New malware attacks targeting industrial control systems (ICS) are capable of killing engineering processes, a Forescout analysis has found.
The researchers identified clusters of two types of malware attacks targeting Mitsubishi and Siemens engineering workstations and listed on the VirusTotal repository from August to November 2024.
These were the Ramnit worm targeting Mitsubishi workstations and a new experimental malware named Chaya_003 targeting Siemens workstations.
Chaya_003 demonstrated the capability to terminate engineering processes.
The researchers found that the attackers used legitimate services for command and control (C2), making threat detection challenging.
Engineering workstations are standard computers running traditional operating systems, such as Windows, alongside specialized engineering software provided by equipment manufacturers. This software is essential for commissioning and programming field devices such as programmable logic controller (PLCs) in operational technology (OT) and ICS environments.
Forescout cited recent research from the SANS Institute which found that engineering workstation compromise accounts for over 20% of OT/ICS system incidents, leading to this new analysis being made.
Malware Clusters Targeting Mitsubishi and Siemens
The researchers focused on two categories of artifacts uploaded to VirusTotal for their investigation: engineering software executable flagged as infected by malware detection tools and potentially malicious files designed to interact with engineering software.
Ramnit Targeting Mitsubishi Workstations
Forescout identified two Ramnit clusters infecting Mitsubishi workstations.
Ramnit first emerged in 2010 as a banking trojan designed to steal credentials, later evolving into a modular platform capable of downloading plugins from a C2 server.
The malware can propagate through infected physical devices, such as USB drives, or via networks compromised by poorly segmented IT systems.
The researchers were unable to confirm how the two Ramnit clusters infected the Mitsubishi engineering workstations. However, they believe the malware may have added malicious code to legitimate Windows executables, in line with other Ramnit infections on OT software observed since 2021.
Chaya_003 Targeting Siemens Workstations
The investigation uncovered three binaries representing three iterations of a malware cluster named Chaya_003.
The names of two of these binaries, “Isass.exe” and “elsass.exe”, suggest deliberate masquerading as legitimate system processes, likely intended to deceive users or bypass antivirus solutions.
Chaya_003’s C2 infrastructure leverages Discord webhooks and has capabilities for system reconnaissance and process disruption.
All samples implement functionality to enumerate system processes, retrieving information about each process and comparing the executable file name against a predefined list.
If a process matches an entry in this list, it is terminated.
The researchers observed “clear evolutionary patterns” in the analyzed samples, suggesting the malware is being refined and prepared for broader deployment.
Building Resiliency in Engineering Workstations
Forescout urged industrial organizations to take action to improve their security against attacks targeting engineering workstations. These include:
- Identify all workstations connected to your OT network and assess their software versions, open ports, credentials, and endpoint protection software
- Ensure all software is updated to the latest versions and make sure that endpoint protection solutions are enabled and up to date
- Avoid directly exposing engineering workstations to the internet
- Properly segment networks to isolate IT, IoT and OT devices
- Limit network connections to only authorized management and engineering workstations
- Deploy monitoring solutions that can detect malicious indicators, such as known IT malware