W32/Cosmic.DISR!tr
Analysis
W32/Cosmic.DISR!tr is classified as a trojan.
A trojan is a type of malware that performs activities without the user's knowledge.
Below are some of its observed characteristics/behaviours:
- W32/Cosmic.DISR!tr is written in C++. It is a disruption tool associated with the COSMICENERGY outbreak. COSMICENERGY is an operational technology/industrial control system oriented malware.
- W32/Cosmic.DISR!tr is utilized by COSMICENERGY, in conjunction with another disruption tool, to target IEC-104-compliant remote terminal units.
- Following are some of the exact file hashes associated with this detection:
  - Md5: 7b6678a1c0000344f4faf975c0cfc43d
  - Sha256: 740e0d2fba550308344b2fb0e5ecfebdd09329bdcfaa909d3357ad4fe5552532
Outbreak Alert
A new malware called CosmicEnergy has been discovered that targets the operational technology sector. According to the reports, the malware is designed to cause electric power disruption by exploiting the IEC 60870-5-104 (IEC-104) protocol, which is commonly used in electric transmission and distribution operations in Europe, the Middle East, and Asia.
Recommended Action
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Telemetry
Detection Availability
- FortiGate
- FortiClient
- FortiAPS
- FortiAPU
- FortiMail
- FortiSandbox
- FortiWeb
- Web Application Firewall
- FortiIsolator
- FortiDeceptor
- FortiEDR