S1006 PLC-Blaster
PLC-Blaster is a piece of proof-of-concept malware that runs on Siemens S7 PLCs. This worm locates other Siemens S7 PLCs on the network and attempts to infect them. Once this worm has infected its target and attempted to infect other devices on the network, the worm can then run one of many modules.
Item |
Value |
ID |
S1006 |
Associated Names |
|
Type |
MALWARE |
Version |
1.0 |
Created |
26 March 2019 |
Last Modified |
12 October 2022 |
Navigation Layer |
View In ATT&CK® Navigator |
Techniques Used
Domain |
ID |
Name |
Use |
ics |
T0858 |
Change Operating Mode |
PLC-Blaster stops the execution of the user program on the target to enable the transfer of its own code. The worm then copies itself to the target and subsequently starts the target PLC again. |
ics |
T0814 |
Denial of Service |
The execution on the PLC can be stopped by violating the cycle time limit. The PLC-Blaster implements an endless loop triggering an error condition within the PLC with the impact of a DoS. |
ics |
T0835 |
Manipulate I/O Image |
PLC-Blaster may manipulate any outputs of the PLC. Using the POU POKE any value within the process image may be modified. |
ics |
T0821 |
Modify Controller Tasking |
PLC-Blaster‘s code is stored in OB9999. The original code on the target is untouched. The OB is automatically detected by the PLC and executed. |
ics |
T0889 |
Modify Program |
PLC-Blaster copies itself to various Program Organization Units (POU) on the target device. The POUs include the Data Block, Function, and Function Block. |
ics |
T0834 |
Native API |
PLC-Blaster uses the system function blocks TCON and TDISCON to initiate and destroy TCP connections to arbitrary systems. Buffers may be sent and received on these connections with TRCV und TSEND system function blocks. |
ics |
T0843 |
Program Download |
PLC-Blaster utilizes the PLC communication and management API to load executable Program Organization Units. |
ics |
T0846 |
Remote System Discovery |
PLC-Blaster scans the network to find other Siemens S7 PLC devices to infect. It locates these devices by checking for a service listening on TCP port 102. |
References