During the past year, we've been keeping a close eye on the Havex malware family and the group behind it. Havex is known to be used in targeted attacks against different industry sectors, and it was earlier reported to have specific interest in the energy sector.
The main components of Havex are a general purpose Remote Access Trojan (RAT) and a server written in PHP. The name "Havex" is clearly visible in the server source code:
During the spring of 2014, we noticed that Havex took a specific interest in Industrial Control Systems (ICS) and the group behind it uses an innovative trojan horse approach to compromise victims. The attackers have trojanized software available for download from ICS/SCADA manufacturer websites in an attempt to infect the computers where the software is installed to.
We gathered and analyzed 88 variants of the Havex RAT used to gain access to, and harvest data from, networks and machines of interest. This analysis included investigation of 146 command and control (C&C) servers contacted by the variants, which in turn involved tracing around 1500 IP addresses in an attempt to identify victims.
The attackers use compromised websites, mainly blogs, as C&C servers. Here are some examples of command and control servers used:
We also identified an additional component used by the attackers that includes code to harvest data from infected machines used in ICS/SCADA systems. This indicates that the attackers are not just interested in compromising the networks of companies they are interested in, but are also motivated in having control of the ICS/SCADA systems in those organizations. The source of this motivation is unclear to us.
Trojanized Software as an Infection Vector
The Havex RAT is distributed at least through following channels:
Trojanized installers planted on compromised vendor sites
The spam and exploit kit channels are fairly straightforward distribution mechanisms and we won't analyze them in more detail here.
Of more interest is the third channel, which could be considered a form of "watering-hole attack", as the attackers chose to compromise an intermediary target - the ICS vendor site - in order to gain access to the actual targets.
It appears the attackers abuse vulnerabilities in the software used to run the websites to break in and replace legitimate software installers available for download to customers.
Our research uncovered three software vendor sites that were compromised in this manner. The software installers available on the sites were trojanized to include the Havex RAT. We suspect more similar cases exist but have not been identified yet.
Based on the content of their websites, all three companies are involved in development of applications and appliances for use in industrial applications. These organizations are based in Germany, Switzerland and Belgium. Two of them are suppliers of remote management software for ICS systems and the third develops high-precision industrial cameras and related software.
As an example, we can see the partial results of dynamic analysis for one of the trojanized installers:
The normal, clean installer does not include a file called "mbcheck.dll". This file is actually the Havex malware. The trojanized software installer will drop and execute this file as a part of the normal installation. The user is left with a working system, but the attacker now has a backdoor to access and control the computer.
We were able to locate some of the infected systems and identify the organization affected by the samples analyzed in this report by tracing the IP addresses communicating to the C&C servers used by the Havex RAT.
All of these entities are associated in some way with the development or use of industrial applications or machines. The majority of the victims are located in Europe, though at the time of writing at least one company in California was also observed sending data to the C&C servers. Of the European-based organizations, two are major educational institutions in France that are known for technology-related research; two are German industrial application or machine producers; one is a French industrial machine producer; and one is a Russian construction company that appears to specialize in structural engineering.
Our analysis of Havex sample codes also uncovered its "ICS/SCADA sniffing" behavior. The C&C server will instruct infected computers to download and execute further components, and one of these components appeared very interesting. While analyzing this component, we noticed that it enumerates the local area network and looks for connected resources and servers:
We then noticed that it uses Microsoft Component Object Model (COM) interfaces (CoInitializeEx, CoCreateInstanceEx) to connect to specific services:
To identify which services the sample is interested in, we can simply search for the identifiers seen above, which tell us what kind of interfaces are being used. A bit of googling gives us these names:
Note the mention of "OPCServer" in the names. There are more hints pointing in the same direction -- the strings found in the executable also make several references to “OPC”:
It turns out that OPC stands for OLE for Process Control, and it's a standard way for Windows applications to interact with process control hardware. Using OPC, the malware component gathers any details about connected devices and sends them back to the C&C for the attackers to analyze. It appears that this component is used as a tool for intelligence gathering. So far, we have not seen any payloads that attempt to control the connected hardware.
The attackers behind Havex are conducting industrial espionage using a clever method. Trojanizing ICS/SCADA software installers is an effective method in gaining access to target systems, potentially even including critical infrastructure.
The method of using compromised servers as C&C's is typical for this group. The group doesn't always manage the C&C's in a professional manner, revealing lack of experience in operations. We managed to monitor infected computers connecting to the servers and identify victims from several industry sectors.
The additional payload used to gather details about ICS/SCADA hardware connected to infected devices shows the attackers have direct interest in controlling such environments. This is a pattern that is not commonly observed today.