win.triton

Triton

aka: Trisis, HatMan

Actor(s): XENOTIME


Malware targeting Triconex Safety Instrumented System (SIS) controllers, which are commonly used in Industrial Control Systems (ICS).

References
2022-07-26 | Mandiant | Daniel Kapellmann Zafra, Jay Christiansen, Keith Lunden, Ken Proska, Thibault van Geluwe de Berlaere
    Mandiant Red Team Emulates FIN11 Tactics To Control Operational Technology Servers
    Families: Clop, Industroyer, MimiKatz, Triton

2022-04-20 | CISA | CISA
    Alert (AA22-110A): Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure
    Families: VPNFilter, BlackEnergy, DanaBot, DoppelDridex, Emotet, EternalPetya, GoldMax, Industroyer, Sality, SmokeLoader, TrickBot, Triton, Zloader; Actor: Killnet

2022-04-20 | CISA | Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), CISA, FBI, Government Communications Security Bureau, National Crime Agency (NCA), NCSC UK, NSA
    AA22-110A Joint CSA: Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure
    Families: VPNFilter, BlackEnergy, DanaBot, DoppelDridex, Emotet, EternalPetya, GoldMax, Industroyer, Sality, SmokeLoader, TrickBot, Triton, Zloader

2022-03-24 | FBI | FBI
    PIN Number 20220324-001: TRITON Malware Remains Threat to Global Critical Infrastructure Industrial Control Systems (ICS)
    Families: Triton

2022-03-24 | CISA | US-CERT
    Alert (AA22-083A): Tactics, Techniques, and Procedures of Indicted State-Sponsored Russian Cyber Actors Targeting the Energy Sector
    Families: Havex RAT, Triton

2021-02-11 | DomainTools | Joe Slowik
    Visibility, Monitoring, and Critical Infrastructure Security
    Families: Industroyer, Stuxnet, Triton

2020-12-21 | IronNet | Adam Hlavek, Kimberly Ortiz
    Russian cyber attack campaigns and actors
    Families: WellMail, elf.wellmess, Agent.BTZ, BlackEnergy, EternalPetya, Havex RAT, Industroyer, Ryuk, Triton, WellMess

2020-10-23 | U.S. Department of the Treasury | U.S. Department of the Treasury
    Treasury Sanctions Russian Government Research Institution Connected to the Triton Malware
    Families: Triton

2019-08-01 | Kaspersky Labs | GReAT
    APT trends report Q2 2019
    Families: ZooPark, magecart, POWERSTATS, Chaperone, COMpfun, EternalPetya, FinFisher RAT, HawkEye Keylogger, HOPLIGHT, Microcin, NjRAT, Olympic Destroyer, PLEAD, RokRAT, Triton, Zebrocy

2019-04-10 | Github (ICSrepo) | Marcin Dudek
    TRISIS / TRITON / HatMan Malware Repository
    Families: Triton

2019-03-07 | E&E News | Blake Sobczak
    The inside story of the world's most dangerous malware
    Families: Triton

2018-10-23 | FireEye | FireEye Intelligence
    TRITON Attribution: Russian Government-Owned Lab Most Likely Built Custom Intrusion Tools for TRITON Attackers
    Families: Triton

2018-10-01 | SANS Cyber Summit | Andrea Carcano
    TRITON: How it Disrupted Safety Systems and Changed the Threat Landscape of Industrial Control Systems, Forever
    Families: Triton

2018-08-08 | Nozomi Networks | Alessandro Di Pinto, Andrea Carcano, Younes Dragoni
    TRITON: The First ICS Cyber Attack on Safety Instrument Systems
    Families: Triton

2018-04-10 | NCCIC | NCCIC
    MAR-17-352-01 HatMan - Safety System Targeted Malware (Update A)
    Families: Triton

2018-01-16 | Midnight Blue Labs | Carlo Meijer, Jos Wetzels
    Analyzing the TRITON industrial malware
    Families: Triton

2017-12-18 | NCCIC | NCCIC
    Malware Analysis Report on Hatman
    Families: Triton

2017-12-14 | FireEye | Blake Johnson, Christopher Glyer, Dan Caban, Dan Scali, Marina Krotofil, Nathan Brubaker
    Attackers Deploy New ICS Attack Framework "TRITON" and Cause Operational Disruption to Critical Infrastructure
    Families: Triton; Actor: TEMP.Veles

2017-12-13 | Dragos | Dragos
    TRISIS Malware: Analysis of Safety System Targeted Malware
    Families: Triton
Yara Rules
[TLP:WHITE] win_triton_w0 (20180123 | TRITON framework recovered during Mandiant ICS incident response)
rule win_triton_w0 {
    meta:
        author = "nicholas.carr @itsreallynick"
        md5 = "0face841f7b2953e7c29c064d6886523"
        description = "TRITON framework recovered during Mandiant ICS incident response"
        reference = "https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.triton"
        malpedia_version = "20180123"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $python_compiled = ".pyc" nocase ascii wide
        $python_module_01 = "__module__" nocase ascii wide
        $python_module_02 = "<module>" nocase ascii wide
        $python_script_01 = "import Ts" nocase ascii wide
        $python_script_02 = "def ts_" nocase ascii wide  

        $py_cnames_01 = "TS_cnames.py" nocase ascii wide
        $py_cnames_02 = "TRICON" nocase ascii wide
        $py_cnames_03 = "TriStation " nocase ascii wide
        $py_cnames_04 = " chassis " nocase ascii wide  

        $py_tslibs_01 = "GetCpStatus" nocase ascii wide
        $py_tslibs_02 = "ts_" ascii wide
        $py_tslibs_03 = " sequence" nocase ascii wide
        $py_tslibs_04 = /import Ts(Hi|Low|Base)[^:alpha:]/ nocase ascii wide
        $py_tslibs_05 = /module\s?version/ nocase ascii wide
        $py_tslibs_06 = "bad " nocase ascii wide
        $py_tslibs_07 = "prog_cnt" nocase ascii wide  

        $py_tsbase_01 = "TsBase.py" nocase ascii wide
        $py_tsbase_02 = ".TsBase(" nocase ascii wide 

        $py_tshi_01 = "TsHi.py" nocase ascii wide
        $py_tshi_02 = "keystate" nocase ascii wide
        $py_tshi_03 = "GetProjectInfo" nocase ascii wide
        $py_tshi_04 = "GetProgramTable" nocase ascii wide
        $py_tshi_05 = "SafeAppendProgramMod" nocase ascii wide
        $py_tshi_06 = ".TsHi(" ascii nocase wide  

        $py_tslow_01 = "TsLow.py" nocase ascii wide
        $py_tslow_02 = "print_last_error" ascii nocase wide
        $py_tslow_03 = ".TsLow(" ascii nocase wide
        $py_tslow_04 = "tcm_" ascii wide
        $py_tslow_05 = " TCM found" nocase ascii wide  

        $py_crc_01 = "crc.pyc" nocase ascii wide
        $py_crc_02 = "CRC16_MODBUS" ascii wide
        $py_crc_03 = "Kotov Alaxander" nocase ascii wide
        $py_crc_04 = "CRC_CCITT_XMODEM" ascii wide
        $py_crc_05 = "crc16ret" ascii wide
        $py_crc_06 = "CRC16_CCITT_x1D0F" ascii wide
        $py_crc_07 = /CRC16_CCITT[^_]/ ascii wide  

        $py_sh_01 = "sh.pyc" nocase ascii wide  

        $py_keyword_01 = " FAILURE" ascii wide
        $py_keyword_02 = "symbol table" nocase ascii wide  

        $py_TRIDENT_01 = "inject.bin" ascii nocase wide
        $py_TRIDENT_02 = "imain.bin" ascii nocase wide  

    condition:
        2 of ($python_*) and 7 of ($py_*) and filesize < 3MB
}
[TLP:WHITE] win_triton_w1 (20210727 | Matches the known samples of the HatMan malware.)
rule win_triton_w1 {
    meta:
        author = "DHS/NCCIC/ICS-CERT"
        description = "Matches the known samples of the HatMan malware."
        info = "original ruleset condensed into one rule."
        source = ""
        malpedia_rule_date = "20210727"
        malpedia_hash = ""
        malpedia_version = "20210727"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.triton"
    strings:
        $nullsub = { ff ff 60 38 02 00 00 44 20 00 80 4e }
        $preset = { 80 00 40 3c 00 00 62 80 40 00 80 3c 40 20 03 7c
                    ?? ?? 82 40 04 00 62 80 60 00 80 3c 40 20 03 7c
                    ?? ?? 82 40 ?? ?? 42 38                         }
        $div1 = { 9a 78 56 00 }
        $div2 = { 34 12 00 00 }
        $memcpy_be = { 7c a9 03 a6 38 84 ff ff 38 63 ff ff 8c a4 00 01
                       9c a3 00 01 42 00 ff f8 4e 80 00 20             }
        $memcpy_le = { a6 03 a9 7c ff ff 84 38 ff ff 63 38 01 00 a4 8c
                       01 00 a3 9c f8 ff 00 42 20 00 80 4e             }
        $oaddr_be = { 3c 60 00 03 60 63 96 f4 4e 80 00 20 }
        $oaddr_le = { 03 00 60 3c f4 96 63 60 20 00 80 4e }
        $loadoff_be = { 80 60 00 04 48 00 ?? ?? 70 60 ff ff 28 00 00 00
                        40 82 ?? ?? 28 03 00 00 41 82 ?? ??             }
        $loadoff_le = { 04 00 60 80 ?? ?? 00 48 ff ff 60 70 00 00 00 28
                        ?? ?? 82 40 00 00 03 28 ?? ?? 82 41             }
        $mfmsr_be = { 7c 63 00 a6 }
        $mfmsr_le = { a6 00 63 7c }
        $mtmsr_be = { 7c 63 01 24 }
        $mtmsr_le = { 24 01 63 7c }
        $ocode_be = { 3c 00 00 03 60 00 a0 b0 7c 09 03 a6 4e 80 04 20 }
        $ocode_le = { 03 00 00 3c b0 a0 00 60 a6 03 09 7c 20 04 80 4e }
    condition:
        ((filesize < 350KB) and $nullsub and $preset and $div1 and $div2)
        or ((filesize < 350KB) and ($memcpy_be or $memcpy_le) and ($oaddr_be or $oaddr_le) and ($loadoff_be or $loadoff_le) and not (filesize < 350KB) and ($memcpy_be or $memcpy_le) and ($ocode_be or $ocode_le) and (($mfmsr_be and $mtmsr_be) or ($mfmsr_le and $mtmsr_le))) 
        or ((filesize < 350KB) and ($memcpy_be or $memcpy_le) and ($ocode_be or $ocode_le) and (($mfmsr_be and $mtmsr_be) or ($mfmsr_le and $mtmsr_le)) and not (filesize < 350KB) and ($memcpy_be or $memcpy_le) and ($oaddr_be or $oaddr_le) and ($loadoff_be or $loadoff_le)) 
        or ((filesize < 350KB) and ($memcpy_be or $memcpy_le) and ($oaddr_be or $oaddr_le) and ($loadoff_be or $loadoff_le) and (filesize < 350KB) and ($memcpy_be or $memcpy_le) and ($ocode_be or $ocode_le) and (($mfmsr_be and $mtmsr_be) or ($mfmsr_le and $mtmsr_le)) and $div1 and $div2)
}