FrostyGoop is a particularly malicious form of malware that specifically targets industrial control systems (ICS). According to cybersecurity firm Dragos, it is the ninth known malware developed for this purpose. Unlike its predecessors, FrostyGoop can interact directly with operational technology over Modbus TCP, a standard industrial network protocol. This ability allows it to infiltrate and disrupt complex industrial operations. The past decade has seen a significant rise in ICS-centric malware, with FrostyGoop emerging as a recent prominent example.
The Cyber Security Situation Center in Ukraine has reported that FrostyGoop was used in a cyberattack on an energy facility in Lviv, a city in western Ukraine. Notably, the malware was responsible for a disruption in heating services during an attack in January. Files associated with the FrostyGoop attacks, such as the Windows executable for the malware itself and the JSON file named task-test.json used to test go-encrypt.exe, were recovered and analyzed. Two samples of FrostyGoop have been identified, each with its own distinct SHA256 hash.
While there is no definitive proof, potential vulnerabilities that the attackers may have exploited have been identified. According to the National Institute of Standards and Technology (NIST), versions 1 and 2 of the WR740N router's firmware are susceptible to a command injection vulnerability. However, no hard evidence has been found that this particular vulnerability was exploited in the July 2024 FrostyGoop attack. Regardless, the impact of the FrostyGoop ICS malware on connected operational technology systems has been significant, demonstrating the evolving threats within the cybersecurity landscape.
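Because the description above says FrostyGoop acts on operational technology directly over Modbus TCP, the most useful defensive control is visibility into who is issuing Modbus write commands on the OT network. The following Python is an added example written for this page; it is not code from Dragos, from the FrostyGoop analysis, or from any vendor. It parses the Modbus TCP MBAP header and function code from raw payloads and raises an alert when a write function (standard codes 5, 6, 15, 16 and 23) arrives from a source that is not on an allow list of known engineering or HMI hosts. The packet tuples, IP addresses and the allow list are constructed sample data, not indicators from the attack.

```python
import struct
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

# Standard Modbus function codes that change controller state.
WRITE_FUNCTIONS = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
    23: "Read/Write Multiple Registers",
}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes  # PDU bytes after the function code


def parse_modbus_tcp(payload: bytes) -> Optional[ModbusRequest]:
    """Parse an MBAP header (7 bytes) plus function code; return None if malformed.

    MBAP layout (big-endian): transaction id (2), protocol id (2, always 0),
    length (2, bytes that follow it, including unit id), unit id (1).
    """
    if len(payload) < 8:
        return None
    tid, proto, length, unit, fc = struct.unpack(">HHHBB", payload[:8])
    if proto != 0:
        return None  # not Modbus
    if length != len(payload) - 6:
        return None  # length field disagrees with the frame we hold
    return ModbusRequest(tid, unit, fc, payload[8:])


def describe_write(req: ModbusRequest) -> str:
    """Pull the target address and value/count out of common write PDUs."""
    if req.function_code in (5, 6) and len(req.data) >= 4:
        addr, value = struct.unpack(">HH", req.data[:4])
        return f"address={addr} value={value}"
    if req.function_code in (15, 16) and len(req.data) >= 4:
        addr, count = struct.unpack(">HH", req.data[:4])
        return f"start={addr} count={count}"
    return f"pdu={req.data.hex()}"


def flag_unexpected_writes(
    packets: Iterable[Tuple[str, str, bytes]], allowed_writers: Set[str]
) -> List[str]:
    """Return one alert line per Modbus write issued by a non-allow-listed source."""
    alerts = []
    for src, dst, payload in packets:
        req = parse_modbus_tcp(payload)
        if req is None or req.function_code not in WRITE_FUNCTIONS:
            continue
        if src in allowed_writers:
            continue
        alerts.append(
            f"{src} -> {dst} unit {req.unit_id}: "
            f"{WRITE_FUNCTIONS[req.function_code]} {describe_write(req)}"
        )
    return alerts


# Constructed sample traffic (src, dst, raw TCP payload). Not real capture data.
SAMPLE_PACKETS = [
    # Unknown host writes holding register 16 := 0 (flagged).
    ("203.0.113.9", "192.0.2.50", bytes.fromhex("000100000006010600100000")),
    # Known HMI reads 10 holding registers (read only, ignored).
    ("192.0.2.10", "192.0.2.50", bytes.fromhex("00020000000601030000000a")),
    # Known HMI writes two registers (allowed writer, ignored).
    ("192.0.2.10", "192.0.2.50", bytes.fromhex("00030000000b01100010000204" "00000000")),
    # Unknown host forces coil 1 ON (flagged).
    ("203.0.113.9", "192.0.2.50", bytes.fromhex("00040000000601050001ff00")),
]

# Hypothetical allow list of hosts permitted to write to controllers.
ALLOWED_WRITERS = {"192.0.2.10"}


def detect_sample() -> List[str]:
    return flag_unexpected_writes(SAMPLE_PACKETS, ALLOWED_WRITERS)


if __name__ == "__main__":
    for line in detect_sample():
        print("ALERT", line)
```

On a real network the packet tuples would come from a span port capture feeding this parser, and the allow list would be the documented set of engineering workstations and HMIs; any write from outside that set is the behaviour the description attributes to FrostyGoop and deserves an alert regardless of whether the initial access vector is ever confirmed.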
Description last updated: 2024-11-21T10:26:51.905Z