Software: Triton, TRISIS, HatMan

From attackics
Jump to navigation Jump to search
Triton, TRISIS, HatMan
Software
ID S0013
Aliases Triton, TRISIS, HatMan
Type Malware

Triton is an attack framework built to interact with Triconex Safety Instrumented System (SIS) controllers.1234567

Associated Software Descriptions

  • Triton - 1
  • TRISIS - 2
  • HatMan - 3

Techniques Used

  • Utilize/Change Operating Mode - Triton is able to modify code if the Triconex SIS Controller is configured with the physical keyswitch in ‘program mode’ during operation. If the controller is placed in Run mode (program changes not permitted), arbitrary changes in logic are not possible substantially reducing the likelihood of manipulation. Once the Triton implant is installed on the SIS it is able to conduct any operation regardless of any future position of the keyswitch.1.
  • Unauthorized Command Message - Using Triton, an adversary can manipulate the process into an unsafe state from the DCS while preventing the SIS from functioning appropriately.1
  • Masquerading - The Triton malware was configured to masquerade as trilog.exe, which is the Triconex software for analyzing SIS logs.1
  • Modify Control Logic - Triton can reprogram the SIS logic to cause it to trip and shutdown a process that is, in actuality, in a safe state. In other words, trigger a false positive. Triton also can reprogram the SIS logic to allow unsafe conditions to persist.1 The Triton malware is able to add a malicious program to the execution table of the controller. This action leaves the legitimate programs in place. If the controller failed, Triton would attempt to return it to a running state. If the controller did not recover within a certain time window, the sample would overwrite the malicious program to cover its tracks.1
  • Scripting - In the version of Triton available at the time of publication, the component that programs the Triconex controllers is written entirely in Python. The modules that implement the communication protocol and other supporting components are found in a separate file -- library.zip -- which the main script that employs this functionality is compiled into a standalone Windows executable -- trilog.exe -- that includes a Python environment.3
  • Remote System Discovery - Triton uses a Python script that is capable of detecting Triconex controllers on the network by sending a specific UDP broadcast packet over port 1502.3
  • System Firmware - The malicious shellcode Triton uses is split into two separate pieces -- inject.bin and imain.bin. The former program is more generic code that handles injecting the payload into the running firmware, while the latter is the payload that actually performs the additional malicious functionality. The payload --imain.bin-- is designed to take a TriStation protocol get main processor diagnostic data command, look for a specially crafted packet body, and perform custom actions on demand. It is able to read and write memory on the safety controller and execute code at an arbitrary address within the firmware. In addition, if the memory address it writes to is within the firmware region, it disables address translation, writes the code at the provided address, flushes the instruction cache, and re-enables address translation. This allows the malware to make changes to the running firmware in memory. This allows Triton to change how the device operates and would allow for the modification of other actions that the Triton controller might make3
  • Scripting - A Python script seen in Triton communicates using four Python modules—TsBase, TsLow, TsHi, and TS_cnames—that collectively implement the TriStation network protocol (“TS”, via UDP 1502); this is the protocol that the TriStation TS1131 software uses to communicate with Triconex safety PLCs.3
  • Exploitation for Evasion - Triton disables a firmware RAM/ROM consistency check, injects a payload (imain.bin) into the firmware memory region, and changes a jumptable entry to point to the added code 384. In Schneider Electric Triconex Tricon MP model 3008 firmware versions 10.0-10.4, system calls read directly from memory addresses within the control program area without any verification. Manipulating this data could allow adversary data to be copied anywhere within memory.910 Triconex systems include continuous means of detection including checksums for firmware and program integrity, memory and memory reference integrity, and configuration 11.
  • Control Device Identification - The Triton Python script is also capable of autodetecting Triconex controllers on the network by sending a specific UDP broadcast packet over port 1502.8
  • Loss of Safety - Triton has the capability to reprogram the SIS logic to allow unsafe conditions to persist or reprogram the SIS to allow an unsafe state – while using the DCS to create an unsafe state or hazard.1
  • Program Download - Triton leveraged the TriStation protocol to download programs onto Triconex Safety Instrumented System.7
  • Indicator Removal on Host - Triton would reset the controller to the previous state over TriStation and if this failed it would write a dummy program to memory in what was likely an attempt at anti-forensics.7
  • Commonly Used Port - Triton framework can communicate with the implant utilizing the TriStation 'get main processor diagnostic data' command and looks for a specifically crafted packet body from which it extracts a command value and its arguments.7
  • Execution through API - Triton leverages a reconstructed TriStation protocol within its framework to trigger APIs related to program download, program allocation, and program changes.7
  • Detect Program State - Triton contains a file named TS_cnames.py which contains default definitions for program state (TS_progstate). Program state is referenced in TsHi.py.12
  • Detect Operating Mode - Triton contains a file named TS_cnames.py which contains default definitions for key state (TS_keystate). Key state is referenced in TsHi.py.12
  • Change Program State - Triton has the ability to halt or run a program through the TriStation protocol. TsHi.py contains instances of halt and run functions being executed.12

Groups

The following groups use this software:

References