OT/ICS Threat Awareness – FrostyGoop: New Indicators and a Closer Look

Author: Chase Snow

Created: Thursday, November 21, 2024 - 14:01

Categories: Cybersecurity, OT-ICS Security, Security Preparedness

Researchers at Unit 42’s Threat Research Center have uncovered new samples and indicators of compromise (IoCs) of FrostyGoop – the 9th reported industrial control system (ICS) malware that became publicly known in July this year. See WaterISAC’s previous analysis of FrostyGoop.

These new IoCs include configuration files and libraries used by the malware, as well as artifacts associated with an infection. Unit 42 also investigated network communications and has provided new insights based on open-source intelligence (OSINT) data. While FrostyGoop is the 9th known ICS malware, it is the first that uses Modbus TCP communications to achieve an impact on Operational Technology (OT).

As an increasing number of OT networks have been connected to IT networks, new avenues for cyberattacks with the potential to impact the physical world have opened up. This type of blended threat makes these kinds of malware particularly dangerous. The war in Ukraine and other world conflicts have been, and continue to be, a catalyst that drives these developments. A list of the new IoCs along with a deeper analysis of FrostyGoop can be found at Unit 42.

Additional Resources:

  • Impact of FrostyGoop ICS Malware on Connected OT Systems | Dragos
  • FrostyGoop: 2004 Is Calling, And Still Awaiting Calls To Replace Unauthenticated Protocols | Dale Peterson
  • Protect Against the FrostyGoop ICS Malware Threat with OT Cybersecurity Basics | Dragos
