Monday, December 18, 2017

ICS-CERT Publishes Malware Report on ‘HatMan’ (TRITON or TRISIS)

Today DHS published its malware report on HatMan, the recently reported attack on a safety instrumented system (SIS). It contains essentially the same information that was provided in the earlier FireEye and Dragos reports. ICS-CERT did, however, include a link to the Schneider Electric advisory on the malware.

The ICS-CERT report makes an interesting observation (pg 1):

“This report will discuss the malware as though it is entirely functional. We are aware that the malware may currently have bugs—due to descriptions of how it is behaving—that prevent it from effecting its desired changes. Though this report presents a “worst case scenario,” it should be considered accurate. We have no reason to suspect that the malware’s creators have not fixed its bugs, or that a functional copy does not exist somewhere that we have not yet seen.”

The report provides a YARA rule for the detection of the three file components of the HatMan malware. ICS-CERT prefaces this with the following warning:

“In addition, a YARA rule that matches the three binary components—trilog.exe, inject.bin, and imain.bin—is included as an appendix. This is not necessarily a reliable method for detection, as the files may or may not be present on any workstation, and such a rule cannot be used on a Triconex controller itself; however, it could be useful for detection with agent-based detection systems or for scanning for artifacts.”
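As an added illustration (not the ICS-CERT report's YARA rule, which is not reproduced here), the script below does the "scanning for artifacts" part of that warning on a workstation: it walks a directory tree for the three file names the report quotes, fingerprints any it finds, and reports absence explicitly rather than silently, since the report stresses the files may or may not be present on any given host. The names, the case-insensitive match, and the built-in sample tree (constructed test data, not real samples) are this example's assumptions.

```python
"""Hunt a directory tree for the three HatMan file artifacts named in the
ICS-CERT report (trilog.exe, inject.bin, imain.bin).

Added example for this page; it is not code from the ICS-CERT report and
does not contain the report's YARA rule. It matches on file name only, so
treat a hit as a triage lead, not a verdict.
"""
import hashlib
import os
import sys
import tempfile
from dataclasses import dataclass
from typing import Dict, List

# File names quoted in the ICS-CERT report. Matching is case-insensitive
# because the artifacts were seen on Windows engineering workstations.
HATMAN_ARTIFACTS = ("trilog.exe", "inject.bin", "imain.bin")


@dataclass
class Hit:
    path: str
    size: int
    sha256: str  # hex digest, or "unreadable" if the file could not be opened


def sha256_file(path: str) -> str:
    """Stream a file through SHA-256 without loading it all into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def hunt_artifacts(root: str) -> Dict[str, List[Hit]]:
    """Walk `root` and return {artifact_name: [hits]} for every name in
    HATMAN_ARTIFACTS. A name with no hits maps to an empty list so that
    absence is visible in the result, not just missing from it."""
    found: Dict[str, List[Hit]] = {name: [] for name in HATMAN_ARTIFACTS}
    for dirpath, _dirs, filenames in os.walk(root):
        for fn in filenames:
            key = fn.lower()
            if key not in found:
                continue
            full = os.path.join(dirpath, fn)
            try:
                found[key].append(Hit(full, os.path.getsize(full), sha256_file(full)))
            except OSError:
                # Locked or permission-denied file: still report the path.
                found[key].append(Hit(full, -1, "unreadable"))
    return found


def report_lines(result: Dict[str, List[Hit]]) -> List[str]:
    """Render the hunt result as one line per artifact name."""
    lines = []
    for name in HATMAN_ARTIFACTS:
        hits = result[name]
        if not hits:
            lines.append(f"{name}: not present")
        for h in hits:
            lines.append(f"{name}: {h.path} size={h.size} sha256={h.sha256}")
    return lines


def build_sample_tree() -> str:
    """Create a throwaway directory with CONSTRUCTED placeholder files
    (not real malware) so the scanner can be exercised offline."""
    root = tempfile.mkdtemp(prefix="hatman_demo_")
    sub = os.path.join(root, "Program Files", "vendor")
    os.makedirs(sub)
    with open(os.path.join(sub, "Trilog.EXE"), "wb") as f:   # mixed case on purpose
        f.write(b"placeholder")
    with open(os.path.join(root, "inject.bin"), "wb") as f:
        f.write(b"abc")
    with open(os.path.join(root, "unrelated.bin"), "wb") as f:
        f.write(b"noise")
    return root


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    for line in report_lines(hunt_artifacts(target)):
        print(line)
```

Run it as `python hunt_hatman.py C:\` (or any mount point) to sweep a workstation image; with no argument it scans the constructed sample tree. Because a name match is easily defeated by renaming, pair it with the report's actual rule using the YARA command-line tool, `yara -r <rules.yar> <directory>`, which matches on file content rather than name.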
