SOLUTIONS
JIZÔ AI
JIZÔ ALERT ADVISOR (AI)
JIZÔ FOR OT
HOSHI
LOKI
COMPANY
COMPANY
WE RECRUIT
CONTACT
SUBSCRIBE
NEWS
BLOG
PRESS
EVENTS
PARTNERS
RESELLERS & DISTRIBUTORS
TECHNOLOGY PARTNERS
RESOURCES
REPORTS & WHITE PAPERS
WEBINARS
CONTACT
GET A DEMO

IOCONTROL: ANALYSIS OF AN IRANIAN CYBER DESTABILIZATION MALWARE

05 January 2025

On December 10, 2024, Claroty's Team82 research team published a detailed anaysis of IOCONTROL, a new Iranian-origin malware targeting critical Western and Israeli infrastructures. This discovery comes amid escalating cyber tensions between Iran and Israel.

ATTRIBUTION TO CYBERAV3NGERS

Forensic analysis has attributed IOCONTROL to the CyberAv3ngers group, affiliated with the Islamic Revolutionary Guard Corps (IRGC-CEC). This group is known for its sophisticated campaigns against Western interests. In February 2024, the U.S. Department of Treasury had already imposed sanctions on six IRGC-CEC officials linked to CyberAv3ngers operations, accompanied by a $10M reward for information on those responsible.

If you're interested in the Iranian arsenal and its growing capabilities in cyberspace, check out our study: Digital frontline: examining cyber warfare in the 2022 iranian uprising.

 

DEVELOPMENT, USAGE, AND IMPACT OF IOCONTROL ON CRITICAL INFRASTRUCTURE

IOCONTROL’S TARGETS

IOCONTROL poses a significant threat for several reasons. Its modular design enables it to target a wide range of IoT and OT devices, including:

  • Fuel management systems
  • Programmable Logic Controllers (PLCs)
  • Human-Machine Interfaces (HMI)
  • Critical networking equipment
  • Industrial control systems
  • IP cameras

Documented attacks have already affected hundreds of gas stations in Israel and the United States, demonstrating the malware's capacity to significantly disrupt essential services. The compromise of Orpak and Gasboy payment terminals highlights its disruption potential. Other affected brands include Baicells, D-Link, Hikvision, Red Lion, Phoenix Contact, Teltonika, and Unitronics.


A MODULAR MULTI-PLATFORM ARCHITECTURE

The strength of IOCONTROL lies in its modular architecture. Compiled for ARM 32-bit Big Endian architecture, the malware can adapt to various embedded Linux environments.

The modularity is evident in the separation between the execution code and the configuration, stored in a distinct encrypted section. This approach allows operators to quickly modify the malware’s behavior for different targets without recompilation. The code can thus be adapted to target both IP cameras and industrial programmable logic controllers by simply adjusting configuration parameters.

The malware's adaptability extends to its use of standard protocols like MQTT, widely utilized in IoT environments. This standardization facilitates deployment across multiple platforms while minimizing detection risks.

Additionally, the malware installs a daemon via the rc3.d system, a classic yet effective approach complemented by monitoring and automatic restart mechanisms. The persistence script at this stage implements a sophisticated monitoring logic.

While the IOCONTROL developers are less creative and more focused on compiling and modularizing pre-existing tools and functions, they have demonstrated an ability to innovate.

The use of unique GUIDs for each infection is a major innovation in managing compromised systems. Each instance of IOCONTROL is identified by a specific GUID (e.g., 855958ce-6483-4953-8c18-3f9625d88c27), serving as a basis for:

  • Identification with the C2 server
  • Cryptographic key derivation
  • Customization of attack parameters

This approach allows operators to:

  • Individually manage each infection
  • Adapt commands based on context
  • Maintain precise control over their infrastructure


COMMUNICATION MECHANISMS AND OPERATIONAL CAPABILITIES OF IOCONTROL

 

COMMAND & CONTROL INFRASTRUCTURE

IOCONTROL implements a communication architecture combining multiple obfuscation and encryption mechanisms to maintain operational stealth. At its core lies a secure DNS resolution system and an MQTT-based control protocol.


DNS RESOLUTION MECHANISM

To avoid detection by traditional network monitoring systems, IOCONTROL uses the DNS-over-HTTPS (DoH) protocol via Cloudflare's infrastructure. This approach provides a tactical advantage: DNS queries are encrypted and masked within legitimate HTTPS traffic, making their interception and analysis more complex.


MQTT CONTROL PROTOCOL

Once the C2 address is obtained, IOCONTROL establishes an encrypted MQTT connection on port 8883. The choice of the MQTT protocol is relevant in industrial environments, where it is commonly used for legitimate IoT communications. The MQTT connection is secured via TLS and structured around a robust authentication system based on a unique GUID per infection.


DETECTION BY JIZÔ AI

The techniques employed in this malware make detection complex. Indicators of compromise are now known and can be used by an EDR (Endpoint Detection and Response) on infected machines. However, for devices equipped with low-capacity CPUs, deploying a sophisticated EDR presents cost and administration challenges.

This limitation is inherent to IoT devices. Detecting IOCONTROL and its successors is more feasible with an NDR (Network Detection and Response) placed on network hubs. The NDR installed at these points can observe traffic to and from all IoT devices.

New attack techniques derived from IOCONTROL do not leave definitive signature-based traces until researchers perform detailed virus analysis. This is where the combination of pattern-based and behavioral detection becomes necessary. Patterns are tied to addresses, ports, and frame headers. More precisely, changes in frame size, frequency, temporal exchange variations, and other parameters are detected by Jizô AI’s engine, raising alerts during the earliest infections.

This confirms that protecting IoT devices is simpler to deploy, more proactive, and more precise with Jizô AI.