A component of Trisis Malware has been publicly available since December 2017


Recently, several security companies warned that a component of a cyber-weapon has been publicly available online since 22 December 2017. The component is a file called “Library.zip”, and it is the missing piece of the industrial-control-system threat known as “Triton” or “Trisis”.

The Library.zip file was obtained by Schneider Electric, a global energy-management company, during its investigation of a malware attack on oil and gas facilities in the Middle East. After retrieving the file, Schneider Electric mistakenly uploaded it to VirusTotal, the public malware-scanning service (founded in Spain and now owned by Google), where paying subscribers can download submitted samples.

What are the capabilities of this malware

Trisis (or Triton) is considered a highly dangerous cyber-weapon because it targets Schneider Electric’s Triconex safety instrumented systems (SIS), the safety equipment that oil and gas refineries and nuclear power plants rely on to shut a process down before it reaches a dangerous state. By manipulating the safety controller it can cause major malfunctions, which makes it one of the few known examples of malware capable of causing physical damage through manipulation of ICS (industrial control systems).

The rest of the Trisis code has been publicly available since its initial attacks in the Middle East, but without the Library.zip file the malware was incomplete. That is no longer the case: once Schneider Electric uploaded the file to VirusTotal, the component quickly spread to other web locations. The file was removed from VirusTotal in less than 24 hours, but that was not enough to prevent it from being re-uploaded elsewhere.

How serious is the threat?

The implications of having every piece of a malware with such destructive potential freely available on the Internet, where any attacker could reach it, are undoubtedly serious. However, the fact that the Trisis code is now out there does not mean the weapon is complete and ready to use. Researchers at security companies such as Dragos and FireEye say that only a highly skilled group would be able to assemble the pieces into a single cyber-weapon that could be used to its full potential. That said, the possibility remains, and although attempts have been made to keep Library.zip private, it can no longer be guaranteed that it won’t fall into the wrong hands.