The Story of the PLC Password Cracking Malware
Check out the blog I wrote for Dragos here!

In early 2022, I was doing a vulnerability assessment targeting Automation Direct’s DirectLogic 06 Programmable Logic Controller (PLC) and C-More EA9 Human-Machine Interface (HMI) when I stumbled upon an interesting YouTube video demonstrating self-proclaimed PLC password “cracking” software, where an operator could pay an unknown actor for their software which, when run on a computer that is hooked up to the device, could retrieve its password.
I was immediately suspicious. Basic OSINT analysis indicated there was a large number of publicly available samples targeting a variety of industrial devices and vendors. So, I obtained a few samples and got to work reverse engineering them via static and dynamic binary analysis. This research project led to some interesting findings, and I wrote a blog for Dragos, which got picked up by a few technology-related sites.
This project yielded several intelligence products, some public, some private. Here are links to the public products:
- The Trojan Horse Malware & Password “Cracking” Ecosystem Targeting Industrial Operators
- Root Cause Analysis of Password “Cracking” Vulnerabilities Section, Dragos Year-in-Review 2022 (starts on p.37)
Check out my Public Research page to see more of my research.