Threat Ananlysis | Accenture€¦ · Filename: trilog.exe • MD5: 6c39c3f4a08d3d78f2eb973a94bd7718 • SHA-1: dc81f383624955e0c0441734f9f1dabfe03f373c • Size: 21,504 bytes •

Copyright © 2018 Accenture Security. All rights reserved.

INDUSTRIAL CONTROL SYSTEM TECHNICAL REPORT DEALING WITH THE THREATS POSED BY TRITON / TRISIS DESTRUCTIVE MALWARE

THREAT ANALYSIS

THREAT ANALYSIS

Copyright © 2018 Accenture Security. All rights reserved. 2

TECHNICAL REPORT

DESCRIPTION

Upon discovering third-party reports of a new destructive industrial control system (ICS) malware, dubbed TRITON1 (also known as TRISIS2 or HatMan3), iDefense researchers captured the full scope of related malware modules and thoroughly analyzed their sub-components. Based on iDefense's internal hunting systems and telemetry data, iDefense assesses with high confidence that entities in the Kingdom of Saudi Arabia (KSA) were among the targets of this new malware. The malware has been uploaded six times from KSA between late August 2017 and mid-October 2017.

The destructive malware was disguised as TriLogger (a Triconex-brand product), which is software to record, play back, and analyze high-speed operating data from Triconex controllers. These are primarily used in safety instrumented systems (SIS). The destructive malware was created using a deep knowledge of targeted platforms and in the Python scripting language.

iDefense intelligence from Accenture Security underlines the need to implement more robust security measures for ICS and operational technology (OT) systems. Implementing basic code consistency checks and using traditional whitelisting methods have proven to be far less effective with modern threats, like the one analyzed in this threat analysis, than in the past.

1 Named by FireEye 2 Named by Dragos. Inc. 3 Named by US Department of Homeland Security (DHS) Industrial Control Systems Cyber Emergency Response Team (ICS-CERT)

The information in this Threat Analysis is intended to be consumed by administrators, security analysts and engineers in security operation center (SOC) and incident response (IR) teams.

The technical analysis is being provided for general awareness and targets entities developing, using, operating, or managing industrial control systems (ICS) that use Triconex safety controllers such as the TriStation platform.

Given the inherent nature of threat intelligence, it is based on information gathered and understood at a specific point in time.

THREAT ANALYSIS


ATTACK TIMELINE

• August 4, 2017: Malware development date, based on last time stamp of embedded sub-modules

• August 4 to 29, 2017: Targeted entities in KSA infected by TRITON malware

• August 29, 2017: A user from KSA uploaded the first instance of trilog,exe to public malware repositories

• September 12, 2017: A second user from Dhahran, KSA uploaded an instance of trilog,exe to public malware repositories

• October 19, 2017: The third instance of an infection came from Dhahran, KSA

• October 20, 2017: The fourth instance of an infection came from Dhahran, KSA

• October 22, 2017: The fifth instance of an infection came from Riyadh, KSA

• December 14, 2017: Third-party reports made, based on incident response efforts

ATTRIBUTION

It is evident that threat actors behind this malware studied the firmware, its underlying software and the TriStation system platform. These threat actors decoded the code consistency checks and adopted a similar algorithm to conduct so-called “signing” of malicious payloads to bypass internal checks within controllers. Additionally, the threat actors knew the systems were using a simple whitelisting process and then used a name that mimics a logging process to bypass this security mechanism as well. The threat actors created modules that handle the controller both in low-level and high-level. These things indicate that the threat actors have an excellent knowledge of the targeted platform and that it is highly likely the multi-module code has been tested already in a real-life environment. Having access to such an expensive and exclusive platform, a deep knowledge of the underlying firmware and access to undocumented capabilities suggest that the actors behind this malware are nation-state actors or an adversary with similar resources. At this stage in its research, iDefense has not yet identified a definitive nation-state with utmost certainty.

THREAT ANALYSIS


MAIN MODULE DISGUISED AS TRICONEX TRILOGGER

On August 29, 2017, a user from KSA uploaded a malware sample with the following properties to public repositories:

• Filename: trilog.exe

• MD5: 6c39c3f4a08d3d78f2eb973a94bd7718

• SHA-1: dc81f383624955e0c0441734f9f1dabfe03f373c

• Size: 21,504 bytes

• Time and date stamp: 0x49180192 (11/10/2008 1:40:34 AM), which is the default time stamp of PyScript executables

• Compiler/Linker: Microsoft Visual C/C++ (2008) [msvcrt] / Microsoft Linker (9.0) [EXE32, console]

• Python script version: Python bytecode 2.7 (62211)

According to published materials, the TriStation platform has a module known as TriLogger that is intended for recording, playing back, and analyzing high-speed operating data from Triconex controllers.

The captured malware appears to have disguised itself as a TriLogger module with the intention to bypass whitelisting and process monitoring mechanisms that simply check for running process names and allow a predetermined list of software to run.

The malware was developed using Python v.2.7 and was able to be decompiled to the source code. The main Python module name is script\_test.py. Exhibit 1 shows a snapshot of the decompiled source code.

Exhibit 1: Snapshot of decompiled source code

THREAT ANALYSIS


The malware relies on a set of sub-modules that are stored within an archive named library.zip. The library.zip file has the following properties:

• Filename: library.zip

• MD5: 0face841f7b2953e7c29c064d6886523

• SHA-1: 1dd89871c4f8eca7a42642bf4c5ec2aa7688fd5c

• Size: 1,708,616 bytes

• Archive creation time: August 4, 2017

• File type: Zip Archive v.2.0) [210 files]

The archive creation time depicts that the analyzed malware was created on August 4, 2017, which indicates that the actors were capable of deploying the malware to targeted systems in less than a month, as August 29, 2017 was the first instance of a possible anomaly discovery.

The trilog.exe module receives an IP address for its first argument (Exhibit 1—line 27), which is apparently the IP address of a targeted Triconex controller system.

trilog.exe crafts a payload using the following files: • Filename: inject.bin

− MD5: 0544d425c7555dc4e9d76b571f31f500

− SHA-1: f403292f6cb315c84f84f6c51490e2e8cd03c686

− Size: 2,104 bytes

• Filename: imain.bin

− MD5: 437f135ba179959a580412e564d3107f

− SHA-1: b47ad4840089247b058121e95732beb82e6311d0

− Size: 436 bytes

The trilog.exe module reads these two files in little-endian and unsigned integers and constructs the final payload. Exhibit 2 shows the payload construction and injection source code. Exhibit 3 shows a hex-dump of the final payload. The payload consists of controller logic bytecodes and a malicious function to bypass a controller code-checking mechanism (a simple crc32 check).

THREAT ANALYSIS


Exhibit 2: Code Illustrating Payload Construction and Injection Source Code

Exhibit 3: Hex-dump of Final Payload

THREAT ANALYSIS


The trilog.exe module relies on sub-modules stored in library.zip. The following is the MD5 hash of.pyc modules inside the library.zip file:

MD5 Hash Module Name MD5 Hash Module Name

5ba8b223a9fbb8f1c1d00e19f06f869b _abcoll.pyc 9feb8d37580a9667ba772174af46712e cp850.pyc

c77da522389e4b82af63dad19860a597 abc.pyc cb8af7616450697a216eb47a8caed0b8 cp852.pyc

caa17cef8d6e755171be18e173e88f17 atexit.pyc b7c3a8850623a3ee113dffec6acaa7bd cp855.pyc

ce4a002b07918d8b56c4165abdbe9577 base64.pyc 647c7e9ee88fa5044f6d96340fea2d49 cp856.pyc

9686f92fa6d02e8855304372896dbba9 bdb.pyc 3562e1a8f1e0e0c17d30c33a5c639f48 cp857.pyc

edadcee8e640a05cfe0ad7e757843a05 bz2.pyc c08a37b59f3abe4c7cf0e5b555d88750 cp858.pyc

09610aebd29a86118da97ace59e055c7 calendar.pyc e0896b36e2f2e93fc9260bc29e35f21d cp860.pyc

c215ccffa5db823a140340d73f231262 cmd.pyc bed9017b580595d03e93490f16b996e7 cp861.pyc

20f44b3eba51addcd603d9fe87f97ab4 codecs.pyc d73858a3e6c0f011f0fb57a708c6cef2 cp862.pyc

a9f31aa61e4a32ab4605512caf6cf6c4 collections.pyc 250e70a25b56de2ff50bcb79f8eb1097 cp863.pyc

c47c9f8e8b402b9d8f395da17750bc1e contextlib.pyc 1c2c40a8c7a94c4437ba32c9f7fddb5a cp864.pyc

4f66469fc204502d7596078ce8ff1ec9 copy.pyc 79195f6524501c7585f05b7904d5950a cp865.pyc

6a9815df2c6479c327a2956a0101db33 copy_reg.pyc a59991452a02104e09d334d71a41ffbe cp866.pyc

4e5797312ed52d9eb80ec19848cadc95 crc.pyc 0a9ed04c0ba38f845955d26d1bd7a40d cp869.pyc

cc489e05b642861a502acd5abd881101 difflib.pyc 60cb4d53ec9b35d485a579986793d3b4 cp874.pyc

18893512391771c83e5cbeea1b19d06b dis.pyc 8a9d1453c4afaad29e91370dbe914fdb cp875.pyc

66367231fa8893389c735d0c70b1f96f dummy_thread.pyc 4d15c500245c061a9fc77867e8bb813f cp932.pyc

70c175ffe83c9a65ea4eb0a8a79e50b7 fnmatch.pyc d5a4421692e4d9bafc6ea4dbbdc848d3 cp949.pyc

26d7c61ce2c5ba861e06d8edfc096487 functools.pyc e72c4fdb4df7131e196782cb94442b8f cp950.pyc

6cff78d61965cce144ef46d61099f60f __future__.pyc 1a92fb9b2d2dd20ed0df09300afa8795 euc_jis_2004.pyc

dbd4d0147912c900be054b27f046c364 genericpath.pyc 6a65081d4b37e4bb07b24899ca8ab7f5 euc_jisx0213.pyc

47b0db2f5e82271107093b0c0a154213 getopt.pyc 0b3c46dc49b24e7b481c4b84cb03c3ff euc_jp.pyc

7cd36dab91f6211338156632d6f8b052 gettext.pyc 401ab6b072d4ee4cad75cd6bbcab1f41 euc_kr.pyc

f00ec6edac1f7bf8c91a7d4446ab49fd _hashlib.pyc ba8c0c8a6570d1272f33098c05f18cee gb18030.pyc

0465a137bc14129690d9c274afb01cdb hashlib.pyc d5f77949cb1d9174c51065d78d3d7144 gb2312.pyc

29292b42faac06b36217414980686d08 heapq.pyc 404d0cf29626f1c171e8c20d574b88ea gbk.pyc

e8f5489f888016c3c97282ffb528374e inspect.pyc c13ad5fe664ab1c3cb338a461d97b671 hex_codec.pyc

1e4c586fcb8ba847cbd8afaf55cfe2fa io.pyc 2c69b6b2fb66f70e58e99753690c42bc hp_roman8.pyc

a6115028e177fc789b0bbee88ebb8770 keyword.pyc 46e75b63597915544d3d03a440798581 hz.pyc

9f0619bbd19d8488ad6bb890315acabe linecache.pyc 87d4cf8fd21fac3b60bf63dabd98bc9e idna.pyc

936a4513eba0534945736b815120a159 locale.pyc d226d892b5cd2252753068b06d373d30 __init__.pyc

c6b3b16ee036278406d750c7d5161466 ntpath.pyc af6162ebfc1ff061c99b58f6be259301 iso2022_jp_1.pyc

20b27a7d8fe43ba2c00f1188166fecef opcode.pyc b9632491d8009d95eb7e997fbaba853f iso2022_jp_2004.pyc

f7e45159630147f3bbff1bd242aea38f optparse.pyc f2bec5ca2d00c82415bfd33db314fa3d iso2022_jp_2.pyc

THREAT ANALYSIS



d886bb76ada0ffa9b6e8d049a6859e99 os2emxpath.pyc 2c9f14091da760cad1d9cdc57360f2f4 iso2022_jp_3.pyc

b2ea8d881c454ec6d2d1af3e5fe09a4e os.pyc 15bd04c4f2358a0d270dc9b71f2e4ae2 iso2022_jp_ext.pyc

6e4ca608e8533c8b0ff9b85d57559926 pdb.pyc c8f74b48143357c4bb5614f5879f6785 iso2022_jp.pyc

5f642560ed3fce09ecf29e9d263d3303 pickle.pyc db320c1dbb2bc889ef520baa756db081 iso2022_kr.pyc

75bd28e2e351d16828e6ee6070cd0a39 posixpath.pyc 85c4a21a0fb641bdb9b7dbb0ef67df65 iso8859_10.pyc

85fcbdd1c65088d6639b7f3b2b53e9fd pprint.pyc 73dc89f0b99e87a9fb3ecb45dba4b9d1 iso8859_11.pyc

8ba1fcc5ce7c07a2c7586f7fbb2a8ae5 quopri.pyc 46289ec36f222d08ce53d4c7916dd7f8 iso8859_13.pyc

331ae4a387bfcca4e8abecb27a5a9300 random.pyc c8d8ecf631fef72b8a9b652f04fae2dc iso8859_14.pyc

e3af42af879cd82fd65b30373f805f6b repr.pyc d5cd88aa5dc5d310c7efc1abfeefa44b iso8859_15.pyc

28eb80d28f24cb3f0f92c89ba9679094 re.pyc 2d9467b4bced3a21edf575919726e9e3 iso8859_16.pyc

8c066df6717f5b41a239ae0d54ca1a80 select.pyc 028cf9909643859accbfeeff2bd98bf9 iso8859_1.pyc

a5a9cba9eb5207a22cd1640d3de49738 shlex.pyc e6c18a6a6b535d7e9be636bcce158004 iso8859_2.pyc

8b675db417cc8b23f4c43f3de5c83438 sh.pyc 7088e08fbbc9fc2cbd7881eeef89166b iso8859_3.pyc

a91e078d06261565e1f81207d95aa858 _socket.pyc 5e87e9328758f10579c7b8e87039e937 iso8859_4.pyc

6c89e51ece5d3a29e0f29603165cb361 socket.pyc 15b76a4ec2c05dad38c8632efea2e03a iso8859_5.pyc

fdc0f1628e926647c045f2590eb72dd9 sre_compile.pyc c127548e63603fb61316fcaf52e2500a iso8859_6.pyc

f403d306bfdeee9a4d44a64e9e188c29 sre_constants.pyc a2e88c8f9a09e6b46e0ad2757dfa8af4 iso8859_7.pyc

530b18493fa426d73188d6669d5b2931 sre_parse.pyc 6eb5233ba12641e8dff4847a150fb0ce iso8859_8.pyc

d4c1487681e53a3bbe5c09517bef8616 sre.pyc 6219a43501f8e74cac102fc3943529a3 iso8859_9.pyc

f7d938f1e01cec5ae7cdd4902868407a _ssl.pyc 752202f911fd31e6482be85cb0dc35ba johab.pyc

af8e49c8e89ac7f678c622e03506cc19 ssl.pyc 59e3a3ca45a7de934de87890d1eb1c31 koi8_r.pyc

12e6fea93179911dec7bf8e9a276d5ec stat.pyc 81f2897ba2f87319964b4a124bf53297 koi8_u.pyc

2124ec613c66f9855473f9a579c96978 StringIO.pyc b88b961dbe5505e838a13cf81fb9757c latin_1.pyc

b9fac6b312192b9ea097408074238e37 stringprep.pyc 2203fd5d2702945af29db26ca0d6857c mac_arabic.pyc

333d10e37dd0c08c70b6b062d485d83c string.pyc af01746817836ce962441af8e7f4ec48 mac_centeuro.pyc

6050f3079f2fcbb37564708ed10d3a8a _strptime.pyc b262d216aa3c9f2ec090441293b56093 mac_croatian.pyc

1f043b6ae9795b3b33b0ffd0b3543baa struct.pyc 8c04be1897d5f28798abfe38ac396b91 mac_cyrillic.pyc

bcd37b63a118542197f656f0cc884430 subprocess.pyc 3f2a383cc987aa9dc373a78859a9b377 mac_farsi.pyc

27b972c25939196cac7bd94550c72824 tempfile.pyc f41f00e986595b69b4592860a699152c mac_greek.pyc

fc60a909738c458075acd17924ed9d4d textwrap.pyc b2c3036c14bc8b4fdbdcdc185ce69c9e mac_iceland.pyc

ef3020ef3e53f6ee42e6a7b8597eaaba _threading_local.pyc 6fad6adb13f762bec6d31aa29441d664 mac_latin2.pyc

b8491927f379d135c092bfa59f7ccd11 threading.pyc 3d5df7639420aad395fcb413028907af mac_romanian.pyc

6a801285e8ad292d9db3a13e1c593804 tokenize.pyc 38423237ddd524472802a72593faf4af mac_roman.pyc

fe0f07624d62f5abe26a70055c54945c token.pyc 9947dbbcbed67e05a020476bfd6e9735 mac_turkish.pyc

efa42924ba43d6553004c9076fb839bc traceback.pyc 3abbb4efba7bb26fc018cd1aa048150f mbcs.pyc

THREAT ANALYSIS



288166952f934146be172f6353e9a1f5 TsBase.pyc c67c16d145d69f77ea711ead7c94a2ab palmos.pyc

e98f4f3505f05bf90e17554fbc97bba9 TS_cnames.pyc 26e464edc6116edb5bdee979801ae634 ptcp154.pyc

27c69aa39024d21ea109cc9c9d944a04 TsHi.pyc 2dfce629231398a9d7fd845d4baa1736 punycode.pyc

f6b3a73c8c87506acda430671360ce15 TsLow.pyc b23a2e3f72f6b875687b7d72282f4f34 quopri_codec.pyc

cc0d054fd6093630bc4c2e0f36567405 types.pyc 0ea9930399d0178dd96b240d7926f1c9 raw_unicode_escape.pyc

e2638ff82c2eaa66288b424b5b0b8b28 unicodedata.pyc 1a899af7860b9ded26ed0fb42b0264e1 rot_13.pyc

4bde76fd45524fad05479018e463341e UserDict.pyc b5f3131e499e83ad7147b24875e741cd shift_jis_2004.pyc

95ecb3354d376dc99518730134822be9 warnings.pyc eda93ee20dc2b569bae249056695abba shift_jis.pyc

8a0a0c2fcdc60886a68b93bdd9052c31 weakref.pyc 40a092cb10cbf5ce79222601bdf14812 shift_jisx0213.pyc

56a1bd019468d2b33a48d95cf0522436 _weakrefset.pyc 5b4060cb1a644941120e989df567306b string_escape.pyc

a9310062e0ffa7daeb51eb7778debf61 aliases.pyc bcb51f50225125001124e897c429999f tis_620.pyc

2560842e999ade343dff99e08cb9b2e0 ascii.pyc 1fa31cbd89ac4a49592f8c1d726c76ed undefined.pyc

8c0eebe453536b6821d021009356c8a1 base64_codec.pyc 6de4878db33f26026a9ba61ca46d6ba2 unicode_escape.pyc

d13ac9be3dabcdde8a57cdab8e0277af big5hkscs.pyc ca4863e97b9249a1d2ef187db55654ac unicode_internal.pyc

7694fbba5177549d850479b5fe3831f7 big5.pyc e5ffcf6c288c6788c9c2a27ad31a7682 utf_16_be.pyc

2d9ef3398c2e1fc991d4b9e22568d8e4 bz2_codec.pyc 03d8f4a083e9191c238ca20ad7855d5a utf_16_le.pyc

6348cd37930abd12c16814863d5a6ba3 charmap.pyc 9e14af41c6f4ea008895fc9183eb2863 utf_16.pyc

7dfcc6c057ac355227c05cd4470d8177 cp037.pyc 5769f5753b34526d1276d7348136a41c utf_32_be.pyc

8a3399c47bf3c1372a5026d190c08ca6 cp1006.pyc fafb83bc05611ca8e3c2daab90566e46 utf_32_le.pyc

9566443f6d92b1093a104cc4d9367c9f cp1026.pyc 3d250cd971499ef44d76cad47a62c6f4 utf_32.pyc

7281488625c31f6a99e8a00961d5189d cp1140.pyc 0d4a11e7ceaac040702e242461e4481d utf_7.pyc

3390191f96bf9b7212cf6a2f8c507b13 cp1250.pyc 3287da9e2677b7a794e3610c347d59d5 utf_8.pyc

15a8062b75a61e3f3cc3b0c19c410532 cp1251.pyc 4e08bab40b090ccb01cae7b838fd0855 utf_8_sig.pyc

e68e2d9737ad9a1497c15553731eda3f cp1252.pyc ea934a79164b9d75e82d52fa933cedb9 uu_codec.pyc

a0e8be7a8b872ce6b739080014d2579e cp1253.pyc 32d14502cf4491dd0451ab5c4b63310f zlib_codec.pyc

c87552b6b5325e933115d363e8286a51 cp1254.pyc 52a0001e6f3bdc04dfd38c4cfa0cab27 __init__.pyc

2764fdc38e48eac75fcdb9e392131f13 cp1255.pyc 6acf266cd29f199e9d3da5aea53cb910 case.pyc

82a4f0dd064cfd48d1bd95a18eef4dd0 cp1256.pyc b03a0d6622fdfd82708e258e0d90e8ac __init__.pyc

fcf05838b9d3251e532c1be436c4dff5 cp1257.pyc 9f14f5a6f3414aee91ed24d6cade93c1 loader.pyc

823bec20443da5525a302d3575f955d6 cp1258.pyc ae79bb4f27d2f252fc518b70543e3c09 main.pyc

9a58b11b8d24cb1db3086739834c78f3 cp424.pyc e180976fd1edfbf4ef089981727b4b1d result.pyc

3780f63e6734127dc00597a07020a9b6 cp437.pyc acc2c6319583a9df76ce06f1f319be6d runner.pyc

1891768fe976c344d23e6d71745ab24b cp500.pyc 67b333a88312fdd24335c96fd2f31833 signals.pyc

5c5a4589bc9c84f8d4004b29de511557 cp720.pyc d7a49a1a476024b19afa6af4ab070cdd suite.pyc

fa7c328ac4bb5c6884f84789bedbb124 cp737.pyc 848b4b371ac2af5da7f1b4f64bec62dd util.pyc

THREAT ANALYSIS


A CLOSER LOOK AT SUB-MODULES WITHIN LIBRARY.ZIP

The majority of the sub-modules within library.zip are standard Python libraries; however, the following sub-modules were created by the threat actors behind this malware as part of the destructive TRITON malware:

SUB-MODULE 1

• Filename: TsHi.pyc

• MD5: 27c69aa39024d21ea109cc9c9d944a04


As its name depicts, the TsHi sub-module is a high-level interface for the TriStation platform. Exhibit 4 shows a snapshot of the decompiled source code of this module.

The high-level interface module contains functions for different checksum calculations based on CRC32. Additionally, the TsHi class contains the following self-explanatory functions:

• Functions for reading or writing an arbitrary program to the TriStation platform:

− ReadFunctionOrProgram

− WriteFunctionOrProgram

− ReadFunction

− ReadProgram

− WriteFunction

− WriteProgram

• Functions for retrieving and parsing project information:

− ParseProjectInfo

− GetProjectInfo

− GetProgramTable

• Counter Function:

− CountFunctions

• Functions for handling and communicating with the Triconex controller:

− SafeAppendProgramMod

− WaitForStart

− AppendProgramMin

• Functions to read, write, and execute exploit codes:

− ExplReadRam

− ExplReadRamEx

− ExplExec

THREAT ANALYSIS


− ExplWriteRam

− ExplWriteRamEx

This sub-module created with verbose status codes for each function allows threat actors to track the workflow of the load, the execution, or possibly the failure of the exploit code to run. SafeAppendProgramMod is the main function called by the trilog.exe module for putting the controller in idle mode, running the payload presented in Exhibit 4, or cleaning the controller memory by uploading a dummy code.

Exhibit 4: Decompiled Source Code of TsHI Sub-module

THREAT ANALYSIS


SUB-MODULE 2

• Filename: TsLow.pyc

• MD5: f6b3a73c8c87506acda430671360ce15


As its name suggests, the TsLow sub-module is a low-level interface for the TriStation platform. Exhibit 5 shows a snapshot of the decompiled source code of this module.

Exhibit 5: Decompiled Source Code of TsLow Sub-module

The low-level interface module contains an error status for the controller communication status and checksum functions. Additionally, the TsLow class contains the following network communications functions:

• General Functions:

− __init__ - initializes communication by setting default values

− close - closes all the network connections, including TCM and UDP connections

THREAT ANALYSIS


− detect_ip - detects IP address by sending a precrafted ping message to 255.255.255.255:1502

− connect - connects to the IP address of the controller

− print_last_error - prints status regarding the execution of UDP, TCM, TS, and parse commands

• UDP Protocol Functions:

− udp_close - closes UDP connections

− udp_send - sends UDP packets to keep connection live

− udp_flush - flushes UDP packets

− udp_recv - receives a dummy UDP packet

− udp_exec - executes UDP communication

− udp_result - returns the status of running UDP protocol functions

• TCM Protocol Functions:

− tcm_ping - sends ping over TCM

− tcm_connect - connects over TCM

− tcm_disconnect - disconnects TCM connection

− tcm_reconnect - reestablishes TCM connection

− tcm_exec - executes TCM communication

− tcm_result: - returns the result of running TCM protocol functions

• TriStation Controller Functions:

− ts_update_cnt - counts the number of executed commands

− ts_result - returns the status of running TS commands

− ts_exec - executes a TS command

THREAT ANALYSIS


SUB-MODULE 3

• Filename: TS_cnames.pyc

• MD5: e98f4f3505f05bf90e17554fbc97bba9


The TS_cnames sub-module contains default definitions for TS_cst, TS_keystate, TS_progstate, and TS_names variables. Exhibit 6 shows a snapshot of the decompiled source code of this module.

Exhibit 6: Decompiled Source Code of TS_cnames.pyc Module

THREAT ANALYSIS


SUB-MODULE 4

• Filename: TsBase.pyc

• MD5: 288166952f934146be172f6353e9a1f5


The TsBase sub-module contains functions to transform and translate attack commands into TriStation controller commands. Exhibit 7 shows a snapshot of the decompiled source code of this module.

Exhibit 7: Decompiled Source Code of TsBase.pyc Module

The transform module contains two simple functions for returning data with and without error codes. Additionally, the TsBase class contains the following self-explanatory functions:

• GetCpStatus - returns CP status response through the execution of ts_exec command 19

• GetModuleVersions - retuens module versions response through the execution of ts_exec command 54

• UploadProgram - uploads a program through the execution of ts_exec command 65

• UploadFunction - uploads a function through the execution of ts_exec command 66

• AllocateProgram - allocates memory in controller for a program through the execution of ts_exec command 55

• AllocateFunction - allocates memory in controller for a function through the execution of ts_exec command 56

• RunProgram - executes a program in the controller through the execution of ts_exec command 20

THREAT ANALYSIS


• HaltProgram - terminates a program in the controller through the execution of ts_exec command 21

• StartDownloadChange - format and pad the data for the controller through the execution of ts_exec command 1

• StartDownloadAll - starts TS2 program download through the execution of ts_exec command 59

• CancelDownload - cancels download of TS2 program through the execution of ts_exec command 12

• EndDownloadChange - terminates change in download of TS2 program through execution of ts_exec command 11`

• EndDownloadAll: terminates all downloads of the TS2 program through the execution of ts_exec command 10

• ExecuteExploit - formats and pads data for the execution of an exploit code through the execution of ts_exec command 29

The TsBase module uses the verbose command and error definitions in the TS_cnames module to properly track command execution and the malware's workflow.

THREAT ANALYSIS


SUB-MODULE 5

• Filename: sh.pyc

• MD5: 8b675db417cc8b23f4c43f3de5c83438


The sh.pyc sub-module contains two functions: function dump, which is called by trilogger.exe and Tslow, which is used for dumping a portion of controller memory and saving the data into a file; and function chend, which is called by trilogger.exe to change the endian format of inject.bin and imain.bin from little-endian into big-endian. Exhibit 8 shows a snapshot of the decompiled source code of this module.

Exhibit 8: Snapshot of the Decompiled Source Code of sh.pyc Module

THREAT ANALYSIS


SUB-MODULE 6

• Filename: crc.pyc

• MD5: 4e5797312ed52d9eb80ec19848cadc95


The crc.pyc sub-module contains four functions to calculate CRC32, CRC16, and CRC64 checksums. Exhibit 9 shows a snapshot of the decompiled source code of this module.

Exhibit 9: Snapshot of Decompiled Source Code of crc.pyc Module

THREAT ANALYSIS


MITIGATION

Based on the attack framework, a similar attack could conceptually be designed against other safety instrumented systems. As such, the recommendations are relevant to many SIS brands and their users.

Take practical steps today to protect your organization from TRITON/TRISIS and similar destructive malware attacks.

The following key security controls could help mitigate the TRITON threat model: • Physical controls—SIS controllers, like all other critical hardware components,

should be kept in locked spaces, monitored and accessible to only authorized personnel. The physical mode switch on Triconex controllers should be kept in “Run” position during normal operations, to limit the window of opportunity for a configuration change and enforce requirement of physical presence.4

• Logical access control—Any form of connectivity to the SIS systems, whether via network interface, USB stick, programming laptop or directly by a user at a graphical interface, should require enforced authorization. Only authorized and properly controlled USB sticks, writable media, and programming laptops, should be used for system access. Portable media should be verified each time before being allowed to connect to SIS.

• Network segmentation—SIS components should reside in an isolated network.

• Configuration and change management—Industrial Control System (ICS)5 governance roles, processes, and tools should be in place to facilitate the correct and authorized deployment, maintenance and verification of SIS equipment and its configuration. The ability to detect unauthorized configuration changes can reduce the risk of an attack.

• Security monitoring and scanning—It is essential to deploy network security monitoring technology, along with ICS vendor certified scanning technology, where possible. The proper implementation of security monitoring in ICS environments should address the following questions:

• Is ICS network traffic being monitored for unexpected communication flows and other anomalous activity?

• Can new devices connecting to the network be detected and trigger a notification?

• Are all methods of mobile data exchange with the safety network, such as CDs and USB drives, scanned before use in SIS operator stations or any node connected to the network?

• Have other secure file transfer methods been considered?

4 Leaving the controller’s mode switch in “Program” or “Remote” allows reprogramming activity, potentially circumventing an operator’s change management process. 5 A SIS is one type of ICS.

THREAT ANALYSIS


In addition to the security controls listed above, iDefense recommends:

• Applying an enhanced whitelisting policy by implementing secondary checks for running processes in addition to a simple name check. For example, a custom hashing algorithm for detecting authorized processes could be implemented as a kernel module for systems with direct access to controllers.

• Investing and implementing parallel monitoring systems. Such systems should be independent of main monitoring systems and used for alerting purposes only.

• Conducting routine checks for computer systems with direct access to controllers. It is of paramount importance that such systems are only used for data monitoring and controller handling. iDefense recommends refraining from using these systems for other tasks such as document compilation, accounting, or similar office tasks. If a vendor releases a firmware or software upgrade, apply such upgrades as soon as possible.

Schneider Electric released an Important Security Notification with specific mitigation steps regarding its Triconex safety controllers. Schneider Electric recommends regular checks for updates to the security notification including any specific technical configuration requirements.6 Given this possibility, ABB also released a Cyber Security Notification on December 22nd, 2017 with similar mitigation steps for its safety controllers.7

iDefense will reach out to the affected vendor with specific recommended countermeasures regarding the affected controller.

iDefense will also update this technical analysis after it has captured similar malware samples.

TECHNICAL REFERENCES

Cyber Advisory: INDUSTRIAL CONTROL SYSTEM ATTACK SUMMARY— DEALING WITH THE THREATS POSED BY TRITON/TRISIS DESTRUCTIVE MALWARE, Accenture, 2018.

Important Security Notification: Malware Discovered Affecting Triconex Safety Controllers V1.1, Schneider Electric, 2017.

Cyber Security Notification—TRITON/TRISIS malware, ABB, 2017.

6 https://www.schneider-electric.com/en/download/document/SEVD-2017-347-01/ 7 http://search-ext.abb.com/library/Download.aspx?DocumentID=9AKK107045A7931&LanguageCode=en&DocumentPartId=&Action=Launch

https://www.accenture.com/us-en/insight-managing-malware

https://www.accenture.com/us-en/insight-managing-malware

https://www.schneider-electric.com/en/download/document/SEVD-2017-347-01/


http://search-ext.abb.com/library/Download.aspx?DocumentID=9AKK107045A7931&LanguageCode=en&DocumentPartId=&Action=Launch





THREAT ANALYSIS


CONTACT US For additional mitigation steps and more detailed information, please reach out to your Accenture contact. Where support is needed, Accenture Security can provide resources designed to mitigate risks and remediate gaps in ICS security programs.

Luis Luque [email protected]

Jim Guinn [email protected]

Josh Ray [email protected]

mailto:[email protected]

ABOUT ACCENTURE Accenture is a leading global professional services company, providing a broad range of services and solutions in strategy, consulting, digital, technology and operations. Combining unmatched experience and specialized skills across more than 40 industries and all business functions—underpinned by the world’s largest delivery network—Accenture works at the intersection of business and technology to help clients improve their performance and create sustainable value for their stakeholders. With approximately 425,000 people serving clients in more than 120 countries, Accenture drives innovation to improve the way the world works and lives. Visit us at www.accenture.com

ABOUT ACCENTURE SECURITY Accenture Security helps organizations build resilience from the inside out, so they can confidently focus on innovation and growth. Leveraging its global network of cybersecurity labs, deep industry understanding across client value chains and services that span the security lifecycle, Accenture protects organization’s valuable assets, end-to-end. With services that include strategy and risk management, cyber defense, digital identity, application security and managed security, Accenture enables businesses around the world to defend against known sophisticated threats, and the unknown. Follow us @AccentureSecure on Twitter or visit the Accenture Security blog.

LEGAL NOTICE & DISCLAIMER: © 2018 Accenture. All rights reserved. Accenture, the Accenture logo, iDefense and other trademarks, service marks, and designs are registered or unregistered trademarks of Accenture and its subsidiaries in the United States and in foreign countries. All trademarks are properties of their respective owners. All materials are intended for the original recipient only. The reproduction and distribution of this material is forbidden without express written permission from iDefense. The opinions, statements, and assessments in this report are solely those of the individual author(s) and do not constitute legal advice, nor do they necessarily reflect the views of Accenture, its subsidiaries, or affiliates.

Given the inherent nature of threat intelligence, the content contained in this alert is based on information gathered and understood at the time of its creation. It is subject to change.

ACCENTURE PROVIDES THE INFORMATION ON AN “AS-IS” BASIS WITHOUT REPRESENTATION OR WARRANTY AND ACCEPTS NO LIABILITY FOR ANY ACTION OR FAILURE TO ACT TAKEN IN RESPONSE TO THE INFORMATION CONTAINED OR REFERENCED IN THIS REPORT.

http://www.accenture.com/

Documents

Threat Ananlysis | Accenture€¦ · Filename: trilog.exe • MD5: 6c39c3f4a08d3d78f2eb973a94bd7718 • SHA-1: dc81f383624955e0c0441734f9f1dabfe03f373c • Size: 21,504 bytes •