New Sophisticated Linux Backdoor Attacking OT Systems Exploiting 0-Day RCE

A sophisticated Linux-based backdoor dubbed “OrpaCrab” has emerged as a significant threat to operational technology (OT) systems, particularly those managing gas station infrastructure.

Security researchers discovered the malware after it was uploaded to VirusTotal in January 2024 from the United States, marking a concerning development in industrial cybersecurity.

The backdoor specifically targets systems associated with ORPAK, a company involved in gas stations and oil transportation infrastructure.

The malware was extracted from a Gasboy fuel management system that had previously been compromised by the CyberAv3ngers hacking group, which has also been linked to cyberattacks exploiting Unitronics PLCs to breach water systems.

Embedded within Gasboy’s Payment Terminal (OrPT), the backdoor provides attackers with alarming capabilities to potentially control fuel services and extract sensitive financial information from customers.

Kaspersky researchers noted this attack as part of a troubling trend where threat actors target OT systems without implementing specialized OT-specific functionality.

Instead, they integrate support for communication protocols already used in legitimate traffic, making detection particularly challenging.

This approach represents an evolution in attack methodologies that industrial security teams must urgently address.

OrpaCrab exemplifies how attackers can compromise critical infrastructure without deep knowledge of industrial protocols, instead leveraging common networking standards to hide malicious traffic within legitimate communications.

The potential impact extends beyond data theft to possible service disruption at affected facilities, raising concerns about physical safety implications in industrial environments.

Technical Communication Mechanism

The technical sophistication of OrpaCrab is particularly evident in its communication strategy.

The backdoor leverages the MQTT (Message Queuing Telemetry Transport) protocol for command and control (C2) communications—a protocol commonly used in IoT and industrial environments.

This design choice allows the malware to blend its traffic with legitimate operational messages, significantly complicating detection efforts.

OrpaCrab employs three main MQTT topics to facilitate its operations: one for uploading initial device information, another for receiving instructions from its controllers, and a third for returning command execution results.
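Because the malware rides on the same MQTT broker traffic that legitimate pumps and tank gauges use, the practical detection handle is the topic names themselves: an OT site normally has a small, stable set of topics, so anything published or subscribed outside that set deserves a look. The following is an added example for this article, not code from the OrpaCrab sample or from Kaspersky. It parses MQTT 3.1.1 PUBLISH and SUBSCRIBE control packets from a captured TCP stream, lists the topics seen in each direction, and flags those missing from a site allowlist. The topic names, allowlist and sample bytes are constructed for illustration and are not indicators from the real malware.

```python
"""Extract MQTT topic names from a captured broker stream and flag those outside
an operational allowlist.  Added example; not code from the OrpaCrab sample.
All topic names and packet bytes below are constructed for illustration."""
import struct

PUBLISH = 3     # MQTT control packet type (upper nibble of first byte)
SUBSCRIBE = 8


def read_remaining_length(buf, pos):
    """Decode the MQTT variable-length integer at buf[pos]; return (value, next_pos)."""
    multiplier, value = 1, 0
    for _ in range(4):                      # spec allows at most four bytes
        if pos >= len(buf):
            raise ValueError("truncated remaining length")
        byte = buf[pos]
        pos += 1
        value += (byte & 0x7F) * multiplier
        if not byte & 0x80:                 # continuation bit clear: done
            return value, pos
        multiplier *= 128
    raise ValueError("malformed remaining length")


def read_utf8_string(body, pos):
    """Read a length-prefixed (2-byte big-endian) UTF-8 string; return (text, next_pos)."""
    (length,) = struct.unpack_from(">H", body, pos)
    pos += 2
    return body[pos:pos + length].decode("utf-8", errors="replace"), pos + length


def iter_packets(stream):
    """Yield (packet_type, flags, body) for every control packet in the stream."""
    pos = 0
    while pos < len(stream):
        first = stream[pos]
        ptype, flags = first >> 4, first & 0x0F
        length, pos = read_remaining_length(stream, pos + 1)
        body = stream[pos:pos + length]
        if len(body) != length:
            raise ValueError("truncated packet body")
        pos += length
        yield ptype, flags, body


def extract_topics(stream):
    """Return (direction, topic) pairs: 'publish' for PUBLISH topics,
    'subscribe' for each topic filter carried in a SUBSCRIBE packet."""
    found = []
    for ptype, flags, body in iter_packets(stream):
        if ptype == PUBLISH:
            topic, _ = read_utf8_string(body, 0)   # topic precedes packet id/payload
            found.append(("publish", topic))
        elif ptype == SUBSCRIBE:
            pos = 2                                # skip 2-byte packet identifier
            while pos < len(body):
                topic, pos = read_utf8_string(body, pos)
                pos += 1                           # skip requested-QoS byte
                found.append(("subscribe", topic))
    return found


def flag_unexpected_topics(stream, allowlist):
    """Topics seen in the stream that are not part of the site's known traffic."""
    return [(d, t) for d, t in extract_topics(stream) if t not in allowlist]


# --- constructed sample traffic (builders used only to fabricate test input) ---
def encode_remaining_length(n):
    out = bytearray()
    while True:
        byte, n = n % 128, n // 128
        out.append(byte | 0x80 if n else byte)
        if not n:
            return bytes(out)


def build_publish(topic, payload, qos=0):
    body = struct.pack(">H", len(topic)) + topic.encode()
    if qos:
        body += struct.pack(">H", 1)               # packet identifier for QoS > 0
    body += payload
    return bytes([0x30 | (qos << 1)]) + encode_remaining_length(len(body)) + body


def build_subscribe(filters, packet_id=7):
    body = struct.pack(">H", packet_id)
    for f in filters:
        body += struct.pack(">H", len(f)) + f.encode() + b"\x00"
    return bytes([0x82]) + encode_remaining_length(len(body)) + body


OPERATIONAL_TOPICS = {"site/pump/1/status", "site/pump/2/status", "site/tank/level"}

SAMPLE_STREAM = (                                   # constructed, not a real capture
    build_publish("site/pump/1/status", b"idle")
    + build_publish("site/tank/level", b"5100")
    + build_subscribe(["dev/cfg/in"])               # hypothetical command topic
    + build_publish("dev/cfg/out", b"uname=Linux", qos=1)
)

if __name__ == "__main__":
    for direction, topic in flag_unexpected_topics(SAMPLE_STREAM, OPERATIONAL_TOPICS):
        print(f"unexpected {direction} topic: {topic}")
```

In a real deployment the allowlist would be learned from a baseline capture of the broker, and the same parser can be pointed at a reassembled TCP stream from a network tap; the point is that a topic allowlist catches a C2 channel that protocol-level inspection alone would pass as ordinary MQTT.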

Communication with its C2 server is further obscured using AES-256-CBC encryption to protect configuration information.

Additionally, the backdoor utilizes DNS over HTTPS (DoH) to resolve its C2 domain, effectively circumventing traditional DNS monitoring that might otherwise flag suspicious connections.

Once established on a system, OrpaCrab maintains persistence through an autostart script in “/etc/rc3.d/”, ensuring the backdoor remains operational across system reboots.
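An autostart entry in a SysV run-level directory is a cheap thing to audit on a Linux payment terminal. The following is an added example for this article, not code from the OrpaCrab analysis. It assumes the common SysV convention that entries in an rcN.d directory are S##name or K##name symlinks pointing into /etc/init.d, and it reports anything that breaks that convention: an oddly named entry, a regular file dropped directly into the directory, or a symlink whose target resolves outside the init directory. The sample directory tree it builds under a temporary path is constructed for illustration.

```python
"""Audit a SysV run-level directory (for example /etc/rc3.d) for autostart entries
that do not follow the S##name/K##name-symlink-into-init.d convention.
Added example for this article; not code from the OrpaCrab analysis."""
import os
import re
import tempfile

# Conventional entry name: S or K, two-digit priority, then the service name.
ENTRY_RE = re.compile(r"^[SK]\d\d[A-Za-z0-9_.+-]+$")


def audit_runlevel_dir(rc_dir, init_dir="/etc/init.d", baseline=frozenset()):
    """Return (entry_name, reason) findings for suspicious entries in rc_dir.
    Entries listed in `baseline` (names already reviewed) are skipped."""
    findings = []
    init_real = os.path.realpath(init_dir)
    for name in sorted(os.listdir(rc_dir)):
        if name in baseline:
            continue
        path = os.path.join(rc_dir, name)
        if not ENTRY_RE.match(name):
            findings.append((name, "non-standard entry name"))
        if os.path.islink(path):
            target = os.path.realpath(path)
            # A link that leaves the init directory is not how packages install services.
            if os.path.commonpath([target, init_real]) != init_real:
                findings.append((name, f"symlink target outside init dir: {target}"))
        elif os.path.isfile(path):
            findings.append((name, "regular file instead of symlink"))
    return findings


def build_sample():
    """Construct a throwaway tree that mimics /etc/init.d and /etc/rc3.d.
    Two conventional services, one stray script, one link to an outside path."""
    root = tempfile.mkdtemp()
    init_dir = os.path.join(root, "init.d")
    rc_dir = os.path.join(root, "rc3.d")
    outside = os.path.join(root, "opt_agent")        # hypothetical non-package location
    for d in (init_dir, rc_dir, outside):
        os.mkdir(d)
    for prio, svc in (("01", "cron"), ("02", "network")):
        with open(os.path.join(init_dir, svc), "w") as fh:
            fh.write("#!/bin/sh\n")
        os.symlink(os.path.join(init_dir, svc), os.path.join(rc_dir, f"S{prio}{svc}"))
    with open(os.path.join(rc_dir, "S99update"), "w") as fh:   # script placed directly
        fh.write("#!/bin/sh\n")
    with open(os.path.join(outside, "run"), "w") as fh:
        fh.write("#!/bin/sh\n")
    os.symlink(os.path.join(outside, "run"), os.path.join(rc_dir, "S20agent"))
    return root, rc_dir, init_dir


if __name__ == "__main__":
    _, rc_dir, init_dir = build_sample()
    for name, reason in audit_runlevel_dir(rc_dir, init_dir):
        print(f"{rc_dir}/{name}: {reason}")
```

Run against a live host as `audit_runlevel_dir("/etc/rc3.d")`, ideally comparing the resulting entry list to a golden image of the terminal, since a reviewed baseline is what turns this from a list of files into an alert.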

The malware’s capabilities include arbitrary command execution, self-removal when detection is imminent, and dynamic reconfiguration of its MQTT broker settings to adapt to changing security landscapes.
