Today the DHS published its malware report on HatMan, the recently reported attack on a safety instrumented system (HatMan is the ICS-CERT name for the malware FireEye calls TRITON and Dragos calls TRISIS). The report contains essentially the same information as the earlier FireEye and Dragos reports. ICS-CERT did, however, include a link to the Schneider Electric advisory on the malware.
The ICS-CERT report makes an interesting observation (pg 1):
“This report will discuss the
malware as though it is entirely functional. We are aware that the malware may
currently have bugs—due to descriptions of how it is behaving—that prevent it
from effecting its desired changes. Though this report presents a “worst case
scenario,” it should be considered accurate. We have no reason to suspect that
the malware’s creators have not fixed its bugs, or that a functional copy does
not exist somewhere that we have not yet seen.”
The report provides a copy of a YARA rule for detecting the three components of the HatMan malware. ICS-CERT prefaces it with the following warning:
“In addition, a YARA rule that
matches the three binary components—trilog.exe, inject.bin, and imain.bin—is
included as an appendix. This is not necessarily a reliable method for detection,
as the files may or may not be present on any workstation, and such a rule
cannot be used on a Triconex controller itself; however, it could be useful for
detection with agent-based detection systems or for scanning for artifacts.”
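The caveat above is the part a practitioner acts on: the three file names are the only artifact indicators the page itself gives, a scan that finds none of them on a workstation says nothing about the controller, and the rule cannot be run on the Triconex itself. The following added script (my own example, not the ICS-CERT YARA rule and not code from the report) sweeps a directory tree for files with those three names, hashes any hit for submission, and deliberately reports a miss as "inconclusive" rather than "clean". The directory layout and file contents in `demo()` are constructed sample data, not real malware, and no hashes or byte patterns are assumed because the page supplies none.

```python
import hashlib
import os
import sys
import tempfile
from dataclasses import dataclass, field

# The three HatMan component file names given in the ICS-CERT report.
# Only the names come from the report; no hashes or byte patterns are
# assumed, so a name match is a lead for analysis, not a conviction.
HATMAN_ARTIFACTS = frozenset({"trilog.exe", "inject.bin", "imain.bin"})


@dataclass
class ScanResult:
    hits: dict = field(default_factory=dict)  # path -> sha256 hex (or "unreadable")
    files_checked: int = 0

    @property
    def verdict(self) -> str:
        # Per the ICS-CERT caveat, the files may or may not be present on a
        # workstation and the rule cannot run on the controller, so a scan
        # with no hits is "inconclusive", never "clean".
        return "artifacts-found" if self.hits else "inconclusive"


def sha256_of(path: str) -> str:
    """Stream-hash a file so large artifacts do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root: str, names=HATMAN_ARTIFACTS) -> ScanResult:
    """Walk `root` and record every file whose name matches an artifact name."""
    result = ScanResult()
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            result.files_checked += 1
            if name.lower() in names:
                path = os.path.join(dirpath, name)
                try:
                    result.hits[path] = sha256_of(path)
                except OSError:
                    # Still report the name match; the analyst decides what to do.
                    result.hits[path] = "unreadable"
    return result


def build_sample_tree(base: str) -> str:
    """Constructed sample workstation tree (placeholder bytes, not malware):
    two of the three artifact names plus one unrelated file."""
    os.makedirs(os.path.join(base, "workstation", "tmp"), exist_ok=True)
    with open(os.path.join(base, "workstation", "trilog.exe"), "wb") as f:
        f.write(b"placeholder-sample-bytes")
    with open(os.path.join(base, "workstation", "tmp", "inject.bin"), "wb") as f:
        f.write(b"placeholder-sample-bytes-2")
    with open(os.path.join(base, "workstation", "notes.txt"), "wb") as f:
        f.write(b"not-an-artifact")
    return base


def demo() -> ScanResult:
    """Build the constructed tree in a temp dir and scan it."""
    return scan_tree(build_sample_tree(tempfile.mkdtemp()))


def demo_empty() -> ScanResult:
    """Scan an empty temp dir: no hits, so the verdict must be inconclusive."""
    return scan_tree(tempfile.mkdtemp())


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else None
    res = scan_tree(root) if root else demo()
    print(f"files checked: {res.files_checked}  verdict: {res.verdict}")
    for path, digest in res.hits.items():
        print(f"  {digest}  {path}")
```

Run it with a directory argument (`python hatman_artifacts.py C:\`) on an engineering workstation or a mounted image; without an argument it scans the constructed sample tree. The hashes of any hits are what you would compare against the FireEye, Dragos and ICS-CERT indicators, which this example deliberately does not embed.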