Second Triton/Trisis critical infrastructure attack spotted
April 10, 2019
Renaming their files to make them look like legitimate files. For example: KB77846376.exe, which is named after Microsoft update files.
Using standard tools that would mimic legitimate administrator activities. This included heavy use of RDP and PsExec/WinRM.
Relying on encrypted SSH-based tunnels to transfer tools and for remote command/program execution.
Using multiple staging folders and opting to use directories that were used infrequently by legitimate users or processes.
Renaming their tools' filenames in the staging folder so that the malware's purpose could not be identified from residual artifacts (e.g., ShimCache entries or WMI Recently Used Apps) even after it had been deleted from disk.
Using timestomping to modify the $STANDARD_INFORMATION attribute of the attack tools.
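Two of the items above (update-style file names and a modified $STANDARD_INFORMATION attribute) leave inconsistencies a forensic analyst can check for. The script below is an added example, not code from the article or from the FireEye report; it runs triage heuristics over constructed NTFS-style records with hypothetical paths and timestamps. It relies on the fact that $STANDARD_INFORMATION timestamps can be set from user mode while $FILE_NAME timestamps are maintained by the kernel, so a $STANDARD_INFORMATION creation time that predates the $FILE_NAME creation time is inconsistent; it also flags zeroed sub-second components, which second-granularity timestomping tools commonly leave behind.

```python
# Added example (not from the article or from FireEye): triage heuristics for
# two of the tradecraft items listed above, run over constructed NTFS-style
# MFT records. Paths, timestamps and the KB name pattern are assumptions.
from dataclasses import dataclass
from datetime import datetime, timezone
import re

UTC = timezone.utc


@dataclass
class FileRecord:
    """Subset of an NTFS MFT entry: path plus the two timestamp attributes."""
    path: str
    si_created: datetime    # $STANDARD_INFORMATION: settable via SetFileTime
    si_modified: datetime
    fn_created: datetime    # $FILE_NAME: written by the kernel on creation
    fn_modified: datetime


# Executable named like a Windows update package ("KB" + digits). The attacker
# example on the page, KB77846376.exe, has eight digits, so allow six or more.
KB_NAME = re.compile(r"^kb\d{6,}\.exe$", re.IGNORECASE)


def timestomp_reasons(rec: FileRecord) -> list:
    """Heuristics for a tampered $STANDARD_INFORMATION attribute."""
    reasons = []
    # $FILE_NAME is stamped when the entry is created and is not exposed to
    # SetFileTime, so SI creation earlier than FN creation is inconsistent.
    if rec.si_created < rec.fn_created:
        reasons.append("SI creation predates FN creation")
    # Tools that accept second-granularity input leave the 100 ns fraction at
    # zero; genuine timestamps rarely land exactly on a second boundary.
    for label, ts in (("created", rec.si_created), ("modified", rec.si_modified)):
        if ts.microsecond == 0:
            reasons.append(f"SI {label} time has zero sub-second component")
    return reasons


def mimicry_reasons(rec: FileRecord) -> list:
    """Flag KB-style executable names that sit outside the Windows directory."""
    normalized = rec.path.replace("/", "\\")
    name = normalized.rsplit("\\", 1)[-1]
    in_windows = normalized.lower().startswith("c:\\windows\\")
    if KB_NAME.match(name) and not in_windows:
        return ["KB-style name outside C:\\Windows"]
    return []


def triage(records) -> dict:
    """Map each suspicious path to the list of reasons it was flagged."""
    findings = {}
    for rec in records:
        reasons = timestomp_reasons(rec) + mimicry_reasons(rec)
        if reasons:
            findings[rec.path] = reasons
    return findings


# Constructed sample records: one benign system file, one staged tool whose
# SI timestamps were rolled back to 2012 while FN still shows the real 2019
# creation. All values are hypothetical.
SAMPLE = [
    FileRecord(r"C:\Windows\System32\kernel32.dll",
               datetime(2018, 4, 11, 23, 34, 51, 123456, UTC),
               datetime(2018, 4, 11, 23, 34, 51, 123456, UTC),
               datetime(2018, 4, 11, 23, 34, 51, 123456, UTC),
               datetime(2018, 4, 11, 23, 34, 51, 123456, UTC)),
    FileRecord(r"C:\ProgramData\Temp\KB77846376.exe",
               datetime(2012, 7, 26, 0, 0, 0, 0, UTC),        # stomped SI
               datetime(2012, 7, 26, 0, 0, 0, 0, UTC),
               datetime(2019, 3, 2, 4, 17, 9, 884210, UTC),   # real FN
               datetime(2019, 3, 2, 4, 17, 9, 884210, UTC)),
]

if __name__ == "__main__":
    for path, reasons in triage(SAMPLE).items():
        print(path)
        for reason in reasons:
            print("  -", reason)
```

Both checks are heuristics rather than proof: files copied from FAT volumes or written by some installers legitimately carry zeroed sub-second times, and the SI-before-FN comparison only holds while $FILE_NAME itself has not been rewritten, which ordinarily requires a rename or move or direct MFT manipulation. In practice the output is a worklist for a timeline analyst, correlated against the ShimCache and WMI artifacts the list above mentions.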