Skip to content

S1006 PLC-Blaster

PLC-Blaster is a piece of proof-of-concept malware that runs on Siemens S7 PLCs. This worm locates other Siemens S7 PLCs on the network and attempts to infect them. Once this worm has infected its target and attempted to infect other devices on the network, the worm can then run one of many modules. 2 1

Item Value
ID S1006
Associated Names
Type MALWARE
Version 1.0
Created 26 March 2019
Last Modified 12 October 2022
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
ics T0858 Change Operating Mode PLC-Blaster stops the execution of the user program on the target to enable the transfer of its own code. The worm then copies itself to the target and subsequently starts the target PLC again. 2
ics T0814 Denial of Service The execution on the PLC can be stopped by violating the cycle time limit. The PLC-Blaster implements an endless loop triggering an error condition within the PLC with the impact of a DoS. 2
ics T0835 Manipulate I/O Image PLC-Blaster may manipulate any outputs of the PLC. Using the POU POKE any value within the process image may be modified. 2
ics T0821 Modify Controller Tasking PLC-Blaster‘s code is stored in OB9999. The original code on the target is untouched. The OB is automatically detected by the PLC and executed. 2
ics T0889 Modify Program PLC-Blaster copies itself to various Program Organization Units (POU) on the target device. The POUs include the Data Block, Function, and Function Block. 2
ics T0834 Native API PLC-Blaster uses the system function blocks TCON and TDISCON to initiate and destroy TCP connections to arbitrary systems. Buffers may be sent and received on these connections with TRCV und TSEND system function blocks. 2
ics T0843 Program Download PLC-Blaster utilizes the PLC communication and management API to load executable Program Organization Units. 2
ics T0846 Remote System Discovery PLC-Blaster scans the network to find other Siemens S7 PLC devices to infect. It locates these devices by checking for a service listening on TCP port 102. 2

References