ZionSiphon is a Windows-based .NET implant disguised as SCADA_SecurityPatch_v8.4.exe that targets Israeli water and desalination infrastructure, but a critical XOR bug prevents its geographic validation from ever succeeding. The malware includes host-level persistence, privilege escalation, USB propagation logic, and sabotage-oriented strings for chlorine dosing and reverse osmosis control, yet it lacks working ICS-native execution, C2, and PLC interaction. #ZionSiphon #SCADA_SecurityPatch_v8.4.exe #Mekorot #Sorek #Hadera #Ashdod #Palmachim #Shafdan #Eilat
Keypoints
- ZionSiphon is delivered as SCADA_SecurityPatch_v8.4.exe, a PE32 Mono/.NET executable running on Windows host systems.
- The sample shows clear targeting intent against Israeli water and desalination infrastructure, including references to Mekorot, Sorek, Hadera, Ashdod, Palmachim, Shafdan, and Eilat.
- A critical XOR bug in the geographic validation logic prevents the malware from properly recognizing its intended Israeli network environment.
- The implant uses Windows host-layer tradecraft such as registry persistence, PowerShell-based elevation, masquerading as svchost.exe, and cleanup via delete.bat.
- The binary contains sabotage-oriented parameters tied to chlorine dosing and reverse osmosis pressure, but no confirmed PLC firmware interaction or vendor-specific ICS protocol implementation.
- Sandbox and reverse engineering evidence shows no meaningful C2, DNS, or HTTP activity, suggesting a pre-scripted, locally gated execution model.
- The artifact also contains ideological messaging, making it potentially as much a signaling or PSYOP-adjacent sample as an operational intrusion tool.
MITRE Techniques
- [T1547.001] Registry Run Keys / Startup Folder - The malware establishes persistence by creating a Run value named SYSTEMHEALTHCHECK that points to the staged payload ("persistence through the current-user Run registry key under SYSTEMHEALTHCHECK").
- [T1112] Modify Registry - It modifies Windows registry settings to create persistence and control execution flow ("writes a Run key under Software\Microsoft\Windows\CurrentVersion\Run").
- [T1059.003] Windows Command Shell - It invokes cmd.exe to execute cleanup logic through a batch file (cmd.exe /c "%TEMP%\delete.bat").
- [T1070.004] File Deletion - It removes traces by deleting the original sample and cleanup artifacts ("self-removal process", "marking both the original sample and cleanup script for deletion").
- [T1070.009] Clear Persistence - It cleans up persistence-related artifacts when validation fails ("frequently triggers its own cleanup routines").
- [T1082] System Information Discovery - It collects host and environment data such as hostname, OS version and memory characteristics ("gethostname", "RtlGetVersion", "GlobalMemoryStatusEx").
- [T1083] File and Directory Discovery - It checks for water-sector configuration files and directories to validate the environment ("C:\ChlorineControl.dat", "C:\Program Files\Desalination").
- [T1480] Execution Guardrails - It restricts execution to specific geographic and environmental conditions ("restricted to IL ranges", "Target not matched"). Because the XOR bug breaks the geographic check, the guardrail fails even on its intended targets, so what analysts observe is largely the failure path: validation, "Target not matched", and cleanup.
- [T1497.001] Virtualization/Sandbox Evasion: System Checks - It checks for sandbox and VM indicators such as VBoxGuest and OOBEINPROGRESS ("vboxguestadditions", "VBoxGuest").
- [T1622] Debugger Evasion - It includes anti-analysis checks to detect debugging conditions ("IsDebuggerPresent").
- [T1134] Access Token Manipulation - It attempts elevation through RunAs/administrator execution ("Start-Process -FilePath … -Verb RunAs"). Note that -Verb RunAs requests elevation through the UAC consent prompt rather than manipulating an existing token, so the behavior sits closer to T1548 Abuse Elevation Control Mechanism; on a host with UAC enabled it produces a visible prompt, which is itself a detection opportunity.
- [T1106] Native API - It relies on low-level Windows APIs for discovery and environment checks ("NtQuerySystemInformation", "OpenProcessToken").
- [T1564.003] Hidden Window - It sets CreateNoWindow when launching child processes to reduce visibility ("CreateNoWindow").
- [T1055] Process Injection - Listed in the report's MITRE-relevant behavior summary, though the article does not provide confirmed operational detail ("Process Injection").
- [T1055.002] Portable Executable Injection - Listed as a relevant behavior in the report, but not demonstrated with a confirmed in-process target ("Portable Executable Injection").
- [T1105] Ingress Tool Transfer - The staged payload and removable-media propagation logic indicate transfer of the malicious tool onto target systems ("stages itself into %LOCALAPPDATA%\svchost.exe", "CreateUSBShortcut"). Strictly, copying itself into %LOCALAPPDATA% is local staging rather than ingress from an external system, and the USB logic maps more precisely to T1091 Replication Through Removable Media.
- [T1222] File and Directory Permissions Modification - The sample manipulates file attributes and shortcut behavior on removable media ("SetAttributes", "icon spoofing via shell32.dll,4"). SetAttributes changes file attributes (hidden, system) rather than ACLs, so T1564.001 Hidden Files and Directories is the closer fit, and the folder-icon shortcut is T1036 Masquerading.
Indicators of Compromise
- [Filename] Primary sample and dropped artifacts - SCADA_SecurityPatch_v8.4.exe, svchost.exe, and delete.bat
- [File hashes] Primary sample and dropped payload/cleanup artifacts - SHA256 07c3bbe60d47240df7152f72beb98ea373d9600946860bad12f7bc617a5d6f5f, MD5 9f6265271f0b04e98ed28e414a8eee91, and 2 more hashes
- [Registry key/value] Persistence mechanism - HKCU\Software\Microsoft\Windows\CurrentVersion\Run with value SYSTEMHEALTHCHECK pointing to %LOCALAPPDATA%\svchost.exe
- [File paths] Dropped payload, cleanup script, and validation log - %LOCALAPPDATA%\svchost.exe, %TEMP%\delete.bat, and %TEMP%\target_verify.log
- [Configuration files] Water-sector targeting artifacts (files the implant looks for during environment validation, not files it writes) - C:\ChlorineControl.dat, C:\RO_PumpSettings.ini, and 4 more files such as C:\DesalConfig.ini and C:\WaterTreatment.ini
- [Process and facility strings] Targeting and masquerade indicators - Mekorot, Sorek, Hadera, Ashdod, Palmachim, Shafdan, and Eilat
- [IPv4 ranges] Geofencing logic observed in binary/memory - 2.52.0.0-2.55.255.255, 5.28.0.0-5.29.255.255, and 2 more ranges
- [Mutex] Single-instance control - {A1234567-B89C-40D1-ABCD-1234567890EF}
- [Industrial protocol patterns] Partial protocol fingerprints embedded in the sample - Modbus, DNP3, and S7comm request patterns
- [USB propagation artifacts] Removable-media infection logic - CreateUSBShortcut, .lnk files in the root of removable media, and shell32.dll,4
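As an added example (not code from the DomainTools report), the following PowerShell hunt checks a Windows host for the artifacts listed above: the SYSTEMHEALTHCHECK Run value, the dropped files and their SHA256 against the published sample hash, the single-instance mutex, and folder-icon .lnk files in the root of removable drives. The report gives the mutex GUID but not its namespace, so both the session-local and Global\ names are tried; that is an assumption and is marked in the code. Presence of the C:\ configuration files only means the host would satisfy the implant's environment check, so they are reported separately rather than as evidence of infection.

```powershell
# Added example, not part of the DomainTools report: hunt a Windows host for the
# ZionSiphon artifacts listed above. Run from an elevated PowerShell 5.1+ session.
$Findings = [System.Collections.Generic.List[string]]::new()

# T1547.001 - current-user Run value SYSTEMHEALTHCHECK pointing at the staged payload
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -Name 'SYSTEMHEALTHCHECK' -ErrorAction SilentlyContinue
if ($run) { $Findings.Add("Run value SYSTEMHEALTHCHECK -> $($run.SYSTEMHEALTHCHECK)") }

# Dropped payload, cleanup script and validation log. A svchost.exe outside System32 is
# suspicious on its own; its hash is compared with the SHA256 published for the sample.
$knownSha256 = @('07C3BBE60D47240DF7152F72BEB98EA373D9600946860BAD12F7BC617A5D6F5F')
$dropped = @(
    (Join-Path $env:LOCALAPPDATA 'svchost.exe'),
    (Join-Path $env:TEMP 'delete.bat'),
    (Join-Path $env:TEMP 'target_verify.log')
)
# Also look for the original lure filename anywhere under the current profile.
$dropped += @(Get-ChildItem -Path $env:USERPROFILE -Recurse -Force -Filter 'SCADA_SecurityPatch_v8.4.exe' `
    -ErrorAction SilentlyContinue | Select-Object -ExpandProperty FullName)
foreach ($p in $dropped) {
    if (Test-Path -LiteralPath $p -PathType Leaf) {
        $h = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        $tag = if ($knownSha256 -contains $h) { 'matches published sample hash' } else { 'present, hash not in report' }
        $Findings.Add("$p ($tag; SHA256 $h)")
    }
}

# T1083 - environment-check paths the implant looks for. Their presence means the host
# satisfies that guardrail, not that it is infected, so they are reported separately.
$lures = @('C:\ChlorineControl.dat', 'C:\RO_PumpSettings.ini', 'C:\DesalConfig.ini',
           'C:\WaterTreatment.ini', 'C:\Program Files\Desalination')
foreach ($p in $lures) {
    if (Test-Path -LiteralPath $p) { $Findings.Add("Environment-check path present (guardrail would match): $p") }
}

# Single-instance mutex. The report gives the GUID but not the namespace, so the
# session-local and the Global\ name are both tried (assumption).
$guid = '{A1234567-B89C-40D1-ABCD-1234567890EF}'
foreach ($name in @($guid, "Global\$guid")) {
    try {
        $m = [System.Threading.Mutex]::OpenExisting($name)
        $m.Dispose()
        $Findings.Add("Mutex open succeeded: $name (an instance is running)")
    } catch [System.Threading.WaitHandleCannotBeOpenedException] {
        # mutex not present under this name
    } catch [System.UnauthorizedAccessException] {
        $Findings.Add("Mutex exists but is not accessible: $name")
    }
}

# USB propagation (CreateUSBShortcut): .lnk files in the root of removable drives that
# use the shell32.dll,4 folder icon or point at the staged svchost.exe.
$shell = New-Object -ComObject WScript.Shell
Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2' | ForEach-Object {
    Get-ChildItem -Path ($_.DeviceID + '\') -Filter '*.lnk' -Force -ErrorAction SilentlyContinue | ForEach-Object {
        $lnk = $shell.CreateShortcut($_.FullName)
        if ($lnk.IconLocation -match 'shell32\.dll,\s*4$' -or $lnk.TargetPath -match 'svchost\.exe$') {
            $Findings.Add("Suspicious shortcut $($_.FullName) -> $($lnk.TargetPath) [icon $($lnk.IconLocation)]")
        }
    }
}

if ($Findings.Count -eq 0) { Write-Output 'No ZionSiphon artifacts found on this host.' }
else { $Findings | ForEach-Object { Write-Output "[!] $_" } }
```

The Run value and %LOCALAPPDATA% path are per-user, so on a shared host the registry and file checks should be repeated for every profile (for example by loading each user's NTUSER.DAT hive); the hash comparison covers only the SHA256 the page lists, so a svchost.exe in %LOCALAPPDATA% with an unknown hash should still be treated as a finding.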
Read more: https://dti.domaintools.com/research/threat-intelligence-report-zionsiphon