win.triton

Triton

aka: Trisis, HatMan

Actor(s): XENOTIME


Malware that targets Triconex Safety Instrumented System (SIS) controllers, which are commonly deployed in Industrial Control System (ICS) environments. A SIS is the last line of defence that brings a plant to a safe state; tampering with it is therefore a physical-safety issue, not only an availability one.

References
2020-10-23 — U.S. Department of the Treasury — U.S. Department of the Treasury
@online{treasury:20201023:treasury:c08bd19, author = {U.S. Department of the Treasury}, title = {{Treasury Sanctions Russian Government Research Institution Connected to the Triton Malware}}, date = {2020-10-23}, organization = {U.S. Department of the Treasury}, url = {https://home.treasury.gov/news/press-releases/sm1162}, language = {English}, urldate = {2020-10-26} } Treasury Sanctions Russian Government Research Institution Connected to the Triton Malware
Triton
2019-08-01 — Kaspersky Labs — GReAT
@online{great:20190801:trends:5e25d5b, author = {GReAT}, title = {{APT trends report Q2 2019}}, date = {2019-08-01}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q2-2019/91897/}, language = {English}, urldate = {2020-08-13} } APT trends report Q2 2019
ZooPark magecart POWERSTATS Chaperone COMpfun EternalPetya FinFisher RAT HawkEye Keylogger HOPLIGHT Microcin NjRAT Olympic Destroyer PLEAD RokRAT Triton Zebrocy Microcin
2019-04-10 — Github (ICSrepo) — Marcin Dudek
@online{dudek:20190410:trisis:480b199, author = {Marcin Dudek}, title = {{TRISIS / TRITON / HatMan Malware Repository}}, date = {2019-04-10}, organization = {Github (ICSrepo)}, url = {https://github.com/ICSrepo/TRISIS-TRITON-HATMAN}, language = {English}, urldate = {2019-07-09} } TRISIS / TRITON / HatMan Malware Repository
Triton
2019-03-07 — E&E News — Blake Sobczak
@online{sobczak:20190307:inside:9bae24e, author = {Blake Sobczak}, title = {{The inside story of the world's most dangerous malware}}, date = {2019-03-07}, organization = {E&E News}, url = {https://www.eenews.net/stories/1060123327/}, language = {English}, urldate = {2020-04-07} } The inside story of the world's most dangerous malware
Triton
2018-10-23 — FireEye — FireEye Intelligence
@online{intelligence:20181023:triton:95a881f, author = {FireEye Intelligence}, title = {{TRITON Attribution: Russian Government-Owned Lab Most Likely Built Custom Intrusion Tools for TRITON Attackers}}, date = {2018-10-23}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html}, language = {English}, urldate = {2019-12-20} } TRITON Attribution: Russian Government-Owned Lab Most Likely Built Custom Intrusion Tools for TRITON Attackers
Triton
2018-10-01 — SANS Cyber Summit — Andrea Carcano
@techreport{carcano:20181001:triton:7863291, author = {Andrea Carcano}, title = {{TRITON: How it Disrupted Safety Systems and Changed the Threat Landscape of Industrial Control Systems, Forever}}, date = {2018-10-01}, institution = {SANS Cyber Summit}, url = {https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1538425180.pdf}, language = {English}, urldate = {2020-01-20} } TRITON: How it Disrupted Safety Systems and Changed the Threat Landscape of Industrial Control Systems, Forever
Triton
2018-01-16 — Midnight Blue Labs — Jos Wetzels, Carlo Meijer
@online{wetzels:20180116:analyzing:aac7e2f, author = {Jos Wetzels and Carlo Meijer}, title = {{Analyzing the TRITON industrial malware}}, date = {2018-01-16}, organization = {Midnight Blue Labs}, url = {https://www.midnightbluelabs.com/blog/2018/1/16/analyzing-the-triton-industrial-malware}, language = {English}, urldate = {2020-01-07} } Analyzing the TRITON industrial malware
Triton
2017-12-18 — NCCIC — NCCIC
@techreport{nccic:20171218:malware:42d9be2, author = {NCCIC}, title = {{Malware Analysis Report on Hatman}}, date = {2017-12-18}, institution = {NCCIC}, url = {https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%E2%80%94Safety%20System%20Targeted%20Malware_S508C.pdf}, language = {English}, urldate = {2020-01-09} } Malware Analysis Report on Hatman
Triton
2017-12-14 — FireEye — Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer
@online{johnson:20171214:attackers:6b0be76, author = {Blake Johnson and Dan Caban and Marina Krotofil and Dan Scali and Nathan Brubaker and Christopher Glyer}, title = {{Attackers Deploy New ICS Attack Framework “TRITON” and Cause Operational Disruption to Critical Infrastructure}}, date = {2017-12-14}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html}, language = {English}, urldate = {2019-12-20} } Attackers Deploy New ICS Attack Framework “TRITON” and Cause Operational Disruption to Critical Infrastructure
Triton TEMP.Veles
2017-12-13 — Dragos — Dragos
@techreport{dragos:20171213:trisis:43675c1, author = {Dragos}, title = {{TRISIS Malware: Analysis of Safety System Targeted Malware}}, date = {2017-12-13}, institution = {Dragos}, url = {https://dragos.com/blog/trisis/TRISIS-01.pdf}, language = {English}, urldate = {2020-01-13} } TRISIS Malware: Analysis of Safety System Targeted Malware
Triton
Yara Rules
[TLP:WHITE] win_triton_w0 (20180123 | TRITON framework recovered during Mandiant ICS incident response)
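// Detects the TRITON/TRISIS attack framework: Python-based tooling that talks to
// Triconex SIS controllers (the strings reference TRICON and the TriStation
// protocol). The string sets below come from the framework's own modules
// (TsBase/TsHi/TsLow, TS_cnames), a CRC helper module credited to
// "Kotov Alaxander", and the inject.bin/imain.bin file names (presumably the
// TRIDENT payload components). No single token is specific enough on its own,
// so the condition requires a combination of them.
rule win_triton_w0 {
    meta:
        author = "nicholas.carr @itsreallynick"
        // presumably the hash of the sample the rule was written against
        md5 = "0face841f7b2953e7c29c064d6886523"
        description = "TRITON framework recovered during Mandiant ICS incident response"
        reference = "https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.triton"
        malpedia_version = "20180123"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        // Generic Python artefacts (compiled bytecode, module markers) plus the
        // framework's "Ts"/"ts_" naming scheme. Far too common to match alone;
        // the condition only asks for 2 of these as a prerequisite.
        $python_compiled = ".pyc" nocase ascii wide
        $python_module_01 = "__module__" nocase ascii wide
        $python_module_02 = "<module>" nocase ascii wide
        $python_script_01 = "import Ts" nocase ascii wide
        $python_script_02 = "def ts_" nocase ascii wide

        // Constants module and controller/protocol names. " chassis " is
        // low-specificity and relies on the count threshold in the condition.
        $py_cnames_01 = "TS_cnames.py" nocase ascii wide
        $py_cnames_02 = "TRICON" nocase ascii wide
        $py_cnames_03 = "TriStation " nocase ascii wide
        $py_cnames_04 = " chassis " nocase ascii wide

        // Shared library tokens. "ts_" is deliberately left case-sensitive
        // (no nocase) as published; "bad " and " sequence" are weak on their own.
        $py_tslibs_01 = "GetCpStatus" nocase ascii wide
        $py_tslibs_02 = "ts_" ascii wide
        $py_tslibs_03 = " sequence" nocase ascii wide
        // Fixed: the published rule used "[^:alpha:]", which YARA does not read
        // as a POSIX class (it has no [[:alpha:]] support) but as a negated set
        // of the literal characters ':', 'a', 'l', 'p', 'h'. The intent is
        // "TsHi/TsLow/TsBase as a whole module name, not followed by another
        // letter", which [^a-zA-Z] expresses.
        $py_tslibs_04 = /import Ts(Hi|Low|Base)[^a-zA-Z]/ nocase ascii wide
        $py_tslibs_05 = /module\s?version/ nocase ascii wide
        $py_tslibs_06 = "bad " nocase ascii wide
        $py_tslibs_07 = "prog_cnt" nocase ascii wide

        // TsBase.py: base module of the framework.
        $py_tsbase_01 = "TsBase.py" nocase ascii wide
        $py_tsbase_02 = ".TsBase(" nocase ascii wide

        // TsHi.py: high-level controller operations (project/program table
        // queries, program modification).
        $py_tshi_01 = "TsHi.py" nocase ascii wide
        $py_tshi_02 = "keystate" nocase ascii wide
        $py_tshi_03 = "GetProjectInfo" nocase ascii wide
        $py_tshi_04 = "GetProgramTable" nocase ascii wide
        $py_tshi_05 = "SafeAppendProgramMod" nocase ascii wide
        $py_tshi_06 = ".TsHi(" ascii nocase wide

        // TsLow.py: low-level transport; "tcm_" is case-sensitive as published.
        $py_tslow_01 = "TsLow.py" nocase ascii wide
        $py_tslow_02 = "print_last_error" ascii nocase wide
        $py_tslow_03 = ".TsLow(" ascii nocase wide
        $py_tslow_04 = "tcm_" ascii wide
        $py_tslow_05 = " TCM found" nocase ascii wide

        // CRC helper module bundled with the framework (CRC16 variants and the
        // author credit string found in it).
        $py_crc_01 = "crc.pyc" nocase ascii wide
        $py_crc_02 = "CRC16_MODBUS" ascii wide
        $py_crc_03 = "Kotov Alaxander" nocase ascii wide
        $py_crc_04 = "CRC_CCITT_XMODEM" ascii wide
        $py_crc_05 = "crc16ret" ascii wide
        $py_crc_06 = "CRC16_CCITT_x1D0F" ascii wide
        $py_crc_07 = /CRC16_CCITT[^_]/ ascii wide

        $py_sh_01 = "sh.pyc" nocase ascii wide

        // Generic keywords; " FAILURE" is case-sensitive and weak on its own.
        $py_keyword_01 = " FAILURE" ascii wide
        $py_keyword_02 = "symbol table" nocase ascii wide

        // Payload file names (identifier suggests the TRIDENT component names).
        $py_TRIDENT_01 = "inject.bin" ascii nocase wide
        $py_TRIDENT_02 = "imain.bin" ascii nocase wide

    condition:
        // NOTE: the wildcard $py_* also matches the $python_* identifiers, so
        // those strings count toward both clauses; in effect this requires the
        // 2 Python artefacts plus at least 5 further framework strings. Left as
        // published so that detection coverage is unchanged; tighten to a
        // distinct prefix if a stricter match is wanted.
        2 of ($python_*) and 7 of ($py_*) and filesize < 3MB
}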