Havex

Havex malware, also known as Backdoor.Oldrea, is a Remote Access Trojan (RAT) employed by the Russian attributed APT group "Energetic Bear" or "Dragonfly". Havex was discovered in 2013 and is one of five known ICS tailored malware developed in the past decade. These malwares include Stuxnet, BlackEnergy, Industroyer/CRASHOVERRIDE, and TRITON/TRISIS. Energetic Bear began utilizing Havex in a widespread espionage campaign targeting energy, aviation, pharmaceutical, defense, and petrochemical sectors. The campaign targeted victims primarily in the United States and Europe.

Discovery
The Havex malware was discovered by cybersecurity researchers at F-Secure and Symantec and reported by ICS-CERT utilizing information from both of these firms in 2013. The ICS-CERT Alert reported analyzing a new malware campaign targeting ICS equipment via several attack vectors and using OPC to conduct reconnaissance on industrial equipment on the target network.

Description
The Havex malware has two primary components: A RAT and a C&C server written in PHP. Havex also includes an OPC (Open Platform Communications) scanning module used to search for industrial devices on a network. The OPC scanning module was designed to scan for TCP devices operating on ports 44818, 105 and 502. Researchers at SANS noted these ports are common to ICS/SCADA companies such as Siemens and Rockwell Automation. By abusing the OPC protocol, Havex mapped industrial networks once inside victim systems. Researchers note the OPC scanning module only operated on the older DCOM-based (Distributed Component Object Model) OPC standard and not the more recent OPC Unified Architecture (UA). Havex joins the category of ICS tailored malware because it is written to conduct information gathering on these specific systems. Havex also exploited supply chain and watering-hole attacks on ICS vendor websites in addition to spear phishing campaigns to gain access to victim systems. The watering-hole and supply chain attacks were twofold in methodology. In the first method, victims were redirected from legitimate vendor websites to corrupted pages containing the Havex malware. In the second method, the attackers compromised vulnerable vendor websites and corrupted legitimate software to inject the Havex RAT. Users would then unknowingly download the malware when downloading otherwise legitimate software from vendor websites. This method allowed the malware to bypass traditional security measure because software was downloaded by users with authorization to install programs onto the network. Known compromised vendors were MESA Imaging, eWON/Talk2M, and MB Connect Line. While the attack vectors were aimed at business networks, the lack of robust airgaps in many ICS environments could allow malware like Havex to jump easily from business networks to industrial networks and infect ICS/SCADA equipment. Havex, like other backdoor malwares, also allows for the injection of other malicious code onto victim devices. Specifically, Havex was often used to inject the Karagany payload onto compromised devices. Karagany could steal credentials, take screenshots, and transfer files to and from Dragonfly C&C servers.

Affected Regions & Victims
The Dragonfly group utilized Havex malware in an espionage campaign against energy, aviation. pharmaceutical, defense, and petrochemical victims in primarily the United States and Europe. Cybersecurity researchers at Dragos estimated the campaign targeted over 2,000 sites in these regions and sectors. Researchers at Symantec observed Havex malware began seeking energy infrastructure targets after initially targeting US and Canadian defense and aviation sectors. Through the discovery process, researchers examined 146 C&C servers associated with the Havex campaign and 88 variants of the malware.

Website Redirect Injection
Havex infected systems via watering hole attacks redirecting users to malicious websites. Corrupted websites in this campaign used the LightsOut and Hello exploit kits to infect systems with the Havex and Karagany trojans. The LightsOut exploit kit abused Java and browser vulnerabilities to deliver the Havex and Karagany payloads. The Hello exploit kit is an updated version of the LightsOut exploit kit and came into use in 2013. The updated Hello exploit kit uses footprinting to determine target OS versions, fonts, browser add-ons, and other user information. Once this information is gathered, the exploit kit redirects the victim to a malicious URL based on the most efficient exploits to gain access to the target.