win.triton

Triton

aka: Trisis, HatMan

Actor(s): XENOTIME


Malware attacking Triconex Safety Instrumented System (SIS) controllers, which are commonly used in Industrial Control Systems (ICS).

References
2021-02-11DomainToolsJoe Slowik
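@online{slowik:20210211:visibility:5d2f96e,
  author       = {Slowik, Joe},
  title        = {Visibility, Monitoring, and Critical Infrastructure Security},
  date         = {2021-02-11},
  organization = {DomainTools},
  url          = {https://www.domaintools.com/resources/blog/visibility-monitoring-and-critical-infrastructure-security},
  language     = {English},
  urldate      = {2021-02-20},
}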
Industroyer Stuxnet Triton
2020-12-21IronNetAdam Hlavek, Kimberly Ortiz
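@online{hlavek:20201221:russian:804662f,
  author       = {Hlavek, Adam and Ortiz, Kimberly},
  title        = {{Russian} cyber attack campaigns and actors},
  date         = {2020-12-21},
  organization = {IronNet},
  url          = {https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors},
  language     = {English},
  urldate      = {2021-01-05},
}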
WellMail elf.wellmess Agent.BTZ BlackEnergy EternalPetya Havex RAT Industroyer Ryuk Triton WellMess
2020-10-23U.S. Department of the TreasuryU.S. Department of the Treasury
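@online{treasury:20201023:treasury:c08bd19,
  author       = {{U.S. Department of the Treasury}},
  title        = {{Treasury} Sanctions {Russian} Government Research Institution Connected to the {Triton} Malware},
  date         = {2020-10-23},
  organization = {U.S. Department of the Treasury},
  url          = {https://home.treasury.gov/news/press-releases/sm1162},
  language     = {English},
  urldate      = {2020-10-26},
}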
Triton
2019-08-01Kaspersky LabsGReAT
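@online{great:20190801:trends:5e25d5b,
  author       = {{GReAT}},
  title        = {{APT} trends report {Q2} 2019},
  date         = {2019-08-01},
  organization = {Kaspersky Labs},
  url          = {https://securelist.com/apt-trends-report-q2-2019/91897/},
  language     = {English},
  urldate      = {2020-08-13},
}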
ZooPark magecart POWERSTATS Chaperone COMpfun EternalPetya FinFisher RAT HawkEye Keylogger HOPLIGHT Microcin NjRAT Olympic Destroyer PLEAD RokRAT Triton Zebrocy Microcin
2019-04-10Github (ICSrepo)Marcin Dudek
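@online{dudek:20190410:trisis:480b199,
  author       = {Dudek, Marcin},
  title        = {{TRISIS} / {TRITON} / {HatMan} Malware Repository},
  date         = {2019-04-10},
  organization = {Github (ICSrepo)},
  url          = {https://github.com/ICSrepo/TRISIS-TRITON-HATMAN},
  language     = {English},
  urldate      = {2019-07-09},
}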
Triton
2019-03-07E&E NewsBlake Sobczak
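@online{sobczak:20190307:inside:9bae24e,
  author       = {Sobczak, Blake},
  title        = {The inside story of the world's most dangerous malware},
  date         = {2019-03-07},
  organization = {E\&E News},
  url          = {https://www.eenews.net/stories/1060123327/},
  language     = {English},
  urldate      = {2020-04-07},
}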
Triton
2018-10-23FireEyeFireEye Intelligence
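@online{intelligence:20181023:triton:95a881f,
  author       = {{FireEye Intelligence}},
  title        = {{TRITON} Attribution: {Russian} Government-Owned Lab Most Likely Built Custom Intrusion Tools for {TRITON} Attackers},
  date         = {2018-10-23},
  organization = {FireEye},
  url          = {https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html},
  language     = {English},
  urldate      = {2019-12-20},
}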
Triton
2018-10-01SANS Cyber SummitAndrea Carcano
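@techreport{carcano:20181001:triton:7863291,
  author      = {Carcano, Andrea},
  title       = {{TRITON}: How it Disrupted Safety Systems and Changed the Threat Landscape of Industrial Control Systems, Forever},
  date        = {2018-10-01},
  institution = {SANS Cyber Summit},
  url         = {https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1538425180.pdf},
  language    = {English},
  urldate     = {2020-01-20},
}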
Triton
2018-04-10NCCICNCCIC
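@techreport{nccic:20180410:mar1735201:b351b8c,
  author      = {{NCCIC}},
  title       = {{MAR-17-352-01} {HatMan} - Safety System Targeted Malware (Update {A})},
  date        = {2018-04-10},
  institution = {NCCIC},
  url         = {https://us-cert.cisa.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%20-%20Safety%20System%20Targeted%20Malware%20%28Update%20A%29_S508C.PDF},
  language    = {English},
  urldate     = {2021-08-09},
}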
Triton
2018-01-16Midnight Blue LabsJos Wetzels, Carlo Meijer
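@online{wetzels:20180116:analyzing:aac7e2f,
  author       = {Wetzels, Jos and Meijer, Carlo},
  title        = {Analyzing the {TRITON} industrial malware},
  date         = {2018-01-16},
  organization = {Midnight Blue Labs},
  url          = {https://www.midnightbluelabs.com/blog/2018/1/16/analyzing-the-triton-industrial-malware},
  language     = {English},
  urldate      = {2020-01-07},
}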
Triton
2017-12-18NCCICNCCIC
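@techreport{nccic:20171218:malware:42d9be2,
  author      = {{NCCIC}},
  title       = {Malware Analysis Report on {Hatman}},
  date        = {2017-12-18},
  institution = {NCCIC},
  url         = {https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%E2%80%94Safety%20System%20Targeted%20Malware_S508C.pdf},
  language    = {English},
  urldate     = {2020-01-09},
}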
Triton
2017-12-14FireEyeBlake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer
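@online{johnson:20171214:attackers:6b0be76,
  author       = {Johnson, Blake and Caban, Dan and Krotofil, Marina and Scali, Dan and Brubaker, Nathan and Glyer, Christopher},
  title        = {Attackers Deploy New {ICS} Attack Framework “{TRITON}” and Cause Operational Disruption to Critical Infrastructure},
  date         = {2017-12-14},
  organization = {FireEye},
  url          = {https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html},
  language     = {English},
  urldate      = {2019-12-20},
}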
Triton TEMP.Veles
2017-12-13DragosDragos
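@techreport{dragos:20171213:trisis:43675c1,
  author      = {{Dragos}},
  title       = {{TRISIS} Malware: Analysis of Safety System Targeted Malware},
  date        = {2017-12-13},
  institution = {Dragos},
  url         = {https://dragos.com/blog/trisis/TRISIS-01.pdf},
  language    = {English},
  urldate     = {2020-01-13},
}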
Triton
Yara Rules
[TLP:WHITE] win_triton_w0 (20180123 | TRITON framework recovered during Mandiant ICS incident response)
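rule win_triton_w0 {
    // Matches files carrying the Python module/library names and helper strings
    // of the TRITON framework described in the referenced FireEye report.
    // Meta values are the published ones and are left untouched.
    meta:
        author = "nicholas.carr @itsreallynick"
        md5 = "0face841f7b2953e7c29c064d6886523"
        description = "TRITON framework recovered during Mandiant ICS incident response"
        reference = "https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.triton"
        malpedia_version = "20180123"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        // Generic Python artefacts; the condition requires two of these.
        // The $python_* names do not fall under the $py_* wildcard below
        // because of the underscore in "py_".
        $python_compiled = ".pyc" nocase ascii wide
        $python_module_01 = "__module__" nocase ascii wide
        $python_module_02 = "<module>" nocase ascii wide
        $python_script_01 = "import Ts" nocase ascii wide
        $python_script_02 = "def ts_" nocase ascii wide

        // Framework-specific names and fragments; the condition requires seven
        // of all $py_* strings combined.
        $py_cnames_01 = "TS_cnames.py" nocase ascii wide
        $py_cnames_02 = "TRICON" nocase ascii wide
        $py_cnames_03 = "TriStation " nocase ascii wide
        $py_cnames_04 = " chassis " nocase ascii wide

        $py_tslibs_01 = "GetCpStatus" nocase ascii wide
        // Three-byte string: keep an eye on scan-time warnings for it.
        $py_tslibs_02 = "ts_" ascii wide
        $py_tslibs_03 = " sequence" nocase ascii wide
        // Originally written as `[^:alpha:]`, which YARA reads as a literal set
        // excluding only ':', 'a', 'l', 'p' and 'h' (no POSIX bracket classes).
        // The evident intent is "module name not followed by another letter".
        $py_tslibs_04 = /import Ts(Hi|Low|Base)[^a-zA-Z]/ nocase ascii wide
        $py_tslibs_05 = /module\s?version/ nocase ascii wide
        $py_tslibs_06 = "bad " nocase ascii wide
        $py_tslibs_07 = "prog_cnt" nocase ascii wide

        $py_tsbase_01 = "TsBase.py" nocase ascii wide
        $py_tsbase_02 = ".TsBase(" nocase ascii wide

        $py_tshi_01 = "TsHi.py" nocase ascii wide
        $py_tshi_02 = "keystate" nocase ascii wide
        $py_tshi_03 = "GetProjectInfo" nocase ascii wide
        $py_tshi_04 = "GetProgramTable" nocase ascii wide
        $py_tshi_05 = "SafeAppendProgramMod" nocase ascii wide
        $py_tshi_06 = ".TsHi(" ascii nocase wide

        $py_tslow_01 = "TsLow.py" nocase ascii wide
        $py_tslow_02 = "print_last_error" ascii nocase wide
        $py_tslow_03 = ".TsLow(" ascii nocase wide
        $py_tslow_04 = "tcm_" ascii wide
        $py_tslow_05 = " TCM found" nocase ascii wide

        // Strings from the bundled CRC helper module; the misspelling in
        // $py_crc_03 is intentional (it is what the sample contains).
        $py_crc_01 = "crc.pyc" nocase ascii wide
        $py_crc_02 = "CRC16_MODBUS" ascii wide
        $py_crc_03 = "Kotov Alaxander" nocase ascii wide
        $py_crc_04 = "CRC_CCITT_XMODEM" ascii wide
        $py_crc_05 = "crc16ret" ascii wide
        $py_crc_06 = "CRC16_CCITT_x1D0F" ascii wide
        $py_crc_07 = /CRC16_CCITT[^_]/ ascii wide

        $py_sh_01 = "sh.pyc" nocase ascii wide

        $py_keyword_01 = " FAILURE" ascii wide
        $py_keyword_02 = "symbol table" nocase ascii wide

        $py_TRIDENT_01 = "inject.bin" ascii nocase wide
        $py_TRIDENT_02 = "imain.bin" ascii nocase wide

    condition:
        // Two generic Python markers, seven framework-specific ones, and a
        // size cap to keep scanning cheap.
        2 of ($python_*) and 7 of ($py_*) and filesize < 3MB
}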
[TLP:WHITE] win_triton_w1 (20210727 | Matches the known samples of the HatMan malware.)
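rule win_triton_w1 {
    // Byte-pattern rule for the HatMan (TRITON) controller-side components,
    // condensed from the original DHS/NCCIC/ICS-CERT ruleset into one rule.
    // Meta values are the published ones and are left untouched.
    meta:
        author = "DHS/NCCIC/ICS-CERT"
        description = "Matches the known samples of the HatMan malware."
        info = "original ruleset condensed into one rule."
        source = ""
        malpedia_rule_date = "20210727"
        malpedia_hash = ""
        malpedia_version = "20210727"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.triton"
    strings:
        // Patterns come in big-endian (_be) and little-endian (_le) pairs; the
        // condition accepts either byte order within a pair.
        $nullsub = { ff ff 60 38 02 00 00 44 20 00 80 4e }
        $preset = { 80 00 40 3c 00 00 62 80 40 00 80 3c 40 20 03 7c
                    ?? ?? 82 40 04 00 62 80 60 00 80 3c 40 20 03 7c
                    ?? ?? 82 40 ?? ?? 42 38                         }
        $div1 = { 9a 78 56 00 }
        $div2 = { 34 12 00 00 }
        $memcpy_be = { 7c a9 03 a6 38 84 ff ff 38 63 ff ff 8c a4 00 01
                       9c a3 00 01 42 00 ff f8 4e 80 00 20             }
        $memcpy_le = { a6 03 a9 7c ff ff 84 38 ff ff 63 38 01 00 a4 8c
                       01 00 a3 9c f8 ff 00 42 20 00 80 4e             }
        $oaddr_be = { 3c 60 00 03 60 63 96 f4 4e 80 00 20 }
        $oaddr_le = { 03 00 60 3c f4 96 63 60 20 00 80 4e }
        $loadoff_be = { 80 60 00 04 48 00 ?? ?? 70 60 ff ff 28 00 00 00
                        40 82 ?? ?? 28 03 00 00 41 82 ?? ??             }
        $loadoff_le = { 04 00 60 80 ?? ?? 00 48 ff ff 60 70 00 00 00 28
                        ?? ?? 82 40 00 00 03 28 ?? ?? 82 41             }
        $mfmsr_be = { 7c 63 00 a6 }
        $mfmsr_le = { a6 00 63 7c }
        $mtmsr_be = { 7c 63 01 24 }
        $mtmsr_le = { 24 01 63 7c }
        $ocode_be = { 3c 00 00 03 60 00 a0 b0 7c 09 03 a6 4e 80 04 20 }
        $ocode_le = { 03 00 00 3c b0 a0 00 60 a6 03 09 7c 20 04 80 4e }
    condition:
        // Clause 1: $nullsub/$preset with both dividers.
        ((filesize < 350KB) and $nullsub and $preset and $div1 and $div2)
        // Clause 2: the $oaddr/$loadoff group present, the $ocode/$mfmsr/$mtmsr
        // group absent. The negation has to span the whole second conjunction;
        // as originally written, `not` bound only to `(filesize < 350KB)`, so the
        // clause contained `A and ... and not A` and could never be true.
        or ((filesize < 350KB) and ($memcpy_be or $memcpy_le) and ($oaddr_be or $oaddr_le) and ($loadoff_be or $loadoff_le)
            and not ((filesize < 350KB) and ($memcpy_be or $memcpy_le) and ($ocode_be or $ocode_le) and (($mfmsr_be and $mtmsr_be) or ($mfmsr_le and $mtmsr_le))))
        // Clause 3: the $ocode/$mfmsr/$mtmsr group present, the $oaddr/$loadoff
        // group absent (same parenthesisation fix as clause 2).
        or ((filesize < 350KB) and ($memcpy_be or $memcpy_le) and ($ocode_be or $ocode_le) and (($mfmsr_be and $mtmsr_be) or ($mfmsr_le and $mtmsr_le))
            and not ((filesize < 350KB) and ($memcpy_be or $memcpy_le) and ($oaddr_be or $oaddr_le) and ($loadoff_be or $loadoff_le)))
        // Clause 4: both groups present together with both dividers.
        or ((filesize < 350KB) and ($memcpy_be or $memcpy_le) and ($oaddr_be or $oaddr_le) and ($loadoff_be or $loadoff_le)
            and (filesize < 350KB) and ($memcpy_be or $memcpy_le) and ($ocode_be or $ocode_le) and (($mfmsr_be and $mtmsr_be) or ($mfmsr_le and $mtmsr_le))
            and $div1 and $div2)
}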