Havex

Last updated
Havex
Technical name
AliasesOldrea
Type RAT
Author(s) Energetic Bear
Port(s) used44818, 105 and 502
Operating system(s) affectedWindows, Linux, iOS, Android
Written in PHP

Havex malware, also known as Backdoor.Oldrea, is a Remote Access Trojan (RAT) employed by the Russian attributed APT group "Energetic Bear" or "Dragonfly". [1] [2] Havex was discovered in 2013 and is one of five known ICS tailored malware developed in the past decade. These malwares include Stuxnet, BlackEnergy, Industroyer/CRASHOVERRIDE, and TRITON/TRISIS. [3] Energetic Bear began utilizing Havex in a widespread espionage campaign targeting energy, aviation, pharmaceutical, defense, and petrochemical sectors. [1] The campaign targeted victims primarily in the United States and Europe. [2]

Contents

Discovery

The Havex malware was discovered by cybersecurity researchers at F-Secure and Symantec and reported by ICS-CERT utilizing information from both of these firms in 2013. [4] [5] The ICS-CERT Alert reported analyzing a new malware campaign targeting ICS equipment via several attack vectors and using OPC to conduct reconnaissance on industrial equipment on the target network. [2]

Description

The Havex malware has two primary components: A RAT and a C&C server written in PHP. [4] Havex also includes an OPC (Open Platform Communications) scanning module used to search for industrial devices on a network. [2] The OPC scanning module was designed to scan for TCP devices operating on ports 44818, 105 and 502. [6] Researchers at SANS noted these ports are common to ICS/SCADA companies such as Siemens and Rockwell Automation. [6] By abusing the OPC protocol, Havex mapped industrial networks once inside victim systems. [7] Researchers note the OPC scanning module only operated on the older DCOM-based (Distributed Component Object Model) OPC standard and not the more recent OPC Unified Architecture (UA). [2] Havex joins the category of ICS tailored malware because it is written to conduct information gathering on these specific systems. Havex also exploited supply chain and watering-hole attacks on ICS vendor websites in addition to spear phishing campaigns to gain access to victim systems. [5] [6] The watering-hole and supply chain attacks were twofold in methodology. In the first method, victims were redirected from legitimate vendor websites to corrupted pages containing the Havex malware. [1] In the second method, the attackers compromised vulnerable vendor websites and corrupted legitimate software to inject the Havex RAT. Users would then unknowingly download the malware when downloading otherwise legitimate software from vendor websites. [6] This method allowed the malware to bypass traditional security measure because software was downloaded by users with authorization to install programs onto the network. Known compromised vendors were MESA Imaging, eWON/Talk2M, and MB Connect Line. [8] While the attack vectors were aimed at business networks, the lack of robust airgaps in many ICS environments could allow malware like Havex to jump easily from business networks to industrial networks and infect ICS/SCADA equipment. Havex, like other backdoor malwares, also allows for the injection of other malicious code onto victim devices. Specifically, Havex was often used to inject the Karagany payload onto compromised devices. Karagany could steal credentials, take screenshots, and transfer files to and from Dragonfly C&C servers. [6]

Affected Regions & Victims

The Dragonfly group utilized Havex malware in an espionage campaign against energy, aviation. pharmaceutical, defense, and petrochemical victims in primarily the United States and Europe. [1] Cybersecurity researchers at Dragos estimated the campaign targeted over 2,000 sites in these regions and sectors. [9] Researchers at Symantec observed Havex malware began seeking energy infrastructure targets after initially targeting US and Canadian defense and aviation sectors. [10] Through the discovery process, researchers examined 146 C&C servers associated with the Havex campaign and 88 variants of the malware. [11]

Exploit Kits

Website Redirect Injection

Havex infected systems via watering hole attacks redirecting users to malicious websites. [1] Corrupted websites in this campaign used the LightsOut and Hello exploit kits to infect systems with the Havex and Karagany trojans. [10] The LightsOut exploit kit abused Java and browser vulnerabilities to deliver the Havex and Karagany payloads. [10] The Hello exploit kit is an updated version of the LightsOut exploit kit and came into use in 2013. [10] The updated Hello exploit kit uses footprinting to determine target OS versions, fonts, browser add-ons, and other user information. [10] Once this information is gathered, the exploit kit redirects the victim to a malicious URL based on the most efficient exploits to gain access to the target. [10]

Related Research Articles

Malware is any software intentionally designed to cause disruption to a computer, server, client, or computer network, leak private information, gain unauthorized access to information or systems, deprive access to information, or which unknowingly interferes with the user's computer security and privacy. Researchers tend to classify malware into one or more sub-types.

SCADA is a control system architecture comprising computers, networked data communications and graphical user interfaces for high-level supervision of machines and processes. It also covers sensors and other devices, such as programmable logic controllers, which interface with process plant or machinery.

<span class="mw-page-title-main">Timeline of computer viruses and worms</span> Computer malware timeline

This timeline of computer viruses and worms presents a chronological timeline of noteworthy computer viruses, computer worms, Trojan horses, similar malware, related research and events.

Linux malware includes viruses, Trojans, worms and other types of malware that affect the Linux family of operating systems. Linux, Unix and other Unix-like computer operating systems are generally regarded as very well-protected against, but not immune to, computer viruses.

Ransomware is a type of cryptovirological malware that permanently blocks access to the victim's personal data unless a ransom is paid. While some simple ransomware may lock the system without damaging any files, more advanced malware uses a technique called cryptoviral extortion. It encrypts the victim's files, making them inaccessible, and demands a ransom payment to decrypt them. In a properly implemented cryptoviral extortion attack, recovering the files without the decryption key is an intractable problem, and difficult-to-trace digital currencies such as paysafecard or Bitcoin and other cryptocurrencies are used for the ransoms, making tracing and prosecuting the perpetrators difficult.

Watering hole is a computer attack strategy in which an attacker guesses or observes which websites an organization often uses and infects one or more of them with malware. Eventually, some member of the targeted group will become infected. Hacks looking for specific information may only attack users coming from a specific IP address. This also makes the hacks harder to detect and research. The name is derived from predators in the natural world, who wait for an opportunity to attack their prey near watering holes.

Rogue security software is a form of malicious software and internet fraud that misleads users into believing there is a virus on their computer and aims to convince them to pay for a fake malware removal tool that actually installs malware on their computer. It is a form of scareware that manipulates users through fear, and a form of ransomware. Rogue security software has been a serious security threat in desktop computing since 2008. An early example that gained infamy was SpySheriff and its clones, such as Nava Shield.

In computing, the term remote desktop refers to a software- or operating system feature that allows a personal computer's desktop environment to be run remotely from one system, while being displayed on a separate client device. Remote desktop applications have varying features. Some allow attaching to an existing user's session and "remote controlling", either displaying the remote control session or blanking the screen. Taking over a desktop remotely is a form of remote administration.

A zero-day is a vulnerability or security hole in a computer system unknown to its owners, developers or anyone capable of mitigating it. Until the vulnerability is remedied, threat actors can exploit it in a zero-day exploit, or zero-day attack.

Cyber spying, cyber espionage, or cyber-collection is the act or practice of obtaining secrets and information without the permission and knowledge of the holder of the information using methods on the Internet, networks or individual computers through the use of proxy servers, cracking techniques and malicious software including Trojan horses and spyware. Cyber espionage can be used to target various actors- individuals, competitors, rivals, groups, governments, and others- in order to obtain personal, economic, political or military advantages. It may wholly be perpetrated online from computer desks of professionals on bases in far away countries or may involve infiltration at home by computer trained conventional spies and moles or in other cases may be the criminal handiwork of amateur malicious hackers and software programmers.

<span class="mw-page-title-main">Malvertising</span> Use of online advertisement or advertising to spread malware

Malvertising is the use of online advertising to spread malware. It typically involves injecting malicious or malware-laden advertisements into legitimate online advertising networks and webpages. Because advertising content can be inserted into high-profile and reputable websites, malvertising provides malefactors an opportunity to push their attacks to web users who might not otherwise see the ads, due to firewalls, more safety precautions, or the like. Malvertising is "attractive to attackers because they 'can be easily spread across a large number of legitimate websites without directly compromising those websites'."

An exploit kit is a tool used for automatically managing and deploying exploits against a target computer. Exploit kits allow attackers to deliver malware without having advanced knowledge of the exploits being used. Browser exploits are typically used, although they may also include exploits targeting common software, such as Adobe Reader, or the operating system itself. Most kits are written in PHP.

Operational technology (OT) is hardware and software that detects or causes a change, through the direct monitoring and/or control of industrial equipment, assets, processes and events. The term has become established to demonstrate the technological and functional differences between traditional information technology (IT) systems and industrial control systems environment, the so-called "IT in the non-carpeted areas".

<span class="mw-page-title-main">LogicLocker</span> Ransomware worm targeting industrial control systems

LogicLocker, is a cross-vendor ransomware worm that targets Programmable Logic Controllers (PLCs) used in Industrial Control Systems (ICS). First described in a research paper released by the Georgia Institute of Technology, the malware is capable of hijacking multiple PLCs from various popular vendors. The researchers, using a water treatment plant model, were able to demonstrate the ability to display false readings, shut valves and modify Chlorine release to poisonous levels using a Schneider Modicon M241, Schneider Modicon M221 and an Allen Bradley MicroLogix 1400 PLC. The ransomware is designed to bypass weak authentication mechanisms found in various PLCs and lock out legitimate users while planting a logicbomb into the PLC. As of 14 February 2017, it is noted that there are over 1,400 of the same PLCs used in the proof-of-concept attack that were accessible from the internet as found using Shodan.

Numbered Panda is a cyber espionage group believed to be linked with the Chinese military. The group typically targets organizations in East Asia. These organizations include, but are not limited to, media outlets, high-tech companies, and governments. Numbered Panda is believed to have been operating since 2009. However, the group is also credited with a 2012 data breach at the New York Times. One of the group's typical techniques is to send PDF files loaded with malware via spear phishing campaigns. The decoy documents are typically written in traditional Chinese, which is widely used in Taiwan, and the targets are largely associated with Taiwanese interests. Numbered Panda appears to be actively seeking out cybersecurity research relating to the malware they use. After an Arbor Networks report on the group, FireEye noticed a change in the group's techniques to avoid future detection.

Trojan.Win32.DNSChanger is a backdoor trojan that redirects users to various malicious websites through the means of altering the DNS settings of a victim's computer. The malware strain was first discovered by Microsoft Malware Protection Center on December 7, 2006 and later detected by McAfee Labs on April 19, 2009.

Industroyer is a malware framework considered to have been used in the cyberattack on Ukraine’s power grid on December 17, 2016. The attack cut a fifth of Kyiv, the capital, off power for one hour and is considered to have been a large-scale test. The Kyiv incident was the second cyberattack on Ukraine's power grid in two years. The first attack occurred on December 23, 2015. Industroyer is the first ever known malware specifically designed to attack electrical grids. At the same time, it is the fourth malware publicly revealed to target industrial control systems, after Stuxnet, Havex, and BlackEnergy.

BlackEnergy Malware was first reported in 2007 as an HTTP-based toolkit that generated bots to execute distributed denial of service attacks. In 2010, BlackEnergy 2 emerged with capabilities beyond DDoS. In 2014, BlackEnergy 3 came equipped with a variety of plug-ins. A Russian-based group known as Sandworm is attributed with using BlackEnergy targeted attacks. The attack is distributed via a Word document or PowerPoint attachment in an email, luring victims into clicking the seemingly legitimate file.

VPNFilter is malware designed to infect routers and certain network attached storage devices. As of 24 May 2018, it is estimated to have infected approximately 500,000 routers worldwide, though the number of at-risk devices is larger. It can steal data, contains a "kill switch" designed to disable the infected router on command, and is able to persist should the user reboot the router. The FBI believes that it was created by the Russian Fancy Bear group. In February 2022, the CISA announced that a new malware called Cyclops Blink produced by Sandworm had replaced VPNFilter.

Pipedream is a software framework for malicious code targeting programmable logic controllers (PLCs) and industrial control systems (ICS). First publicly disclosed in 2022, it has been described as a "Swiss Army knife" for hacking. It is believed to have been developed by state-level Advanced Persistent Threat actors.

References

  1. 1 2 3 4 5 "Havex". NJCCIC. Retrieved 2018-04-18.
  2. 1 2 3 4 5 "ICS Focused Malware | ICS-CERT". ics-cert.us-cert.gov. Retrieved 2018-04-18.
  3. "Attackers Deploy New ICS Attack Framework "TRITON" and Cause Operational Disruption to Critical Infrastructure | FireEye" . Retrieved 2018-05-14.
  4. 1 2 "ICS Focused Malware (Update A) | ICS-CERT". ics-cert.us-cert.gov. Retrieved 2018-04-18.
  5. 1 2 "Cyber espionage campaign based on Havex RAT hit ICS/SCADA systems". Security Affairs. 2013-06-25. Retrieved 2018-04-18.
  6. 1 2 3 4 5 Nelson, Nell (18 January 2016). "The Impact of Dragonfly Malware on Industrial Control Systems". SANS Institute.
  7. "CRASHOVERRIDE: Analysis of the Threat to Electric Grid Operations" (PDF).
  8. "Full Disclosure of Havex Trojans - NETRESEC Blog". Netresec. 27 October 2014. Retrieved 2018-04-15.
  9. "CRASHOVERRIDE: Analysis of the Threat to Electric Grid Operations" (PDF).
  10. 1 2 3 4 5 6 "Dragonfly: Cyberespionage Attacks Against Energy Suppliers" (PDF). 7 July 2014. Archived from the original (PDF) on August 1, 2014.
  11. "Attackers Using Havex RAT Against Industrial Control Systems | SecurityWeek.Com". www.securityweek.com. Retrieved 2018-04-18.