HOME

TheInfoList



Click Here for Items Related To - Havex
OR:
Havex on:   [Wikipedia]   [Google]   [Amazon]

Havex malware, also known as Backdoor.Oldrea, is a
RAT Rats are various medium-sized, long-tailed rodents. Species of rats are found throughout the order Rodentia, but stereotypical rats are found in the genus ''Rattus''. Other rat genera include ''Neotoma'' ( pack rats), ''Bandicota'' (bandicoot ...
employed by the Russian attributed APT group “
Energetic Bear Berserk Bear (aka Crouching Yeti, Dragonfly, Dragonfly 2.0, DYMALLOY, Energetic Bear, Havex, IRON LIBERTY, Koala, or TeamSpy) is a Russian cyber espionage group, sometimes known as an advanced persistent threat. According to the United States, the ...
” or “Dragonfly." Havex was discovered in 2013 and is one of five known ICS tailored malware developed in the past decade. These malwares include
Stuxnet Stuxnet is a malicious computer worm first uncovered in 2010 and thought to have been in development since at least 2005. Stuxnet targets supervisory control and data acquisition ( SCADA) systems and is believed to be responsible for causing su ...
,
BlackEnergy BlackEnergy Malware was first reported in 2007 as an HTTP-based toolkit that generated bots to execute distributed denial of service attacks. In 2010, BlackEnergy 2 emerged with capabilities beyond DDoS. In 2014, BlackEnergy 3 came equipped with a v ...
, Industroyer/CRASHOVERRIDE, and TRITON/TRISIS. Energetic Bear began utilizing Havex in a widespread espionage campaign targeting energy, aviation, pharmaceutical, defense, and petrochemical sectors. The campaign targeted victims primarily in the United States and Europe.


Discovery

The Havex malware was discovered by cybersecurity researchers at
F-Secure F-Secure Corporation is a global cyber security and privacy company, which has its headquarters in Helsinki, Finland. The company has offices in Denmark, Finland, France, Germany, India, Italy, Japan, Malaysia, Netherlands, Norway, Poland, Sweden, ...
and Symantec and reported by
ICS-CERT The United States Computer Emergency Readiness Team (US-CERT) is an organization within the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA). Specifically, US-CERT is a branch of the Office of C ...
utilizing information from both of these firms in 2013. The ICS-CERT Alert reported analyzing a new malware campaign targeting ICS equipment via several attack vectors and using OPC to conduct reconnaissance on industrial equipment on the target network.


Description

The Havex malware has two primary components: A RAT and a C&C server written in PHP. Havex also includes an OPC (
Open Platform Communications Open Platform Communications (OPC) is a series of standards and specifications for industrial telecommunication. They are based on Object Linking and Embedding (OLE) for process control. An industrial automation task force developed the original ...
) scanning module used to search for industrial devices on a network. The OPC scanning module was designed to scan for TCP devices operating on ports 44818, 105 and 502. Researchers at SANS noted these ports are common to ICS/SCADA companies such as Siemens and Rockwell Automation. By abusing the OPC protocol, Havex mapped industrial networks once inside victim systems. Researchers note the OPC scanning module only operated on the older DCOM-based (Distributed Component Object Model) OPC standard and not the more recent OPC Unified Architecture (UA). Havex joins the category of ICS tailored malware because it is written to conduct information gathering on these specific systems. Havex also exploited supply chain and watering-hole attacks on ICS vendor websites in addition to spear phishing campaigns to gain access to victim systems. The watering-hole and supply chain attacks were twofold in methodology. In the first method, victims were redirected from legitimate vendor websites to corrupted pages containing the Havex malware. In the second method, the attackers compromised vulnerable vendor websites and corrupted legitimate software to inject the Havex RAT. Users would then unknowingly download the malware when downloading otherwise legitimate software from vendor websites. This method allowed the malware to bypass traditional security measure because software was downloaded by users with authorization to install programs onto the network. Known compromised vendors were MESA Imaging, eWON/Talk2M, and MB Connect Line. While the attack vectors were aimed at business networks, the lack of robust airgaps in many ICS environments could allow malware like Havex to jump easily from business networks to industrial networks and infect ICS/SCADA equipment. Havex, like other backdoor malwares, also allows for the injection of other malicious code onto victim devices. Specifically, Havex was often used to inject the Karagany payload onto compromised devices. Karagany could steal credentials, take screenshots, and transfer files to and from Dragonfly C&C servers.


Affected Regions & Victims

The Dragonfly group utilized Havex malware in an espionage campaign against energy, aviation. pharmaceutical, defense, and petrochemical victims in primarily the United States and Europe. Cybersecurity researchers at Dragos estimated the campaign targeted over 2,000 sites in these regions and sectors. Researchers at Symantec observed Havex malware began seeking energy infrastructure targets after initially targeting US and Canadian defense and aviation sectors. Through the discovery process, researchers examined 146 C&C servers associated with the Havex campaign and 88 variants of the malware.


Exploit Kits


Website Redirect Injection

Havex infected systems via watering hole attacks redirecting users to malicious websites. Corrupted websites in this campaign used the LightsOut and Hello exploit kits to infect systems with the Havex and Karagany trojans. The LightsOut exploit kit abused Java and browser vulnerabilities to deliver the Havex and Karagany payloads. The Hello exploit kit is an updated version of the LightsOut exploit kit and came into use in 2013. The updated Hello exploit kit uses
footprinting Footprinting (also known as reconnaissance) is the technique used for gathering information about computer systems and the entities they belong to. To get this information, a hacker might use various tools and technologies. This information is v ...
to determine target OS versions, fonts, browser add-ons, and other user information. Once this information is gathered, the exploit kit redirects the victim to a malicious
URL A Uniform Resource Locator (URL), colloquially termed as a web address, is a reference to a web resource that specifies its location on a computer network and a mechanism for retrieving it. A URL is a specific type of Uniform Resource Identifie ...
based on the most efficient exploits to gain access to the target.


References

{{Hacking in the 2010s Windows trojans Cyberattacks on energy sector Malware targeting industrial control systems