Threat Report

Monday June 11, 2018

In this week’s report we are covering two vulnerabilities. One being a recent vulnerability that is targeting Triton ICS deployments. The other is a banking trojan that stealthily uses MSSQL database traffic.

Malware: Triton ICS Malware Developed Using Legitimate Code

Triton, also known as Trisis and HatMan, was discovered in August 2017 after a threat group linked by some to Iran used it against a critical infrastructure organization in the Middle East. The malware targets Schneider Electric’s Triconex Safety Instrumented System (SIS) controllers, which use the proprietary TriStation network protocol. The malware leveraged a zero-day vulnerability affecting older versions of the product through a legitimate .dll file. For more information there are a few links below:

Links:

Security Week

Dark reading

Some Mitigation Strategies:

Malware: MnuBot Banking Trojan Stealthily Uses MSSQL Database Traffic

Security researchers from IBM X-Force Research Team have discovered a new banking Trojan named MnuBot. This Delphi-based malware uses the Microsoft SQL Server to communicate with the C&C Server and send commands to infected machines. This evades regular antivirus and malware detection since it uses SQL traffic, unlike common C&C Server communication that happens through web servers or apps. Researchers also indicate that this might be coded by a seasoned hacker. This MnuBot has a two-stage attack. First, it checks if the system is infected already. Second, it deploys the remote access trojan completely (RAT).

Links:

Security Intelligence

Pastebin

Some Mitigation Strategies:

Stephen Coty

Stephen Coty
Contractor
LinkedIn