Tool for “Cracking Forgotten Passcodes” Is Actually Industrial-Grade Malware

Sality, a peer-to-peer botnet, is spreading through fake advertisements for "password crackers", according to researchers.
Aaron Drapkin

Security researchers have uncovered the truth behind software that's being advertised as a way to unlock industrial terminals without a password — it's actually a malware dropper.

The malware can subsume devices and add them to a botnet, meaning they could then be accessed by unauthorised users to help complete power-intensive tasks (like crypto-mining) that demand a network of distributed computers.

Although securely sharing passwords for company devices has been made safer by technology like password managers for teams, This scam suggests enough employees evidently still seek out password-cracking tools for the scam to be worthwhile.

Beware of Password Unlock Adverts

The malware – called “Sality” – discovered by security researchers at Dragos, is spreading through advertisements (Pictured below, Image credit: Dragos) posted by “multiple accounts across a variety of social media websites” and disguised as password unlocking software

Dragos Fake Advert

Specifically, it’s advertised as a way to unlock Programmable Logic Controller (PLC), Human-machine interface (HMI), and file password cracking software, if you don’t have a password to do so.

PLCs are essentially machines that set rules for industrial machinery like assembly lines or conveyor belts, and can be programmed to obey certain logical rules.

HMIs, on the other hand, are any consoles that allow humans to interact with devices, although they’re usually only called this in the context of industrial processes.

The adverts concern HMI/PLC terminals from companies such as Automation Direct, LG, Fuji Electric, Mitsubishi, Omron, Siemens, Vigor, Pro-Face, Allen Bradley, Weintek, ABB, and Panasonic.

What Does the Malware Do?

Instead of unlocking password-protected devices of the kind listed above, Sality instead exploits firmware vulnerabilities to retrieve passwords and turns the host device into a peer in a P2P botnet.

The malware itself can do things such as terminate processes, remotely connect to sites, download more malware, or steal data.

In order to maintain persistence in the host and spread to other devices on the same networks, the malware abuses the Windows autorun function and subsequently spreads copies of itself through USBs, external storage drives, and network shares.

Kernel drivers were also deployed by Sality to remove antivirus software and firewalls present on devices.

Dragos researchers observed additional malware being deployed to hijack clipboards and check for cryptocurrency address formats, reflecting that the motivation behind the attack is is likely financial.

Why Would You Need a Password Cracker Anyway?

You may be wondering: what’s the use case for a password cracker of this sort, and wouldn’t security researchers be extra cautious when downloading such tools?

The security team who discovered the malware detailed a scenario in which a password cracker would need to be acquired: An engineer, Dragos says, may need to update a programmable logic controller that presides over some sort of assembly line machinery after the retirement of a senior IT engineer who used to have responsibility for the system, only to find themselves password restricted.

They may turn to the internet for answers, and – particularly when pressed for time – be tempted into purchasing a password unlocking device for a PLC or HMI. To avoid being scammed, they should contact the former employee or the manufacturer.

Storing Passwords Securely

In the context of the case provided by Dragos, Sality malware relies on poor management of account credentials by industrial businesses.

Although the example given by Dragos concerns an employee leaving, an employee who’s forgotten a password and is unable to reset it may feel the same way, and that they have no option but to turn to password-cracking software available online, no matter how dodgy.

Password managers for businesses can prevent these problems from ever occuring, by offering secure storage for shared passwords that might be needed by more than one member of staff.

Using a password manager for this kind of account credentials means you’ll never be in a position where you’ll be left with no choice but to deploy some unverified password-unlocking software.

Best Password Managers for Business Use

0 out of 0
Local Storage Option
Two-Factor Authentication
Failsafe Function
Password Generator Function
A password manager can create secure, complex passwords for you. You won't need to remember them yourself.
Help Instructions
Email Support
Live Chat Support
Phone Support
Business Plan?
Business Price
Cheapest available business plan
Click to Try

LastPass

1Password

Dashlane

NordPass

Sticky Password

$3/user/month

$19.95/10 users

$60/user

$29.99/user

This article was last updated on:
Did you find this article helpful? Click on one of the following buttons
We're so happy you liked! Get more delivered to your inbox just like it.

We're sorry this article didn't help you today – we welcome feedback, so if there's any way you feel we could improve our content, please email us at contact@tech.co

Aaron Drapkin is a Senior Writer at Tech.co. He has been researching and writing about technology, politics, and society in print and online publications since graduating with a Philosophy degree from the University of Bristol three years ago. As a writer, Aaron takes a special interest in VPNs and project management software. He has been quoted in the Daily Mirror, Daily Express, The Daily Mail, Computer Weekly, and the Silicon Republic speaking on various privacy and cybersecurity issues, and has articles published in Wired, Vice, Metro, The Week, and Politics.co.uk covering a wide range of topics.

Explore More See all news
close Thinking about your online privacy? NordVPN is Tech.co's top-rated VPN service See Deals