Home / malware Havex
First posted on 05 April 2015.
Source: SecurityHomeAliases :
There are no other names known for Havex.
Explanation :
Just like Famous Stuxnet Worm, which was specially designed to sabotage the Iranian nuclear project, the new trojan Havex is also programmed to infect industrial control system softwares of SCADA and ICS systems, with the capability to possibly disable hydroelectric dams, overload nuclear power plants, and even can shut down a countrys power grid with a single keystroke.
According to security firm F-Secure who first discovered it as Backdoor:W32/Havex.A., it is a generic remote access Trojan (RAT) and has recently been used to carry out industrial espionage against a number of companies in Europe that use or develop industrial applications and machines.
TROJANIZED INSTALLERS
To accomplish this, besides traditional infection methods such as exploit kits and spam emails, cybercriminals also used an another effective method to spread Havex RAT, i.e. hacking the websites of software companies and waiting for the targets to install trojanized versions of legitimate apps.
During installation, the trojanized software setup drops a file called "mbcheck.dll", which is actually Havex malware, that attackers are using as a backdoor. "The C&C server will [then] instruct infected computers to download and execute further components,"
INFORMATION GATHERING
Havex RAT is equipped with a new component, whose purpose is to gather network and connected devices information by leveraging the OPC (Open Platform Communications) standard.
OPC is a communications standard that allows interaction between Windows-based SCADA applications and process control hardware. The malware scans the local network for the devices that respond to OPC requests to gather information about industrial control devices and then sends that information back to its command-and-control (C&C) server.
Other than this, it also include information-harvesting tools that gather data from the infected systems, such as:
- Operating system related information
- A Credential-harvesting tool that stole passwords stored on open web browsers
- A component that communicates to different Command-&-Control servers using custom protocols and execute tertiary payloads in memory.
MOTIVATION?
While their motivation is unclear at this point, "We also identified an additional component used by the attackers that includes code to harvest data from infected machines used in ICS/SCADA systems. This indicates that the attackers are not just interested in compromising the networks of companies they are interested in, but are also motivated in having control of the ICS/SCADA systems in those organizations." F-Secure noticed.
HAVEX TROJAN FROM RUSSIANS ?
In January this year, Cybersecurity firm CrowdStrike revealed about a cyber espionage campaign, dubbed "Energetic Bear," where hackers possibly tied to Russian Federation penetrating the computer networks of energy companies in Europe, the United States and Asia.
According to CrowdStrike, the Malwares used in those cyber attacks were HAVEX RAT and SYSMain RAT, and possibly HAVEX RAT is itself a newer version of the SYSMain RAT, and both tools have been operated by the attackers since at least 2011.
That means, It is possible that Havex RAT could be somehow linked to Russian hackers or state-sponsored by Russian Government.Last update 05 April 2015