In early 2022, I was doing a vulnerability assessment targeting Automation Direct's DirectLogic 06 Programmable Logic Controller (PLC) and C-More EA9 Human-Machine Interface (HMI) when I stumbled upon an interesting Youtube video demonstrating self-proclaimed PLC password "cracking" software where an operator could pay an unknown actor for their software which, when ran on a that is hooked up to the device, could retrieve it's password.

I was immediately suspicious. Basic OSINT analysis indicated there was a large number of publicly available samples targeting a variety of industrial devices and vendors. So, I obtained a few samples and got to work reverse engineering via static and dynamic binary analysis. This research project lead to some interesting findings and I wrote a blog for Dragos, which got picked up by a few technology-related sites, check them out:

• Dragos: The Trojan Horse Malware & Password “Cracking” Ecosystem Targeting Industrial Operators
• Ars Technica: Hackers are targeting industrial systems with malware
• Bleeping Computer: Password recovery tool infects industrial systems with Sality malware
• The Hacker News: Hackers Distributing Password Cracking Tool for PLCs and HMIs to Target Industrial Systems
• Security Week: PLC and HMI Password Cracking Tools Deliver Malware
• Industrial Cyber: Dragos details Trojan Horse malware, password cracking ecosystem affecting industrial operators
• Secure Blink: Salty malware used to infect ICS through password cracking tool
• HelpNet Security: Beware of password-cracking software for PLCs and HMIs!
• The Tech Outlook: Hackers targeting industrial PLCs with a new password cracking tool by remaining undetected

This research lead to a variety of CVEs as well. Check out my list of discovered vulnerabilities to see some public information on them.