win.triton

Triton

aka: Trisis, HatMan

Actor(s): XENOTIME


Malware targeting Triconex Safety Instrumented System (SIS) controllers, which are commonly used in Industrial Control Systems (ICS).

References
2022-07-26MandiantThibault van Geluwe de Berlaere, Jay Christiansen, Daniel Kapellmann Zafra, Ken Proska, Keith Lunden
@online{berlaere:20220726:mandiant:c1c4498, author = {Thibault van Geluwe de Berlaere and Jay Christiansen and Daniel Kapellmann Zafra and Ken Proska and Keith Lunden}, title = {{Mandiant Red Team Emulates FIN11 Tactics To Control Operational Technology Servers}}, date = {2022-07-26}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/mandiant-red-team-emulates-fin11-tactics}, language = {English}, urldate = {2023-01-19} } Mandiant Red Team Emulates FIN11 Tactics To Control Operational Technology Servers
Clop Industroyer MimiKatz Triton
2022-04-20CISACISA, NSA, FBI, Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), Government Communications Security Bureau, NCSC UK, National Crime Agency (NCA)
@techreport{cisa:20220420:aa22110a:4fde5d6, author = {{CISA} and {NSA} and {FBI} and {Australian Cyber Security Centre (ACSC)} and {Canadian Centre for Cyber Security (CCCS)} and {Government Communications Security Bureau} and {NCSC UK} and {National Crime Agency (NCA)}}, title = {{AA22-110A Joint CSA: Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure}}, date = {2022-04-20}, institution = {CISA}, url = {https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf}, language = {English}, urldate = {2022-04-25} } AA22-110A Joint CSA: Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure
VPNFilter BlackEnergy DanaBot DoppelDridex Emotet EternalPetya GoldMax Industroyer Sality SmokeLoader TrickBot Triton Zloader
2022-04-20CISACISA
@online{cisa:20220420:alert:529e28c, author = {CISA}, title = {{Alert (AA22-110A): Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure}}, date = {2022-04-20}, organization = {CISA}, url = {https://www.cisa.gov/uscert/ncas/alerts/aa22-110a}, language = {English}, urldate = {2022-04-25} } Alert (AA22-110A): Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure
VPNFilter BlackEnergy DanaBot DoppelDridex Emotet EternalPetya GoldMax Industroyer Sality SmokeLoader TrickBot Triton Zloader Killnet
2022-03-24CISAUS-CERT
@online{uscert:20220324:alert:03a7f21, author = {US-CERT}, title = {{Alert (AA22-083A) Tactics, Techniques, and Procedures of Indicted State-Sponsored Russian Cyber Actors Targeting the Energy Sector}}, date = {2022-03-24}, organization = {CISA}, url = {https://www.cisa.gov/uscert/ncas/alerts/aa22-083a}, language = {English}, urldate = {2022-03-25} } Alert (AA22-083A) Tactics, Techniques, and Procedures of Indicted State-Sponsored Russian Cyber Actors Targeting the Energy Sector
Havex RAT Triton
2022-03-24FBIFBI
@techreport{fbi:20220324:pin:d54bbb9, author = {FBI}, title = {{PIN Number 20220324-001 TRITON Malware Remains Threat to Global Critical Infrastructure Industrial Control Systems (ICS)}}, date = {2022-03-24}, institution = {FBI}, url = {https://www.ic3.gov/Media/News/2022/220325.pdf}, language = {English}, urldate = {2022-03-25} } PIN Number 20220324-001 TRITON Malware Remains Threat to Global Critical Infrastructure Industrial Control Systems (ICS)
Triton
2021-02-11DomainToolsJoe Slowik
@online{slowik:20210211:visibility:5d2f96e, author = {Joe Slowik}, title = {{Visibility, Monitoring, and Critical Infrastructure Security}}, date = {2021-02-11}, organization = {DomainTools}, url = {https://www.domaintools.com/resources/blog/visibility-monitoring-and-critical-infrastructure-security}, language = {English}, urldate = {2021-02-20} } Visibility, Monitoring, and Critical Infrastructure Security
Industroyer Stuxnet Triton
2020-12-21IronNetAdam Hlavek, Kimberly Ortiz
@online{hlavek:20201221:russian:804662f, author = {Adam Hlavek and Kimberly Ortiz}, title = {{Russian cyber attack campaigns and actors}}, date = {2020-12-21}, organization = {IronNet}, url = {https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors}, language = {English}, urldate = {2021-01-05} } Russian cyber attack campaigns and actors
WellMail elf.wellmess Agent.BTZ BlackEnergy EternalPetya Havex RAT Industroyer Ryuk Triton WellMess
2020-10-23U.S. Department of the TreasuryU.S. Department of the Treasury
@online{treasury:20201023:treasury:c08bd19, author = {{U.S. Department of the Treasury}}, title = {{Treasury Sanctions Russian Government Research Institution Connected to the Triton Malware}}, date = {2020-10-23}, organization = {U.S. Department of the Treasury}, url = {https://home.treasury.gov/news/press-releases/sm1162}, language = {English}, urldate = {2020-10-26} } Treasury Sanctions Russian Government Research Institution Connected to the Triton Malware
Triton
2019-08-01Kaspersky LabsGReAT
@online{great:20190801:trends:5e25d5b, author = {GReAT}, title = {{APT trends report Q2 2019}}, date = {2019-08-01}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q2-2019/91897/}, language = {English}, urldate = {2020-08-13} } APT trends report Q2 2019
ZooPark magecart POWERSTATS Chaperone COMpfun EternalPetya FinFisher RAT HawkEye Keylogger HOPLIGHT Microcin NjRAT Olympic Destroyer PLEAD RokRAT Triton Zebrocy
2019-04-10Github (ICSrepo)Marcin Dudek
@online{dudek:20190410:trisis:480b199, author = {Marcin Dudek}, title = {{TRISIS / TRITON / HatMan Malware Repository}}, date = {2019-04-10}, organization = {Github (ICSrepo)}, url = {https://github.com/ICSrepo/TRISIS-TRITON-HATMAN}, language = {English}, urldate = {2019-07-09} } TRISIS / TRITON / HatMan Malware Repository
Triton
2019-03-07E&E NewsBlake Sobczak
@online{sobczak:20190307:inside:9bae24e, author = {Blake Sobczak}, title = {{The inside story of the world's most dangerous malware}}, date = {2019-03-07}, organization = {E&E News}, url = {https://www.eenews.net/stories/1060123327/}, language = {English}, urldate = {2020-04-07} } The inside story of the world's most dangerous malware
Triton
2018-10-23FireEyeFireEye Intelligence
@online{intelligence:20181023:triton:95a881f, author = {{FireEye Intelligence}}, title = {{TRITON Attribution: Russian Government-Owned Lab Most Likely Built Custom Intrusion Tools for TRITON Attackers}}, date = {2018-10-23}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html}, language = {English}, urldate = {2019-12-20} } TRITON Attribution: Russian Government-Owned Lab Most Likely Built Custom Intrusion Tools for TRITON Attackers
Triton
2018-10-01SANS Cyber SummitAndrea Carcano
@techreport{carcano:20181001:triton:7863291, author = {Andrea Carcano}, title = {{TRITON: How it Disrupted Safety Systems and Changed the Threat Landscape of Industrial Control Systems, Forever}}, date = {2018-10-01}, institution = {SANS Cyber Summit}, url = {https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1538425180.pdf}, language = {English}, urldate = {2020-01-20} } TRITON: How it Disrupted Safety Systems and Changed the Threat Landscape of Industrial Control Systems, Forever
Triton
2018-08-08Nozomi NetworksAlessandro Di Pinto, Younes Dragoni, Andrea Carcano
@techreport{pinto:20180808:triton:7c9e25d, author = {Alessandro Di Pinto and Younes Dragoni and Andrea Carcano}, title = {{TRITON: The First ICS Cyber Attack on Safety Instrument Systems}}, date = {2018-08-08}, institution = {Nozomi Networks}, url = {https://www.nozominetworks.com//downloads/US/Nozomi-Networks-TRITON-The-First-SIS-Cyberattack.pdf}, language = {English}, urldate = {2021-09-24} } TRITON: The First ICS Cyber Attack on Safety Instrument Systems
Triton
2018-04-10NCCICNCCIC
@techreport{nccic:20180410:mar1735201:b351b8c, author = {NCCIC}, title = {{MAR-17-352-01 HatMan - Safety System Targeted Malware (Update A)}}, date = {2018-04-10}, institution = {NCCIC}, url = {https://us-cert.cisa.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%20-%20Safety%20System%20Targeted%20Malware%20%28Update%20A%29_S508C.PDF}, language = {English}, urldate = {2021-08-09} } MAR-17-352-01 HatMan - Safety System Targeted Malware (Update A)
Triton
2018-01-16Midnight Blue LabsJos Wetzels, Carlo Meijer
@online{wetzels:20180116:analyzing:aac7e2f, author = {Jos Wetzels and Carlo Meijer}, title = {{Analyzing the TRITON industrial malware}}, date = {2018-01-16}, organization = {Midnight Blue Labs}, url = {https://www.midnightbluelabs.com/blog/2018/1/16/analyzing-the-triton-industrial-malware}, language = {English}, urldate = {2020-01-07} } Analyzing the TRITON industrial malware
Triton
2017-12-18NCCICNCCIC
@techreport{nccic:20171218:malware:42d9be2, author = {NCCIC}, title = {{Malware Analysis Report on Hatman}}, date = {2017-12-18}, institution = {NCCIC}, url = {https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%E2%80%94Safety%20System%20Targeted%20Malware_S508C.pdf}, language = {English}, urldate = {2020-01-09} } Malware Analysis Report on Hatman
Triton
2017-12-14FireEyeBlake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer
@online{johnson:20171214:attackers:6b0be76, author = {Blake Johnson and Dan Caban and Marina Krotofil and Dan Scali and Nathan Brubaker and Christopher Glyer}, title = {{Attackers Deploy New ICS Attack Framework “TRITON” and Cause Operational Disruption to Critical Infrastructure}}, date = {2017-12-14}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html}, language = {English}, urldate = {2019-12-20} } Attackers Deploy New ICS Attack Framework “TRITON” and Cause Operational Disruption to Critical Infrastructure
Triton TEMP.Veles
2017-12-13DragosDragos
@techreport{dragos:20171213:trisis:43675c1, author = {Dragos}, title = {{TRISIS Malware: Analysis of Safety System Targeted Malware}}, date = {2017-12-13}, institution = {Dragos}, url = {https://dragos.com/blog/trisis/TRISIS-01.pdf}, language = {English}, urldate = {2020-01-13} } TRISIS Malware: Analysis of Safety System Targeted Malware
Triton
Yara Rules
[TLP:WHITE] win_triton_w0 (20180123 | TRITON framework recovered during Mandiant ICS incident response)
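rule win_triton_w0 {
    // Detects the Python side of the TRITON framework as recovered during
    // Mandiant's ICS incident response: the TriStation client modules
    // (TsBase / TsHi / TsLow), the TS_cnames constants, the crc helper and
    // the TRIDENT stage file names (inject.bin / imain.bin).
    //
    // Many atoms are deliberately short and generic ("bad ", " FAILURE",
    // "ts_", " sequence"); the condition's "2 of" + "7 of" thresholds and
    // the 3MB size cap are what keep the false-positive rate acceptable.
    // Do not relax them without re-testing against a clean corpus of
    // py2exe / PyInstaller bundles, which share the $python_* markers.
    meta:
        author = "nicholas.carr @itsreallynick"
        md5 = "0face841f7b2953e7c29c064d6886523"
        description = "TRITON framework recovered during Mandiant ICS incident response"
        reference = "https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.triton"
        malpedia_version = "20180123"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        // Generic compiled/bundled Python markers (any pyc-carrying bundle
        // will hit these; they only gate the rule, they do not identify it).
        $python_compiled = ".pyc" nocase ascii wide
        $python_module_01 = "__module__" nocase ascii wide
        $python_module_02 = "<module>" nocase ascii wide
        $python_script_01 = "import Ts" nocase ascii wide
        $python_script_02 = "def ts_" nocase ascii wide

        // TS_cnames.py: TriStation / Tricon protocol constant names.
        $py_cnames_01 = "TS_cnames.py" nocase ascii wide
        $py_cnames_02 = "TRICON" nocase ascii wide
        $py_cnames_03 = "TriStation " nocase ascii wide
        $py_cnames_04 = " chassis " nocase ascii wide

        // Shared TriStation library strings.
        $py_tslibs_01 = "GetCpStatus" nocase ascii wide
        $py_tslibs_02 = "ts_" ascii wide
        $py_tslibs_03 = " sequence" nocase ascii wide
        // "import TsHi|TsLow|TsBase" followed by a non-letter. The original
        // rule wrote the trailing class as [^:alpha:]; that is not a POSIX
        // class (which would need the outer brackets, [[:alpha:]]) but a
        // negated set of the five literal characters ':' 'a' 'l' 'p' 'h',
        // so "import TsHix" matched and "import TsHi:" did not. [^a-zA-Z]
        // expresses the intended "followed by a non-letter"; nocase already
        // applies, so the explicit upper-case range is only for clarity.
        $py_tslibs_04 = /import Ts(Hi|Low|Base)[^a-zA-Z]/ nocase ascii wide
        $py_tslibs_05 = /module\s?version/ nocase ascii wide
        $py_tslibs_06 = "bad " nocase ascii wide
        $py_tslibs_07 = "prog_cnt" nocase ascii wide

        // TsBase.py
        $py_tsbase_01 = "TsBase.py" nocase ascii wide
        $py_tsbase_02 = ".TsBase(" nocase ascii wide

        // TsHi.py: high-level controller operations (program table /
        // project info / program modification).
        $py_tshi_01 = "TsHi.py" nocase ascii wide
        $py_tshi_02 = "keystate" nocase ascii wide
        $py_tshi_03 = "GetProjectInfo" nocase ascii wide
        $py_tshi_04 = "GetProgramTable" nocase ascii wide
        $py_tshi_05 = "SafeAppendProgramMod" nocase ascii wide
        $py_tshi_06 = ".TsHi(" ascii nocase wide

        // TsLow.py: low-level transport layer (TCM = communication module).
        $py_tslow_01 = "TsLow.py" nocase ascii wide
        $py_tslow_02 = "print_last_error" ascii nocase wide
        $py_tslow_03 = ".TsLow(" ascii nocase wide
        $py_tslow_04 = "tcm_" ascii wide
        $py_tslow_05 = " TCM found" nocase ascii wide

        // crc.pyc: CRC helper. "Kotov Alaxander" is matched verbatim as it
        // appears in the sample; do not "correct" the spelling.
        $py_crc_01 = "crc.pyc" nocase ascii wide
        $py_crc_02 = "CRC16_MODBUS" ascii wide
        $py_crc_03 = "Kotov Alaxander" nocase ascii wide
        $py_crc_04 = "CRC_CCITT_XMODEM" ascii wide
        $py_crc_05 = "crc16ret" ascii wide
        $py_crc_06 = "CRC16_CCITT_x1D0F" ascii wide
        $py_crc_07 = /CRC16_CCITT[^_]/ ascii wide

        $py_sh_01 = "sh.pyc" nocase ascii wide

        $py_keyword_01 = " FAILURE" ascii wide
        $py_keyword_02 = "symbol table" nocase ascii wide

        // TRIDENT stage file names carried alongside the Python code.
        $py_TRIDENT_01 = "inject.bin" ascii nocase wide
        $py_TRIDENT_02 = "imain.bin" ascii nocase wide

    condition:
        // Two generic Python markers gate the rule; seven framework-specific
        // atoms are required on top of that to keep generic bundles out.
        2 of ($python_*) and 7 of ($py_*) and filesize < 3MB
}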
[TLP:WHITE] win_triton_w1 (20210727 | Matches the known samples of the HatMan malware.)
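rule win_triton_w1 {
    // DHS/NCCIC/ICS-CERT HatMan (TRITON) ruleset condensed into one rule.
    // The strings are raw opcode and constant patterns, each given in both
    // big-endian (_be) and little-endian (_le) byte order; the mfmsr/mtmsr
    // names are PowerPC mnemonics, consistent with the controller firmware
    // the two binary stages target.
    //
    // Per the original NCCIC ruleset these fall into two groups — presumably
    // the injector stage ($memcpy + $oaddr + $loadoff) and the payload stage
    // ($memcpy + $ocode + mfmsr/mtmsr); verify the grouping against
    // MAR-17-352-01 before relying on the branch labels below.
    //
    // The condition was rebuilt with explicit grouping. The earlier condensed
    // form wrote the "injector-only" branch as
    //   (filesize < 350KB) and A and not (filesize < 350KB) and B
    // YARA's "not" binds tighter than "and", so that parsed as
    //   filesize < 350KB and A and (filesize >= 350KB) and B
    // which is unsatisfiable; the same happened to the "payload-only"
    // branch. Only the nullsub/preset branch and the "both stages" branch
    // could ever fire, so a file carrying a single stage was missed.
    meta:
        author = "DHS/NCCIC/ICS-CERT"
        description = "Matches the known samples of the HatMan malware."
        info = "original ruleset condensed into one rule."
        source = ""
        malpedia_rule_date = "20210727"
        malpedia_hash = ""
        malpedia_version = "20210727"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.triton"
    strings:
        // Null-subroutine patch and the status preset/compare sequence.
        $nullsub = { ff ff 60 38 02 00 00 44 20 00 80 4e }
        $preset = { 80 00 40 3c 00 00 62 80 40 00 80 3c 40 20 03 7c
                    ?? ?? 82 40 04 00 62 80 60 00 80 3c 40 20 03 7c
                    ?? ?? 82 40 ?? ?? 42 38                         }
        // Two 4-byte divider constants. Far too short to stand alone; the
        // condition only ever uses them in combination with other atoms.
        $div1 = { 9a 78 56 00 }
        $div2 = { 34 12 00 00 }
        // Byte-copy loop shared by both stages.
        $memcpy_be = { 7c a9 03 a6 38 84 ff ff 38 63 ff ff 8c a4 00 01
                       9c a3 00 01 42 00 ff f8 4e 80 00 20             }
        $memcpy_le = { a6 03 a9 7c ff ff 84 38 ff ff 63 38 01 00 a4 8c
                       01 00 a3 9c f8 ff 00 42 20 00 80 4e             }
        // Hard-coded address return and load-offset checks (first group).
        $oaddr_be = { 3c 60 00 03 60 63 96 f4 4e 80 00 20 }
        $oaddr_le = { 03 00 60 3c f4 96 63 60 20 00 80 4e }
        $loadoff_be = { 80 60 00 04 48 00 ?? ?? 70 60 ff ff 28 00 00 00
                        40 82 ?? ?? 28 03 00 00 41 82 ?? ??             }
        $loadoff_le = { 04 00 60 80 ?? ?? 00 48 ff ff 60 70 00 00 00 28
                        ?? ?? 82 40 00 00 03 28 ?? ?? 82 41             }
        // Machine-state-register read/write and the code-address jump
        // (second group). mfmsr/mtmsr must match in the SAME byte order.
        $mfmsr_be = { 7c 63 00 a6 }
        $mfmsr_le = { a6 00 63 7c }
        $mtmsr_be = { 7c 63 01 24 }
        $mtmsr_le = { 24 01 63 7c }
        $ocode_be = { 3c 00 00 03 60 00 a0 b0 7c 09 03 a6 4e 80 04 20 }
        $ocode_le = { 03 00 00 3c b0 a0 00 60 a6 03 09 7c 20 04 80 4e }
    condition:
        // Every branch of the original ruleset carried the size cap, so it
        // is hoisted once here.
        filesize < 350KB and
        (
            // (a) nullsub patch + preset sequence + both divider constants
            ( $nullsub and $preset and $div1 and $div2 )
            or
            // (b) first-group markers present, second-group markers absent
            (
                ($memcpy_be or $memcpy_le)
                and ($oaddr_be or $oaddr_le)
                and ($loadoff_be or $loadoff_le)
                and not (
                    ($ocode_be or $ocode_le)
                    and (($mfmsr_be and $mtmsr_be) or ($mfmsr_le and $mtmsr_le))
                )
            )
            or
            // (c) second-group markers present, first-group markers absent
            (
                ($memcpy_be or $memcpy_le)
                and ($ocode_be or $ocode_le)
                and (($mfmsr_be and $mtmsr_be) or ($mfmsr_le and $mtmsr_le))
                and not (
                    ($oaddr_be or $oaddr_le)
                    and ($loadoff_be or $loadoff_le)
                )
            )
            or
            // (d) both groups in one file, plus the divider constants
            (
                ($memcpy_be or $memcpy_le)
                and ($oaddr_be or $oaddr_le)
                and ($loadoff_be or $loadoff_le)
                and ($ocode_be or $ocode_le)
                and (($mfmsr_be and $mtmsr_be) or ($mfmsr_le and $mtmsr_le))
                and $div1 and $div2
            )
        )
}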