This updated malware analysis report, MAR-17-352-01 HatMan - Safety System Targeted Malware (Update A), is a follow-up to the original report titled MAR-17-352-01 HatMan - Safety System Targeted Malware, which was published December 18, 2017, on the NCCIC/ICS-CERT website.
The HatMan malware, also known as TRITON and TRISIS, affects Triconex Tricon safety controllers by modifying in-memory firmware to add additional programming. The extra functionality allows an attacker to read or modify memory contents and execute arbitrary code on demand upon receipt of specially crafted network packets. HatMan consists of two pieces: a PC-based component that communicates with the safety controller, and a malicious binary component that is downloaded to the controller. Safety controllers are used in a large number of environments, and the capacity to disable, inhibit, or modify a process's ability to fail safely could result in physical consequences. This report discusses the components and capabilities of the malware and some potential mitigations.