S1165 FrostyGoop
FrostyGoop is a Windows-based binary written in Golang that allows for interaction with industrial control system (ICS) equipment via Modbus TCP over port 502. FrostyGoop allows for reading and writing data to holding registers on targeted devices, manipulating the operation of systems for malicious purposes. FrostyGoop is associated with the FrostyGoop Incident in Ukraine.[1][2]
| Item | Value |
|---|---|
| ID | S1165 |
| Associated Names | BUSTLEBERM |
| Type | MALWARE |
| Version | 1.0 |
| Created | 20 November 2024 |
| Last Modified | 20 November 2024 |
Associated Software Descriptions
| Name | Description |
|---|---|
| BUSTLEBERM | [2] |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| ics | T0807 | Command-Line Interface | FrostyGoop is compiled for Windows systems and leverages a Windows-based command line interface.[1] Its Modbus interaction functionality is based on a publicly available GitHub repository for command line input.[2] |
| ics | T0885 | Commonly Used Port | FrostyGoop communicates using the Modbus protocol over the standard port of TCP 502.[1] |
| ics | T0836 | Modify Parameter | FrostyGoop allows for the modification of system settings by reading and writing to registers via Modbus commands.[1][2] |
| ics | T0801 | Monitor Process State | FrostyGoop can read data from holding registers via Modbus communication.[1] |
| ics | T0869 | Standard Application Layer Protocol | FrostyGoop utilizes the Modbus protocol for transmitting commands to victim devices.[1] |
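The techniques above all reduce to one observable: Modbus/TCP requests on port 502 whose function code reads or writes holding registers. The following detection sketch is an added example and is not code from the ATT&CK page, Dragos or Nozomi Networks; it parses the Modbus/TCP MBAP header and PDU of captured requests and raises an alert when a holding-register write (function codes 0x06 and 0x10, from the Modbus specification) comes from a host that is not on an assumed allow-list of engineering workstations. The IP addresses, the allow-list and the sample frames are constructed for the example.

```python
"""Classify Modbus/TCP requests seen on port 502 and flag holding-register
writes from hosts that are not authorised to change device parameters."""
import struct
from dataclasses import dataclass

MODBUS_TCP_PORT = 502
# Standard Modbus function codes for holding registers
READ_HOLDING_REGISTERS = 0x03
WRITE_SINGLE_REGISTER = 0x06
WRITE_MULTIPLE_REGISTERS = 0x10
FUNCTION_NAMES = {
    READ_HOLDING_REGISTERS: "Read Holding Registers",
    WRITE_SINGLE_REGISTER: "Write Single Register",
    WRITE_MULTIPLE_REGISTERS: "Write Multiple Registers",
}
WRITE_FUNCTIONS = {WRITE_SINGLE_REGISTER, WRITE_MULTIPLE_REGISTERS}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    start_address: int
    quantity: int


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse a client-to-server Modbus/TCP request: 7-byte MBAP header + PDU."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header and function code")
    tid, proto, length, unit, func = struct.unpack(">HHHBB", frame[:8])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus (expected 0)")
    # The MBAP length field counts the unit id plus the PDU (everything after byte 6)
    if length != len(frame) - 6:
        raise ValueError("MBAP length field disagrees with frame size")
    pdu = frame[8:]
    if func in (READ_HOLDING_REGISTERS, WRITE_SINGLE_REGISTER):
        if len(pdu) != 4:
            raise ValueError("expected 2-byte address followed by 2-byte quantity/value")
        start, second = struct.unpack(">HH", pdu)
        quantity = second if func == READ_HOLDING_REGISTERS else 1
    elif func == WRITE_MULTIPLE_REGISTERS:
        if len(pdu) < 5:
            raise ValueError("truncated write-multiple-registers header")
        start, quantity, byte_count = struct.unpack(">HHB", pdu[:5])
        if byte_count != 2 * quantity or len(pdu) != 5 + byte_count:
            raise ValueError("byte count does not match register count")
    else:
        start, quantity = 0, 0  # other function codes are not decoded in this example
    return ModbusRequest(tid, unit, func, start, quantity)


def inspect_flows(flows, allowed_writers):
    """flows: iterable of (src_ip, dst_ip, dst_port, payload). Returns a list of alerts."""
    alerts = []
    for src, dst, port, payload in flows:
        if port != MODBUS_TCP_PORT:
            continue
        try:
            req = parse_modbus_tcp(payload)
        except ValueError as exc:
            alerts.append({"src": src, "dst": dst, "reason": f"malformed Modbus/TCP: {exc}"})
            continue
        if req.function in WRITE_FUNCTIONS and src not in allowed_writers:
            alerts.append({"src": src, "dst": dst, "function": req.function,
                           "name": FUNCTION_NAMES[req.function],
                           "start": req.start_address, "quantity": req.quantity,
                           "reason": "holding-register write from unauthorised host"})
    return alerts


# Constructed sample data: 10.0.1.10 is the assumed engineering workstation,
# 10.0.2.5 the assumed controller, 10.0.9.77 an unexpected host.
ALLOWED_WRITERS = {"10.0.1.10"}
SAMPLE_FLOWS = [
    # read 10 holding registers from address 0 (normal polling)
    ("10.0.1.10", "10.0.2.5", 502, bytes.fromhex("00010000000601030000000a")),
    # write single register 16 := 1 from the allowed workstation
    ("10.0.1.10", "10.0.2.5", 502, bytes.fromhex("000200000006010600100001")),
    # write two registers starting at 16 from an unexpected host
    ("10.0.9.77", "10.0.2.5", 502, bytes.fromhex("00030000000b0110001000020400000000")),
    # unrelated traffic on another port is ignored
    ("10.0.9.77", "10.0.2.5", 80, b"GET / HTTP/1.1\r\n"),
    # MBAP length field (0xff) does not match the 8-byte frame
    ("10.0.9.77", "10.0.2.5", 502, bytes.fromhex("0004000000ff0103")),
]

if __name__ == "__main__":
    for alert in inspect_flows(SAMPLE_FLOWS, ALLOWED_WRITERS):
        print(alert)
```

Malformed frames are reported rather than silently dropped, because a length field that disagrees with the frame size is itself worth a look on a network where only known engineering tools should speak Modbus. In a real deployment the allow-list would come from an asset inventory and the frames from a capture or a protocol-aware sensor.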
References
- [1] Mark Graham, Carolyn Ahlers, Kyle O’Meara; Dragos. (2024, July). Impact of FrostyGoop ICS Malware on Connected OT Systems. Retrieved November 20, 2024.
- [2] Nozomi Networks Labs. (2024, July 24). Cyberwarfare Targeting OT: Protecting Against FrostyGoop/BUSTLEBERM Malware. Retrieved November 20, 2024.