This updated malware analysis report, MAR-17-352-01 HatMan - Safety System Targeted Malware (Update B), is a follow-up to the previous update, MAR-17-352-01 HatMan - Safety System Targeted Malware (Update A), published April 10, 2018, on the ICS-CERT website. This update adds a revised YARA signature that identifies a custom, Windows-based remote deployment tool the threat actors may have used.
The HatMan malware, also known as TRITON and TRISIS, targets Triconex Tricon safety controllers by modifying the controller's in-memory firmware to add its own code. That added functionality lets an attacker read and modify controller memory and execute arbitrary code on demand, triggered by specially crafted network packets sent to the controller. HatMan consists of two pieces: a PC-based component that communicates with the safety controller, and a malicious binary that is downloaded to the controller itself. Safety controllers are deployed in a large number of environments, and the ability to disable, inhibit, or alter a process's capacity to fail safely could have physical consequences. This report discusses the components and capabilities of the malware and some potential mitigations.