{
  "Event": {
    "analysis": "0",
    "date": "2024-12-10",
    "extends_uuid": "",
    "info": "[Threat Intel] Inside a New OT/IoT Cyberweapon: IOCONTROL",
    "protected": false,
    "publish_timestamp": "1772407305",
    "published": true,
    "threat_level_id": "2",
    "timestamp": "1772407302",
    "uuid": "5ef558ec-a56f-4d88-8e98-fc5d58f4ca6a",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"elf.iocontrol\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#110041",
        "local": false,
        "name": "rectifyq:sub-category=\"malware-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#190061",
        "local": false,
        "name": "rectifyq:topic=\"ics-ot\"",
        "relationship_type": ""
      },
      {
        "colour": "#1c006d",
        "local": false,
        "name": "rectifyq:topic=\"geopolitical\"",
        "relationship_type": ""
      },
      {
        "colour": "#d92121",
        "local": false,
        "name": "rectifyq:target=\"targeted\"",
        "relationship_type": ""
      },
      {
        "colour": "#31373d",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"not-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#f63636",
        "local": false,
        "name": "ICS-specific",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:country=\"iran\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:target-information=\"Israel\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:target-information=\"United States\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#230087",
        "local": false,
        "name": "rectifyq:samples-found-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:sector=\"Industrial\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772364091",
        "to_ids": false,
        "type": "link",
        "uuid": "6eb4c3bd-058c-4fee-bb10-95ab6229d1ad",
        "value": "https://claroty.com/team82/research/inside-a-new-ot-iot-cyber-weapon-iocontrol",
        "Tag": [
          {
            "colour": "#6b003a",
            "local": true,
            "name": "workflow:todo=\"create-missing-misp-galaxy-cluster\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772364176",
        "to_ids": false,
        "type": "link",
        "uuid": "f1153c36-3f46-46d6-845d-86a4ce404bf3",
        "value": "https://web-assets.claroty.com/resource-downloads/team82_iocontrol.pdf"
      },
      {
        "category": "Network activity",
        "comment": "C2 IP address contacted by IOCONTROL.",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772394368",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "c0febc17-82af-4a0f-9816-71bf306f0df7",
        "value": "159.100.6.69",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "C2 domain found in IOCONTROL. Communication uses MQTT over TLS (MQTTS) on port 8883.",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772394390",
        "to_ids": true,
        "type": "hostname",
        "uuid": "6eb70c74-8eda-4ef6-8937-12f8c6d56c89",
        "value": "uuokhhfsdlk.tylarion867mino.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Older DNS records, from around 2023, show that the domain ocferda[.]com was in use and pointed to the same IP address as the C2, 159[.]100[.]6[.]69.",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772394411",
        "to_ids": true,
        "type": "domain",
        "uuid": "727efa0f-2e03-45e4-9997-edd18ef4768b",
        "value": "ocferda.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "AES-256-CBC key used to decrypt the config; the value is the key itself, not a file hash. No sample in VT.\r\nLast check: 02/03/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772394146",
        "to_ids": true,
        "type": "sha256",
        "uuid": "cb91f934-4477-4d1e-a65b-3124eb2186e8",
        "value": "22e70a3056aa209e90dc5a354edda2c1c3b88f1e4720dc6a090c4617a919447e",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "AES-256-CBC IV used to decrypt the config; the value is the IV itself, not a file hash. No sample in VT.\r\nLast check: 02/03/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772394147",
        "to_ids": true,
        "type": "md5",
        "uuid": "088418bb-55f0-4873-add9-65f4a1d42262",
        "value": "1c3b88f1e4720dc6a090c4617a919447",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1772394432",
        "uuid": "6d468eec-2a34-4fd1-b620-1d490a6bb2f9",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "IOCONTROL Initial sample",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1772394432",
            "to_ids": true,
            "type": "md5",
            "uuid": "591089a6-45bb-4f51-ab6a-7e095a12ced6",
            "value": "c92e2655d115368f92e7b7de5803b7bc",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "IOCONTROL Initial sample",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1772394145",
            "to_ids": true,
            "type": "sha1",
            "uuid": "cb30e905-e544-4c4f-9033-65eb5b1c4441",
            "value": "366e435a1ea0f597deb6ebe7c0c5acdb6e8b33eb",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "IOCONTROL Initial sample",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1772394145",
            "to_ids": true,
            "type": "sha256",
            "uuid": "541093a5-9618-4754-90b0-b248b8fedf04",
            "value": "1b39f9b2b96a6586c4a11ab2fdbff8fdf16ba5a0ac7603149023d73f33b84498",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1772393237",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "ef293afe-7da9-4318-8508-80d9c8b3809c",
            "value": "384:PTlCwsCROIIuZkdKIf5C+UCOP32ZU4UKa:4wsCR010C832ZHUKa"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1772393237",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "546e5a5d-c18d-43d6-8834-0d206d57c84f",
            "value": "16208"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1772393237",
            "to_ids": true,
            "type": "vhash",
            "uuid": "008b1e4e-aab7-44f5-91fd-971c3dd94293",
            "value": "11514985d20f0caa4891de35605a94af"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1772393237",
            "to_ids": true,
            "type": "filename",
            "uuid": "f611358a-99b3-4c5a-a37e-6ebb89fa9009",
            "value": "c92e2655d115368f92e7b7de5803b7bc___679136bd-a11b-4be5-9479-afbbddcf1aab.elf"
          },
          {
            "category": "Other",
            "comment": "Checked: 02/03/2026\nLast scan: 02/03/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1772393237",
            "to_ids": false,
            "type": "text",
            "uuid": "a81c68fc-5f1a-492c-ad88-44c503435843",
            "value": "IOCONTROL Initial sample\nType Description: ELF\nMicrosoft: Trojan:Linux/Multiverze!rfn\nVT Total Detection: 34/64\nFirst Submission: 2024-01-17T14:33:07.000000+00:00\nLast Submission: 2026-02-28T06:55:03.000000+00:00"
          }
        ]
      }
    ]
  }
}