{
	"id": "3ae9a85f-1fe7-44e6-87de-bc571408805e",
	"created_at": "2026-04-10T03:20:15.996426Z",
	"updated_at": "2026-04-10T03:22:16.526041Z",
	"deleted_at": null,
	"sha1_hash": "0a82d1de17d338fa636b15d0d2d499b06cb0f32a",
	"title": "The Trojan Horse Malware \u0026 Password “Cracking” Ecosystem Targeting Industrial Operators",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3856345,
	"plain_text": "The Trojan Horse Malware \u0026 Password “Cracking” Ecosystem\r\nTargeting Industrial Operators\r\nBy Sam Hanson\r\nPublished: 2022-07-14 · Archived: 2026-04-10 02:10:21 UTC\r\nThe internet brings endless possibilities for scammers and cyber criminals to make money illegitimately. The\r\nusual suspects – ransomware, business email compromise, internet fraud, and phishing are well known to the\r\ninformation security community. However, during a routine vulnerability assessment, Dragos researchers\r\nuncovered a smaller in scale technique targeting industrial engineers and operators.\r\nThe Story of Troy and the Password “Cracking” Trojan Horse\r\nMultiple accounts across a variety of social media websites are advertising Programmable Logic Controller\r\n(PLC), Human-Machine Interface (HMI), and project file password cracking software. Buyers can retrieve\r\nforgotten passwords by running an executable provided by the seller that targets a specific industrial system.\r\nAn advertisement like this raises the question, “Who would buy this?” Any information security professional\r\nwould caution against downloading and running software from an untrusted party. Take the following as an\r\nexample: an engineer named Troy just got promoted to senior engineer when his old colleague, Hector, retired\r\nafter serving 30 years at an electric utility. Troy needs to update some ladder logic Hector wrote on Automation\r\nDirect’s DirectLogic 06 PLC. After firing up the PLC programming software, DirectSOFT, a password prompt\r\npops up.\r\nTroy doesn’t know the password, and Hector left a few months ago and is now vacationing on a boat without\r\nservice indefinitely. Troy looks for answers online, and seeing an advertisement for PLC password cracking\r\nsoftware, decides to give it a go. Cassandra, Troy’s security-conscience coworker, warns against introducing this\r\nunnecessary risk into their OT environment. But Troy insists this is a time-sensitive task. He purchases the\r\nsoftware and runs it on his engineering workstation.\r\nTroy successfully recovers the PLC password, but a couple of minutes later he discovers the engineering\r\nworkstation system is acting strange.\r\nPassword Retrieval and a Sality Malware Infection\r\nTroy called in Dragos to reverse engineer the password “cracking” software and determined it did not crack the\r\npassword at all, rather, it exploited a vulnerability in the firmware which allowed it to retrieve the password on\r\ncommand. Further, the software was a malware dropper, infecting the machine with the Sality malware and\r\nturning the host into a peer in Sality’s peer-to-peer botnet.\r\nThe Exploit\r\nhttps://www.dragos.com/blog/the-trojan-horse-malware-password-cracking-ecosystem-targeting-industrial-operators/\r\nPage 1 of 8\n\nDragos researchers confirmed the password retrieval exploit embedded in the malware dropper successfully\r\nrecovers Automation Direct’s DirectLogic 06 PLC password over a serial connection. From a user’s perspective,\r\nthey simply need to have a connection from the Windows machine to the PLC, then specify the COM port to\r\ncommunicate over and click the “READPASS” button. A second or two later, the password is shown to the user as\r\nseen in Figure 1.\r\nPrevious research targeting DirectLogic PLCs has resulted in successful cracking techniques. However, Dragos\r\nfound that this exploit does not crack a scrambled version of the password as historically seen in popular\r\nexploitation frameworks. Instead, a specific byte sequence is sent by the malware dropper to a COM port.\r\nCapturing the serial traffic sent by the exploit allowed Dragos researchers to recreate it outside of the malware\r\ndropper. The malware contains a serial-only version of the exploit, requiring the user to have a direct serial\r\nconnection from an Engineering Workstation (EWS) to the PLC. Dragos researchers were able to successfully\r\nrecreate the exploit over Ethernet, increasing the severity of this vulnerability significantly. This vulnerability was\r\nassigned CVE-2022-2003 and was responsibly disclosed to Automation Direct. They have released a firmware\r\nupdate to fix this issue [source: ICS-CERT Advisory (ICSA-22-167-03), ICS-CERT Advisory (ICSA-22-167-02)].\r\nThe Sality Malware\r\nhttps://www.dragos.com/blog/the-trojan-horse-malware-password-cracking-ecosystem-targeting-industrial-operators/\r\nPage 2 of 8\n\nSality is a peer-to-peer botnet for distributed computing tasks such as password cracking and cryptocurrency\r\nmining. A Sality infection could risk remote access to an EWS by an unknown adversary. Dragos assesses with\r\nmoderate confidence the adversary, while having the capability to disrupt industrial processes, has financial\r\nmotivation and may not directly impact Operational Technology (OT) processes.\r\nSality employs process injection and file infection to maintain persistence on the host. It abuses Window’s autorun\r\nfunctionality to spread copies of itself over Universal Serial Bus (USB), network shares, and external storage\r\ndrives. This specific sample of Sality also drops clipboard hijacking malware that, every half second, checks the\r\nclipboard for a cryptocurrency address format. If seen, the hijacker replaces the address with one owned by the\r\nthreat actor. This in-real-time hijacking is an effective way to steal cryptocurrency from users wanting to transfer\r\nfunds and increases our confidence that the adversary is financially motivated.\r\nTo remain undetected, Sality drops a kernel driver and starts a service to identify any potential security products\r\nsuch as antivirus systems or firewalls and terminates them. According to various reports online, Sality is able to\r\nconduct Internet Protocol (IP) filtering against antivirus-related URLs and will drop any outgoing packets\r\ncontaining specific keywords known to be connected to antivirus vendor websites. This could have regulatory\r\nimplications – since Sality blocks any outgoing connections, antivirus systems will not be able to receive updates\r\nviolating reliability standard CIP-007-6. While Sality makes several attempts to stay hidden, it is quite clear that\r\nan infection is taking place. Central Processing Unit (CPU) levels spikes to 100% and multiple Windows Defender\r\nalerts were triggered.\r\nAutomation Direct is far from the only vendor affected. In fact, Dragos is aware that this specific threat actor\r\nadvertises “cracking” software for several PLCs, HMIs, and project files listed in the following table:\r\nVendor and Asset System Type\r\nAutomation Direct DirectLogic 06 PLC\r\nOmron CP1H PLC\r\nOmron C200HX PLC\r\nOmron C200H PLC\r\nOmron CPM2* PLC\r\nOmron CPM1A PLC\r\nOmron CQM1H PLC\r\nSiemens S7-200 PLC\r\nSiemens S7-200 Project File (*.mwp)\r\nSiemens LOGO! 0AB6 PLC\r\nABB Codesys Project File (*.pro)\r\nhttps://www.dragos.com/blog/the-trojan-horse-malware-password-cracking-ecosystem-targeting-industrial-operators/\r\nPage 3 of 8\n\nDelta Automation DVP, ES, EX, SS2, EC Series PLC\r\nFuji Electric POD UG HMI\r\nFuji Electric Hakko HMI\r\nMitsubishi Electric FX Series (3U and 3G) PLC\r\nMitsubishi Electric Q02 Series PLC\r\nMitsubishi Electric GT 1020 Series HMI\r\nMitsubishi Electric GOT F930 HMI\r\nMitsubishi Electric GOT F940 HMI\r\nMitsubishi Electric GOT 1055 HMI\r\nPro-Face GP Pro-Face HMI\r\nPro-Face GP Project File (*.prw)\r\nVigor VB PLC\r\nVigor VH PLC\r\nWeintek HMI\r\nAllen Bradley MicroLogix 1000 PLC\r\nPanasonic NAIS F P0 PLC\r\nFatek FBe and FBs Series PLC\r\nIDEC Corporation HG2S-FF HMI\r\nLG K80S PLC\r\nLG K120S PLC\r\nVendor and Asset System Type\r\nAutomation Direct DirectLogic 06 PLC\r\nOmron CP1H PLC\r\nOmron C200HX PLC\r\nOmron C200H PLC\r\nOmron CPM2* PLC\r\nOmron CPM1A PLC\r\nhttps://www.dragos.com/blog/the-trojan-horse-malware-password-cracking-ecosystem-targeting-industrial-operators/\r\nPage 4 of 8\n\nOmron CQM1H PLC\r\nSiemens S7-200 PLC\r\nSiemens S7-200 Project File (*.mwp)\r\nSiemens LOGO! 0AB6 PLC\r\nABB Codesys Project File (*.pro)\r\nDelta Automation DVP, ES, EX, SS2, EC Series PLC\r\nFuji Electric POD UG HMI\r\nFuji Electric Hakko HMI\r\nMitsubishi Electric FX Series (3U and 3G) PLC\r\nMitsubishi Electric Q02 Series PLC\r\nMitsubishi Electric GT 1020 Series HMI\r\nMitsubishi Electric GOT F930 HMI\r\nMitsubishi Electric GOT F940 HMI\r\nMitsubishi Electric GOT 1055 HMI\r\nPro-Face GP Pro-Face HMI\r\nPro-Face GP Project File (*.prw)\r\nVigor VB PLC\r\nVigor VH PLC\r\nWeintek HMI\r\nAllen Bradley MicroLogix 1000 PLC\r\nPanasonic NAIS F P0 PLC\r\nFatek FBe and FBs Series PLC\r\nIDEC Corporation HG2S-FF HMI\r\nLG K80S PLC\r\nLG K120S PLC\r\nDragos only tested the DirectLogic-targeting malware. However, initial dynamic analysis of a couple of other\r\nsamples indicate they also contain malware. In general, it appears there is an ecosystem for this type of software.\r\nhttps://www.dragos.com/blog/the-trojan-horse-malware-password-cracking-ecosystem-targeting-industrial-operators/\r\nPage 5 of 8\n\nSeveral websites and multiple social media accounts exist all touting their password “crackers.”\r\nhttps://www.dragos.com/blog/the-trojan-horse-malware-password-cracking-ecosystem-targeting-industrial-operators/\r\nPage 6 of 8\n\nConclusion\r\nTrojanized software is a common delivery technique for malware and has been proven effective for gaining initial\r\naccess to a network. While, in our fictitious example, Troy had a legitimate reason for downloading the password\r\n“cracking” software, doing so from an unknown actor introduced significant and unnecessary risk into the OT\r\nenvironment. If an engineer needs to recover a lost password, contact Dragos or the respective vendor for\r\ninstructions and guidance. As the adage goes, if it’s too good to be true, then it probably is.\r\nhttps://www.dragos.com/blog/the-trojan-horse-malware-password-cracking-ecosystem-targeting-industrial-operators/\r\nPage 7 of 8\n\nSam Hanson is a Vulnerability Analyst on the Intelligence Research Team. Sam graduated from the University of\r\nMinnesota – Twin Cities in 2020 with a Computer Science degree and a focus on Computer Security.\r\nSource: https://www.dragos.com/blog/the-trojan-horse-malware-password-cracking-ecosystem-targeting-industrial-operators/\r\nhttps://www.dragos.com/blog/the-trojan-horse-malware-password-cracking-ecosystem-targeting-industrial-operators/\r\nPage 8 of 8",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.dragos.com/blog/the-trojan-horse-malware-password-cracking-ecosystem-targeting-industrial-operators/"
	],
	"report_names": [
		"the-trojan-horse-malware-password-cracking-ecosystem-targeting-industrial-operators"
	],
	"threat_actors": [],
	"ts_created_at": 1775791215,
	"ts_updated_at": 1775791336,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0a82d1de17d338fa636b15d0d2d499b06cb0f32a.pdf",
		"text": "https://archive.orkl.eu/0a82d1de17d338fa636b15d0d2d499b06cb0f32a.txt",
		"img": "https://archive.orkl.eu/0a82d1de17d338fa636b15d0d2d499b06cb0f32a.jpg"
	}
}