Critical Infrastructure at Risk: FrostyGoop Exploits Modbus TCP

Researchers from Unit42 have uncovered a new strain of malware, FrostyGoop, targeting Industrial Control System (ICS) devices. This sophisticated malware exploits the Modbus TCP protocol to execute attacks on critical infrastructure, including facilities in Ukraine and Romania. Alarmingly, FrostyGoop is even capable of causing physical damage.

First detected in October 2023, FrostyGoop capitalizes on vulnerabilities in Telnet ports of ENCO devices and outdated TP-Link WR740N routers, rendering these systems particularly susceptible to compromise. Its primary objective is to gain access to devices and execute Modbus commands.

A distinctive feature of FrostyGoop lies in its use of a unique JSON configuration paired with the Goccy’s go-json library, simplifying the analysis of its operations. Researchers also identified an executable file named “go-encrypt.exe,” which encrypts JSON files using AES-CFB, likely an attempt by attackers to obfuscate sensitive data.

The malware heavily leverages Modbus TCP to communicate with devices via port 502. Malicious commands include reading and writing registers through function codes 3, 6, and 16, enabling attackers to control compromised systems with precision.

Experts emphasize that such attacks highlight critical vulnerabilities in outdated infrastructure and underscore the pressing need to bolster industrial system defenses. As IT and OT network integrations deepen, new attack vectors emerge, amplifying the threat posed by malware like FrostyGoop.

The incidents targeting critical infrastructure in Ukraine, Romania, and the United States underscore the gravity of this issue. Palo Alto Networks experts stress that safeguarding legacy systems is a cornerstone of robust cybersecurity measures.