identified engineering workstation compromise as a leading attack vector, responsible for over 20% of OT system incidents.
The analysis by Forescout focused on malware targeting engineering workstations, which run both traditional operating systems like Windows and specialized engineering software, such as Siemens TIA Portal and Mitsubishi GX Works.
The research found two main clusters of malware targeting these workstations. In one case, Mitsubishi GX Works executables were infected with the Ramnit worm in two separate incidents. The second involved three samples of a new malware variant, Chaya_003, which was specifically designed to terminate Siemens engineering processes.
Ramnit, a malware strain initially known for stealing banking credentials, has evolved into a broader, more sophisticated platform, and the infected GX Works executables show that it can reach OT systems. Forescout's findings confirm that Ramnit remains a persistent threat to OT networks.
Ramnit spreads by infecting executables, which can then travel on removable media such as USB drives or across poorly secured network shares. The specific vector for these two infections remains unclear, but the samples show that the malware continues to reach OT environments.
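Because Ramnit is a file infector, the engineering tool's own executables can become the carrier, and the practical check is whether those binaries still match what was installed. The following is an added example, not code from Forescout or from any vendor: it records SHA-256 digests of a tool's executables on a clean install and later reports files that were modified, removed, or added. The directory, file names and file contents are constructed stand-ins built in a temporary directory; a real deployment would point `build_manifest` at the installed engineering software and store the manifest off-host.

```python
"""Verify engineering-software executables against a known-good digest manifest.

Added example (not from the Forescout report). A file infector such as Ramnit
changes the bytes of an executable, so a manifest captured from a trusted
install exposes the modification. Paths and contents below are constructed.
"""
import hashlib
import tempfile
from pathlib import Path

CHECKED_SUFFIXES = (".exe", ".dll")


def sha256_of(path: Path) -> str:
    """Stream the file so large installers do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map relative path -> SHA-256 for every executable under root.

    Run this once against a clean installation from trusted media, then
    keep the result somewhere the workstation itself cannot rewrite.
    """
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix.lower() in CHECKED_SUFFIXES
    }


def verify(root: Path, manifest: dict) -> dict:
    """Compare the current tree against the manifest.

    'modified' is the file-infector signal; 'unexpected' catches dropped
    binaries; 'missing' catches tampering that removed a file outright.
    """
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "unexpected": sorted(k for k in current if k not in manifest),
    }


def demo() -> dict:
    """Constructed scenario: capture a manifest, then simulate an infection."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        # Hypothetical engineering-tool binaries (names and bytes are made up).
        (root / "engtool.exe").write_bytes(b"MZ" + b"\x00" * 64)
        (root / "engtool_helper.dll").write_bytes(b"MZ" + b"\x01" * 64)
        (root / "readme.txt").write_bytes(b"not checked")  # not an executable
        manifest = build_manifest(root)

        # Simulate a file infector appending code to the main executable
        # and dropping an extra binary next to it.
        with open(root / "engtool.exe", "ab") as f:
            f.write(b"\x90" * 16)
        (root / "dropped.exe").write_bytes(b"MZ" + b"\x02" * 8)

        return verify(root, manifest)


if __name__ == "__main__":
    print(demo())
```

The check only catches changes made after the manifest was captured, so the manifest must come from media you trust; if the installer itself was already infected (the scenario the article describes for the GX Works samples), compare against the vendor's published hashes or a manifest built on an isolated reference machine instead.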
Chaya_003, on the other hand, represents a new and evolving threat. The malware’s primary functionality includes terminating critical engineering processes. Its design suggests deliberate attempts to masquerade as legitimate system processes to avoid detection by security software.
Forescout says that the malware communicates with its command-and-control (C2) infrastructure through legitimate services, in this case Discord webhooks, so the traffic blends in with ordinary web activity and is harder to detect.
The research stresses the importance of securing engineering workstations to prevent these types of attacks. Recommendations include updating software regularly, implementing robust endpoint protection, and segmenting networks to limit access to critical systems.
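The webhook detail above gives a concrete detection to pair with the segmentation advice: an engineering workstation has no business posting to a chat service's webhook API, even though the same traffic from an office PC may be legitimate. The following is an added example, not Forescout's code or Discord's: it parses constructed proxy-log lines in a hypothetical `timestamp host method url status` format, applies a role-aware rule (only hosts in an assumed engineering-workstation inventory are flagged), and matches the Discord webhook URL pattern rather than the whole domain, so ordinary Discord client traffic is not confused with webhook C2.

```python
"""Flag Discord-webhook traffic originating from engineering workstations.

Added example (not from the Forescout report). The log format, host names
and inventory below are constructed; the webhook path shape
(/api/webhooks/<id>/<token>) is Discord's public webhook API layout.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Hypothetical asset inventory: hosts that run TIA Portal / GX Works.
ENGINEERING_WORKSTATIONS = {"EWS-TIA-01", "EWS-GXW-02"}

# Hosts that serve the Discord HTTP API.
DISCORD_HOSTS = {"discord.com", "discordapp.com"}

# Only the webhook endpoint is C2-relevant; /api/v9/users etc. is client chatter.
WEBHOOK_PATH = re.compile(r"^/api/(?:v\d+/)?webhooks/\d+/[A-Za-z0-9_-]+")

# Constructed proxy-log format: ts host method url status
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    host: str
    url: str
    reason: str


def parse_line(line: str):
    """Return the fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_discord_webhook(url: str) -> bool:
    """True only for a URL whose host is Discord and whose path is a webhook."""
    u = urlparse(url)
    host = (u.hostname or "").lower()
    return host in DISCORD_HOSTS and WEBHOOK_PATH.match(u.path) is not None


def detect(lines) -> list:
    """Run the role-aware rule over log lines; unparseable lines are skipped."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["host"] not in ENGINEERING_WORKSTATIONS:
            continue  # same traffic from an office PC is out of scope here
        if is_discord_webhook(rec["url"]):
            alerts.append(Alert(rec["ts"], rec["host"], rec["url"], "discord-webhook-from-ews"))
    return alerts


# Constructed sample log: two true hits, one office-PC webhook (ignored),
# one non-webhook Discord call from an EWS (ignored), one garbled line.
SAMPLE_LOG = [
    "2024-12-10T09:14:02Z EWS-TIA-01 POST https://discord.com/api/webhooks/1234567890/abcDEF_xyz-1 204",
    "2024-12-10T09:14:05Z HMI-03 GET https://vendor-update.example.com/tia/ 200",
    "2024-12-10T09:15:11Z EWS-GXW-02 POST https://discordapp.com/api/webhooks/99887766/tok_en-1 204",
    "2024-12-10T09:16:00Z MARKETING-PC-07 POST https://discord.com/api/webhooks/555/legit 204",
    "2024-12-10T09:17:30Z EWS-TIA-01 GET https://discord.com/api/v9/users/@me 200",
    "this line is not a log record",
]


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a.ts} {a.host} {a.reason} {a.url}")
```

In a segmented OT network the rule can be stricter still: if engineering workstations are not supposed to reach the internet at all, any successful outbound web request from them is the alert, and the webhook match becomes the triage detail rather than the trigger.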
The increasing sophistication of these attacks, driven by the availability of generative AI tools, highlights the need for proactive security measures in the OT sector.
The research by Forescout also warns that as malware targeting engineering processes becomes more accessible, the line between less skilled and more advanced attackers continues to blur, making it harder to distinguish between simple and highly sophisticated threats.