The Story of KurtLar_SCADA: From Malware Discovery to Victim Disclosure

  • Thursday, 13 Mar 2025 1:00PM EDT (13 Mar 2025 17:00 UTC)
  • Speaker: Sam Hanson

This talk will discuss the discovery, analysis, and resulting victim notifications related to the KurtLar_SCADA malware. KurtLar_SCADA is a tool designed to identify poorly secured, Internet-exposed VNC servers. Given a list of IP addresses, the tool checks whether each VNC server requires authentication and, if so, attempts to brute force it using a small list of hardcoded credentials. The tool is being sold in a Telegram channel that has over 3,500 members. The channel promotes pro-Iranian and anti-Western viewpoints and even offers discounts to individuals targeting the United States or Israel. The developer of the malware markets it as a means to remotely access Human-Machine Interfaces (HMIs) that run VNC servers. The actors share multiple screenshots (7) in the Telegram channel that appear to be taken from HMIs, demonstrating the tool's effectiveness and utility. The channel also provides a course on how to find exposed industrial devices. Additionally, the administrator offers exploits, database dumps, initial access to specific organizations, denial-of-service tools, and access to a VIP channel containing more courses for sale. From identifying information in the screenshots, we were able to inform three victims of their exposed and potentially compromised assets.

This talk will cover several topics:

• Proactive threat hunting in VirusTotal

• The importance of partnerships and community-oriented organizations like OT-CERT and CISA (for tracking down and alerting victims)

• In-depth analysis of the malware

• Threat mitigations