Threat Report

Monday June 11th 2018

In this week’s report we are covering two vulnerabilities. One being a recent vulnerability that is targeting Triton ICS deployments. The other is a banking trojan that stealthily uses MSSQL database traffic.

Malware: Triton ICS Malware Developed Using Legitimate Code

Triton, also known as Trisis and HatMan, was discovered in August 2017 after a threat group linked by some to Iran used it against a critical infrastructure organization in the Middle East. The malware targets Schneider Electric’s Triconex Safety Instrumented System (SIS) controllers, which use the proprietary TriStation network protocol. The malware leveraged a zero-day vulnerability affecting older versions of the product through a legitimate .dll file. For more information there are a few links below:

Links:

Security Week

Dark reading

Some Mitigation Strategies:

  • Mail Filtration to screen for malicious phishing or targeted email campaigns
  • File Integrity Management looking for the installation of malicious software like Remote Access Trojans (RATS) for functionality and access
  • Intrusion detection systems (IDS) would detect intrusion and network communication
  • Filtering USB ports that are on equipment connected to the ICS systems
  • 24x7 Security Monitoring for malicious behavior and immediate incident response

Malware: MnuBot Banking Trojan Stealthily Uses MSSQL Database Traffic

Security researchers from IBM X-Force Research Team have discovered a new banking Trojan named MnuBot. This Delphi-based malware uses the Microsoft SQL Server to communicate with the C&C Server and send commands to infected machines. This evades regular antivirus and malware detection since it uses SQL traffic, unlike common C&C Server communication that happens through web servers or apps. Researchers also indicate that this might be coded by a seasoned hacker. This MnuBot has a two-stage attack. First, it checks if the system is infected already. Second, it deploys the remote access trojan completely (RAT).

Links:

Security Intelligence

Pastebin

Some Mitigation Strategies:

  • Intrusion detection systems (IDS) to monitor for malicious communication and downloads from port 5003
  • File Integrity Management looking for access to registry keys accessed and new keys created
  • Mail Filtration to capture potential files attached to phishing emails
  • 24x7 Security Monitoring with Focused Security Content for solid threat detection

Stephen Coty

Stephen Coty
Contractor
LinkedIn