TRITON Malware | Attackers Deploy New ICS Attack Framework
Common Information
Type Value
UUID 8fc9c4b1-06f8-49c0-adfe-1f77185a9f1d
Fingerprint a7a88e992023ccc0
Analysis status DONE
Considered CTI value 2
Text language
Published Dec. 14, 2017, midnight
Added to db Nov. 6, 2023, 7:09 p.m.
Last updated Sept. 4, 2024, 2:37 p.m.
Headline Attackers Deploy New ICS Attack Framework “TRITON” and Cause Operational Disruption to Critical Infrastructure
Title TRITON Malware | Attackers Deploy New ICS Attack Framework
Detected Hints/Tags/Attributes 73/2/26
RSS Feed
Details Id Enabled Feed title Url Added to db
Details 330 Threat Intelligence https://www.mandiant.com/resources/blog/rss.xml 2024-08-30 22:08
Attributes
Details Type #Events CTI Value
Details Domain 2
libraries.zip
Details Domain 3
library.zip
Details Domain 2
tsbase.py
Details Domain 2
tslow.py
Note: the four "Domain" entries above are file names, not hosts — they recur under the File attributes below and in the YARA rule. The extractor typed them as domains because .zip and .py are also valid top-level domains. Treat them as host-based artifacts (file names to hunt for), not as network indicators to resolve or block.
Details File 6
trilog.exe
Details File 2
libraries.zip
Details File 2
library.zip
Details File 4
inject.bin
Details File 4
imain.bin
Details File 4
ts_cnames.py
Details File 3
tsbase.py
Details File 3
tshi.py
Details File 3
tslow.py
Details File 15
sh.py
Details File 1
crc.py
Details md5 1
6c39c3f4a08d3d78f2eb973a94bd7718
Details md5 1
437f135ba179959a580412e564d3107f
Details md5 1
0544d425c7555dc4e9d76b571f31f500
Details md5 1
0face841f7b2953e7c29c064d6886523
Details md5 1
e98f4f3505f05bf90e17554fbc97bba9
Details md5 1
288166952f934146be172f6353e9a1f5
Details md5 1
27c69aa39024d21ea109cc9c9d944a04
Details md5 1
f6b3a73c8c87506acda430671360ce15
Details md5 1
8b675db417cc8b23f4c43f3de5c83438
Details sha256 1
e8542c07b2af63ee7e72ce5d97d91036c5da56e2b091aa2afe737b224305d230
Details Yara rule 1
rule TRITON_ICS_FRAMEWORK {
	// Detects components of the TRITON ICS attack framework: the Python
	// tooling (TsBase / TsHi / TsLow / TS_cnames / crc / sh modules, whose
	// file names also appear as File attributes on this page) and the two
	// payload file names inject.bin / imain.bin. The strings reference
	// TRICON / TriStation / TCM, i.e. the Triconex safety-controller
	// environment the framework talks to (context, not a match requirement).
	//
	// Structure: a weak "this carries Python" gate ($python_*) plus a
	// 7-of-36 vote over framework-specific fragments ($py_*). Note that the
	// $py_* wildcard does NOT cover $python_* (different prefix), so the two
	// groups are counted independently in the condition.
	meta:
		author = "nicholas.carr @itsreallynick"
		// Reference sample; the same hash is listed under the md5 attributes above.
		md5 = "0face841f7b2953e7c29c064d6886523"
		description = "TRITON framework recovered during Mandiant ICS incident response"
	strings:
		// Generic Python-artifact markers (compiled .pyc, module objects, Ts* imports).
		// On their own these only say "contains embedded/compiled Python"; they add
		// no TRITON specificity and are deliberately gated at "2 of" below.
		$python_compiled = ".pyc" ascii wide nocase
		$python_module_01 = "__module__" ascii wide nocase
		$python_module_02 = "<module>" ascii wide nocase
		$python_script_01 = "import Ts" ascii wide nocase
		$python_script_02 = "def ts_" ascii wide nocase
		// TS_cnames.py: constant/name tables for the TRICON / TriStation protocol.
		// " chassis " is generic; it only carries weight via the 7-of threshold.
		$py_cnames_01 = "TS_cnames.py" ascii wide nocase
		$py_cnames_02 = "TRICON" ascii wide nocase
		$py_cnames_03 = "TriStation " ascii wide nocase
		$py_cnames_04 = " chassis " ascii wide nocase
		// Fragments shared across the Ts* library modules. Several are very short
		// or generic ("ts_", " sequence", "bad "), so YARA may warn about slow
		// atoms and they will fire on unrelated files — the condition's
		// "7 of ($py_*)" is what keeps the rule specific. "ts_" is case-sensitive
		// (no nocase) unlike the "def ts_" marker above.
		$py_tslibs_01 = "GetCpStatus" ascii wide nocase
		$py_tslibs_02 = "ts_" ascii wide
		$py_tslibs_03 = " sequence" ascii wide nocase
		$py_tslibs_04 = /import Ts(Hi|Low|Base)/ ascii wide nocase
		$py_tslibs_05 = /module\s?version/ ascii wide nocase
		$py_tslibs_06 = "bad " ascii wide nocase
		$py_tslibs_07 = "prog_cnt" ascii wide nocase
		// TsBase.py: base class; ".TsBase(" catches instantiation in callers.
		$py_tsbase_01 = "TsBase.py" ascii wide nocase
		$py_tsbase_02 = ".TsBase(" ascii wide nocase
		// TsHi.py: high-level controller operations (key state, project info,
		// program table, program modification).
		$py_tshi_01 = "TsHi.py" ascii wide nocase
		$py_tshi_02 = "keystate" ascii wide nocase
		$py_tshi_03 = "GetProjectInfo" ascii wide nocase
		$py_tshi_04 = "GetProgramTable" ascii wide nocase
		$py_tshi_05 = "SafeAppendProgramMod" ascii wide nocase
		$py_tshi_06 = ".TsHi(" ascii wide nocase
		// TsLow.py: low-level transport; "tcm_" is case-sensitive and short.
		$py_tslow_01 = "TsLow.py" ascii wide nocase
		$py_tslow_02 = "print_last_error" ascii wide nocase
		$py_tslow_03 = ".TsLow(" ascii wide nocase
		$py_tslow_04 = "tcm_" ascii wide
		$py_tslow_05 = " TCM found" ascii wide nocase
		// crc.py(c): CRC helper module. The misspelled author string
		// "Kotov Alaxander" is reproduced as found in the sample — do NOT
		// "correct" it, that would break the match. The CRC identifiers are
		// case-sensitive. The regex /CRC16_CCITT[^_]/ matches the bare
		// CRC16_CCITT name while excluding CRC16_CCITT_x1D0F, which has its own
		// string so the two can be counted separately.
		$py_crc_01 = "crc.pyc" ascii wide nocase
		$py_crc_02 = "CRC16_MODBUS" ascii wide
		$py_crc_03 = "Kotov Alaxander" ascii wide nocase
		$py_crc_04 = "CRC_CCITT_XMODEM" ascii wide
		$py_crc_05 = "crc16ret" ascii wide
		$py_crc_06 = "CRC16_CCITT_x1D0F" ascii wide
		$py_crc_07 = /CRC16_CCITT[^_]/ ascii wide
		// sh.py(c): the framework's shell/driver script (also a File attribute above).
		$py_sh_01 = "sh.pyc" ascii wide nocase
		// Generic status keywords; " FAILURE" is case-sensitive. Low specificity.
		$py_keyword_01 = " FAILURE" ascii wide
		$py_keyword_02 = "symbol table" ascii wide nocase
		// Payload file names the Python tooling deploys to the controller.
		$py_TRIDENT_01 = "inject.bin" ascii wide nocase
		$py_TRIDENT_02 = "imain.bin" ascii wide nocase
	condition:
		// 2 of the 5 generic Python markers AND 7 of the 36 framework-specific
		// strings. The filesize bound excludes large archives/images that would
		// otherwise accumulate enough generic hits; it also means a TRITON
		// module embedded in a larger container (>= 3MB) will NOT be flagged.
		2 of ($python_*) and 7 of ($py_*) and filesize < 3MB
}