Havex
   HOME

TheInfoList



OR:

Havex malware, also known as Backdoor.Oldrea, is a
Remote Access Trojan In computing, the term remote desktop refers to a software- or operating system feature that allows a personal computer's desktop environment to be run remotely from one system (usually a PC, but the concept applies equally to a server or a sma ...
(RAT) employed by the Russian attributed APT group " Energetic Bear" or "Dragonfly". Havex was discovered in 2013 and is one of five known ICS tailored malware developed in the past decade. These malwares include
Stuxnet Stuxnet is a Malware, malicious computer worm first uncovered on June 17, 2010, and thought to have been in development since at least 2005. Stuxnet targets supervisory control and data acquisition (SCADA) systems and is believed to be responsibl ...
, BlackEnergy, Industroyer/CRASHOVERRIDE, and TRITON/TRISIS. Energetic Bear began utilizing Havex in a widespread espionage campaign targeting energy, aviation, pharmaceutical, defense, and petrochemical sectors. The campaign targeted victims primarily in the United States and Europe.


Discovery

The Havex malware was discovered by cybersecurity researchers at
F-Secure F-Secure Corporation is a global cyber security and privacy company, which has its headquarters in Helsinki, Finland. The company has offices in Denmark, Finland, France, Germany, India, Italy, Japan, Malaysia, Netherlands, Norway, Poland, Swed ...
and
Symantec Symantec may refer to: * Gen Digital, an American consumer software company formerly known as Symantec * Symantec Security, a brand of enterprise security software purchased by Broadcom Broadcom Inc. is an American multinational corporation, ...
and reported by
ICS-CERT The United States Computer Emergency Readiness Team (US-CERT) was a team under the Cybersecurity and Infrastructure Security Agency of the Department of Homeland Security. On February 24, 2023, the Cybersecurity and Infrastructure Security Agen ...
utilizing information from both of these firms in 2013. The ICS-CERT Alert reported analyzing a new malware campaign targeting ICS equipment via several attack vectors and using OPC to conduct reconnaissance on industrial equipment on the target network.


Description

The Havex malware has two primary components: A RAT and a C&C server written in PHP. Havex also includes an OPC (
Open Platform Communications Open Platform Communications (OPC) is a series of standards and specifications for industrial telecommunication. They are based on Object Linking and Embedding (OLE) for process control. An industrial automation task force developed the original s ...
) scanning module used to search for industrial devices on a network. The OPC scanning module was designed to scan for TCP devices operating on ports 44818, 105 and 502. Researchers at SANS noted these ports are common to ICS/SCADA companies such as Siemens and Rockwell Automation. By abusing the OPC protocol, Havex mapped industrial networks once inside victim systems. Researchers note the OPC scanning module only operated on the older DCOM-based (Distributed Component Object Model) OPC standard and not the more recent OPC Unified Architecture (UA). Havex joins the category of ICS tailored malware because it is written to conduct information gathering on these specific systems. Havex also exploited supply chain and watering-hole attacks on ICS vendor websites in addition to spear phishing campaigns to gain access to victim systems. The watering-hole and supply chain attacks were twofold in methodology. In the first method, victims were redirected from legitimate vendor websites to corrupted pages containing the Havex malware. In the second method, the attackers compromised vulnerable vendor websites and corrupted legitimate software to inject the Havex RAT. Users would then unknowingly download the malware when downloading otherwise legitimate software from vendor websites. This method allowed the malware to bypass traditional security measure because software was downloaded by users with authorization to install programs onto the network. Known compromised vendors were MESA Imaging, eWON/Talk2M, and MB Connect Line. While the attack vectors were aimed at business networks, the lack of robust airgaps in many ICS environments could allow malware like Havex to jump easily from business networks to industrial networks and infect ICS/SCADA equipment. Havex, like other backdoor malwares, also allows for the injection of other malicious code onto victim devices. Specifically, Havex was often used to inject the Karagany payload onto compromised devices. Karagany could steal credentials, take screenshots, and transfer files to and from Dragonfly C&C servers.


Affected Regions & Victims

The Dragonfly group utilized Havex malware in an espionage campaign against energy, aviation. pharmaceutical, defense, and petrochemical victims in primarily the United States and Europe. Cybersecurity researchers at Dragos estimated the campaign targeted over 2,000 sites in these regions and sectors. Researchers at
Symantec Symantec may refer to: * Gen Digital, an American consumer software company formerly known as Symantec * Symantec Security, a brand of enterprise security software purchased by Broadcom Broadcom Inc. is an American multinational corporation, ...
observed Havex malware began seeking energy infrastructure targets after initially targeting US and Canadian defense and aviation sectors. Through the discovery process, researchers examined 146 C&C servers associated with the Havex campaign and 88 variants of the malware.


Exploit Kits


Website Redirect Injection

Havex infected systems via watering hole attacks redirecting users to malicious websites. Corrupted websites in this campaign used the LightsOut and Hello exploit kits to infect systems with the Havex and Karagany trojans. The LightsOut exploit kit abused Java and browser vulnerabilities to deliver the Havex and Karagany payloads. The Hello exploit kit is an updated version of the LightsOut exploit kit and came into use in 2013. The updated Hello exploit kit uses
footprinting Footprinting (also known as reconnaissance) is the technique used for gathering information about computer systems and the entities they belong to. To get this information, a hacker might use various tools and technologies. This information is ver ...
to determine target OS versions, fonts, browser add-ons, and other user information. Once this information is gathered, the exploit kit redirects the victim to a malicious
URL A uniform resource locator (URL), colloquially known as an address on the Web, is a reference to a resource that specifies its location on a computer network and a mechanism for retrieving it. A URL is a specific type of Uniform Resource Identi ...
based on the most efficient exploits to gain access to the target.


References

{{Hacking in the 2010s Windows trojans Cyberattacks on energy sector Malware targeting industrial control systems