Havex: A Deep Dive
Corey Thuen, Digital Bond Labs
Havex Overview
What is Havex?
Crouching Yeti / Energetic Bear APT campaign
Unknown origin
Targets Industrial Control Systems
Havex Delivery
Trojanized Software Installers
Spear-phishing attacks
Waterhole attacks
No 0-day exploits
Havex Analysis
Analysis was conducted against the Havex Remote Access Trojan (RAT) that appeared as a trojanized installer for mbconnect
Analysis of Command & Control traffic requests
Analysis of Downloadable Modules
Havex Analysis
Command and Control Traffic
Havex Analysis
Command and Control Server analysis
C2 server not secured
Directory browsing possible
Fun but not our focus today
OPC Module Deep Dive
What is OPC?
Common bridge for process control systems
Uses Microsoft COM/DCOM
Standard maintained by OPC Foundation consortium
Analysis Environment
Challenges with ICS malware environments:
ICS Equipment may not be virtualizable
Debugging and monitoring may be difficult
OPC Environment
Win2k8 - Matrikon OPC Simulator Server
WinXPsp3 - Malware execution
Win2k8 - Domain controller (to make DCOM easier)
OPC Module Analysis
Sample hash (labelled SHA-1 on the slide, but the value is 64 hex characters, i.e. SHA-256 length): 6aca45bb78452cd78386b8fa78dbdf2dda7fba6cc06482251e2a6820849c9e82
MD5: 6bfc42f7cb1364ef0bfd749776ac6d38
Dynamic Analysis
Regshot
Sysinternals - Procmon
DNS & Network Monitor
VMWare + Snapshots
Dynamic Analysis - Regshot
Dynamic Analysis - Procmon
Static Analysis
Strings
CFF Explorer
IDA Pro
Resource section analysis
Static Analysis - Strings
Static Analysis - CFF Explorer
Static Analysis - IDA
Static Analysis - Resource Section
Decryption & Analysis
OPC Module Code Flow
Code Flow - Decrypt Config File
Code Flow - Create tmp files
Code Flow - Create run log
Code Flow - Find Systems with DCOM
OPC uses DCOM for communication
DCOM supports enumeration of connected systems
The first step in obtaining OPC data is to find the available OPC servers
Code Flow - Enumerate OPC Servers
OPC servers have “tags” that are data points, controls, etc.
OPC tag information is valuable to attackers
Havex uses DCOM to get the list of tags on each OPC server to which it can connect
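The enumeration behaviour described above has a network footprint a defender can look for: a single host opening DCOM sessions to many OPC servers in a short window. The script below is an added example, not code from the Digital Bond slides or from the Havex sample. It assumes connection records in a constructed "timestamp src -> dst:port" format, and it keys on TCP 135 because DCOM sessions start at the RPC endpoint mapper (a known DCOM fact, not something stated on the slides). Thresholds, host names and the log lines themselves are constructed for the example.

```python
"""
Added example: flag hosts whose DCOM connection fan-out looks like the
OPC-server enumeration the Havex OPC module performs.

Assumptions (not from the original slides):
  - connection records look like "<ISO timestamp> <src> -> <dst>:<port>"
  - DCOM sessions begin with the RPC endpoint mapper on TCP 135
  - the sample log below is constructed; addresses are illustrative
"""
from collections import defaultdict
from datetime import datetime, timedelta

RPC_EPM_PORT = 135  # DCOM / OPC Classic sessions start at the endpoint mapper

# Constructed sample: 10.1.1.50 plays an infected workstation sweeping the
# network; 10.1.1.20 plays a legitimate HMI polling its usual servers.
SAMPLE_LOG = """\
2014-06-10T09:00:01 10.1.1.50 -> 10.1.1.10:135
2014-06-10T09:00:02 10.1.1.50 -> 10.1.1.11:135
2014-06-10T09:00:02 10.1.1.50 -> 10.1.1.12:135
2014-06-10T09:00:03 10.1.1.50 -> 10.1.1.13:135
2014-06-10T09:00:05 10.1.1.50 -> 198.51.100.7:80
2014-06-10T09:10:00 10.1.1.20 -> 10.1.1.10:135
2014-06-10T09:40:00 10.1.1.20 -> 10.1.1.10:135
2014-06-10T10:20:00 10.1.1.20 -> 10.1.1.11:135
"""


def parse_line(line):
    """Split one record into (timestamp, src, dst, port)."""
    ts, src, _arrow, dst_port = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst, int(port)


def dcom_fanout(lines, window=timedelta(minutes=5), threshold=3, allow=frozenset()):
    """Return {src: sorted distinct DCOM targets} for every source that
    contacted more than `threshold` distinct hosts on TCP 135 within any
    `window`-long span.  Hosts in `allow` (known OPC clients that are
    expected to talk to many servers) are never reported."""
    by_src = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, port = parse_line(line)
        if port == RPC_EPM_PORT and src not in allow:
            by_src[src].append((ts, dst))

    alerts = {}
    for src, events in by_src.items():
        events.sort()  # chronological; tuples sort on timestamp first
        for i, (t0, _) in enumerate(events):
            # Distinct targets reached within `window` of this event.
            seen = {dst for ts, dst in events[i:] if ts - t0 <= window}
            if len(seen) > threshold:
                alerts[src] = sorted(seen)
                break
    return alerts


if __name__ == "__main__":
    for src, targets in dcom_fanout(SAMPLE_LOG.splitlines()).items():
        print(f"possible OPC enumeration from {src}: {len(targets)} DCOM targets {targets}")
```

On the constructed sample only 10.1.1.50 is reported: it reached four distinct hosts on TCP 135 within three seconds, while the HMI's two servers are spread over an hour. In a real plant the allowlist would hold the HMI and historian hosts that legitimately browse many OPC servers, and the threshold would be set from a baseline of normal DCOM traffic rather than the value used here.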
Code Flow - OPC Output Log
Code Flow - Pack it up for Havex RAT
Summary
1. Havex infects system
2. RAT downloads modules from C2 servers
3. OPC module scans for local OPC servers including tag lists
4. OPC information is packaged up and sent to C2
Conclusions
• Havex is not attempting to hide
• No new vulnerabilities or 0-days are used
• OPC information is collected and delivered to C2
• No control is attempted
These modules are reconnaissance
For who? For what purpose? Is there a specific target desired?
Recommended