GRID - GIAC Response and Industrial Defense ICS Malware Analysis Questions and Answers

Question 1

An analyst performs static analysis on a suspicious executable found on an HMI. The analysis of embedded strings reveals hardcoded byte sequences corresponding to DNP3 function code 13 (Cold Restart) and object group 70 (File Transfer). What is the MOST likely purpose of this malware?

Accepted Answer

To disrupt or manipulate the physical process by rebooting remote devices and altering device files.

Answer

The presence of a DNP3 'Cold Restart' function code strongly indicates an intent to cause a denial-of-service or disruption by rebooting field devices. [11] The 'File Transfer' function (Object Group 70) suggests the capability to upload malicious configurations, firmware, or download legitimate files for analysis or alteration. [25] Combined, these features point directly to a goal of manipulating the physical process, which is a hallmark of ICS-specific malware.

Question 2

A malware sample is suspected of targeting a specific Rockwell ControlLogix PLC. The malware does not execute its primary payload in a standard IT virtual machine sandbox. Which of the following environments would be MOST effective for dynamic analysis of the malware's full capabilities?

Accepted Answer

An isolated physical lab containing the targeted PLC model, an engineering workstation, and network monitoring tools.

Answer

ICS malware often checks for the presence of specific hardware, firmware, or proprietary protocols before executing its malicious logic. A standard IT sandbox will lack these components, causing the malware to remain dormant. [21] The most effective analysis environment is an isolated physical lab that replicates the target environment with the actual PLC hardware, allowing the analyst to safely execute the malware and observe its interactions with the controller and its use of industrial protocols. [24]

Question 3

During malware analysis, an investigator discovers a file with a '.ACD' extension being staged on a compromised engineering workstation. Why is this finding particularly significant in an ICS environment?

Accepted Answer

It is a project file for Rockwell Studio 5000, indicating the attacker is modifying or crafting PLC logic. [32]

Answer

The '.ACD' file extension is used for project files by Rockwell's RSLogix 5000 or Studio 5000 software, which is used to program ControlLogix and CompactLogix PLCs. [32] Finding this file indicates that the attacker is not just performing reconnaissance or deploying generic malware, but is actively engaged in modifying, reverse engineering, or creating custom control logic to be downloaded to a PLC, representing a direct and sophisticated threat to the industrial process. [13]

Question 4

Which of the following is a primary objective of malware specifically designed for an Operational Technology (OT) environment, distinguishing it from most traditional IT-focused malware?

Accepted Answer

Manipulation of physical processes to cause disruption or destruction.

Answer

While IT malware typically focuses on data confidentiality (theft) or availability (ransomware) for financial gain, OT malware's primary objective is often to interact with and manipulate physical processes. [5, 8] This can lead to unsafe conditions, equipment damage, or disruption of critical infrastructure services, prioritizing impact on physical operations over data theft. [23]

Question 5

An analyst is performing dynamic analysis on a malware sample in an isolated ICS lab. They observe the malware sending a specially crafted packet to a Siemens S7 PLC, which causes the PLC to enter a 'STOP' state. The malware then begins communicating with an external IP address. This behavior is a classic example of which ICS attack technique?

Accepted Answer

A denial of control attack followed by establishing command and control (C2).

Answer

The first action—forcing the PLC into a 'STOP' state—is a 'Denial of Control' attack, as it prevents the legitimate operators from controlling the process via the PLC. The subsequent communication to an external IP address is the malware establishing a command and control (C2) channel to receive further instructions or exfiltrate data. This two-stage process is a common pattern for sophisticated ICS attacks.

(GRID) GIAC Response and Industrial Defense Practice Test

(GRID) GIAC Response and Industrial Defense Practice Test

GRID - GIAC Response and Industrial Defense ICS Malware Analysis Questions and Answers