CINXE.COM
News from the Lab Archive : January 2004 to September 2015
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="content-type" content="text/html;charset=iso-8859-1"> <META HTTP-EQUIV="Pragma" CONTENT="no-cache"> <META HTTP-EQUIV="Cache-Control" CONTENT="no-cache"> <title>News from the Lab Archive : January 2004 to September 2015</title> <meta name="description" content="The original antivirus blog."> <meta name="keywords" content="F-Secure Labs"> <link rel="stylesheet" href="main.css" type="text/css" media="screen"> <link rel="SHORTCUT ICON" href="https://www.f-secure.com/theme/images/favicon.ico"> </head> <body> <div id="besure"></div> <div id="bodyWrapper"> <table id="mainTable" border="0" cellpadding="0" cellspacing="0"> <tbody> <tr> <td id="logo" valign="top"> <div id="logo" style="border-left:1px solid #d5d5d5; border-top:1px solid #d5d5d5; width:780px; height:197px;"><a href="https://www.f-secure.com/labs"><img width="780" height="197" src="FSecureLabs.png" border="0" alt="F-Secure Labs"></a></div> </td> </tr> <tr> <td id="mainContentContainer" valign="top"> <div id="mod"> <table id="modTable" cellpadding="0" cellspacing="0"> <tbody> <tr> <td class="modSectionTd"> <div class="modSubHeaderBg"><table width="100%"><tbody><td style="text-align:left; font-size: 0.8em; width:5%;"><a href='https://www.f-secure.com/weblog/archives/00002717' onmouseout='window.status=\'';return true' onmouseover='window.status=\'06/16/14: Necurs - Rootkit For Hire\';return true' style='color: white; font-family: courier, verdana;' target='_top'><<<</a></td><td style="width:90%;"><center>NEWS FROM THE LAB - Monday, June 23, 2014</center></td><td style="text-align:right; font-size: 0.8em; width:5%;"><a href='https://www.f-secure.com/weblog/archives/00002719' onmouseout='window.status=\'';return true' onmouseover='window.status=\'06/26/14: You Are Responsible For Your Security And Privacy\';return true' style='color: white; font-family: courier, verdana;' target='_top'>>>></a></td></tbody></table></div> <div> </div> <div><center><b><a href="https://www.f-secure.com/weblog/archives/">ARCHIVES</a> | <a href="https://www.bing.com/search?q=site:f-secure.com/weblog">SEARCH</a></b></center></div> <div><hr></div> <div> </div> <div class="modSectionTd2"><a name="00002718"></a><table width="100%" cellpadding="1" cellspacing="0" border="0"><tbody> <tr> <td style="text-align:left; font-size:12px; width:60%;"><a href='https://www.f-secure.com/weblog/archives/00002718'><b>Havex Hunts For ICS/SCADA Systems</b></a></td> <td style="text-align:right; font-size:12px; width:40%;">Posted by Daavid @ 14:46 GMT</td></tr><tr><td colspan="2"><hr style="border:none; border-top: 1px solid #dddddd; border-bottom: 1px solid #ffffff;"></td></tr></tbody></table><p align="justify"><span class="rss:item">During the past year, we've been keeping a close eye on the Havex malware family and the group behind it. Havex is known to be used in targeted attacks against different industry sectors, and it was <a href="https://www.crowdstrike.com/sites/all/themes/crowdstrike2/css/imgs/platform/CrowdStrike_Global_Threat_Report_2013.pdf">earlier reported</a> to have specific interest in the energy sector. <br /><br />The main components of Havex are a general purpose Remote Access Trojan (RAT) and a server written in PHP. The name "Havex" is clearly visible in the server source code:<br /><br /><img border="0" src="https://www.f-secure.com/weblog/archives/cnc5.png" alt="Havex server source code"/><br /><br />During the spring of 2014, we noticed that Havex took a specific interest in Industrial Control Systems (ICS) and the group behind it uses an innovative trojan horse approach to compromise victims. The attackers have trojanized software available for download from ICS/SCADA manufacturer websites in an attempt to infect the computers where the software is installed to.<br /><br />We gathered and analyzed 88 variants of the Havex RAT used to gain access to, and harvest data from, networks and machines of interest. This analysis included investigation of 146 command and control (C&C) servers contacted by the variants, which in turn involved tracing around 1500 IP addresses in an attempt to identify victims. <br /><br />The attackers use compromised websites, mainly blogs, as C&C servers. Here are some examples of command and control servers used:<br /><br /><img border="0" src="https://www.f-secure.com/weblog/archives/cnc_list.png" alt="Havex C2 servers"/><br /><br />We also identified an additional component used by the attackers that includes code to harvest data from infected machines used in ICS/SCADA systems. This indicates that the attackers are not just interested in compromising the networks of companies they are interested in, but are also motivated in having control of the ICS/SCADA systems in those organizations. The source of this motivation is unclear to us.<br /><br /><b>Trojanized Software as an Infection Vector</b><br /><br />The Havex RAT is distributed at least through following channels:<br /><ul><br /><li>Spam email<br /><li>Exploit kits<br /><li>Trojanized installers planted on compromised vendor sites<br /></ul><br />The spam and exploit kit channels are fairly straightforward distribution mechanisms and we won't analyze them in more detail here.<br /><br />Of more interest is the third channel, which could be considered a form of "watering-hole attack", as the attackers chose to compromise an intermediary target - the ICS vendor site - in order to gain access to the actual targets. <br /><br />It appears the attackers abuse vulnerabilities in the software used to run the websites to break in and replace legitimate software installers available for download to customers.<br /><br />Our research uncovered three software vendor sites that were compromised in this manner. The software installers available on the sites were trojanized to include the Havex RAT. We suspect more similar cases exist but have not been identified yet. <br /><br />Based on the content of their websites, all three companies are involved in development of applications and appliances for use in industrial applications. These organizations are based in Germany, Switzerland and Belgium. Two of them are suppliers of remote management software for ICS systems and the third develops high-precision industrial cameras and related software.<br /><br />As an example, we can see the partial results of dynamic analysis for one of the trojanized installers:<br /><br /><img border="0" src="https://www.f-secure.com/weblog/archives/beh_create_700.png" alt="Trojanized installer"/><br /><br />The normal, clean installer does not include a file called "mbcheck.dll". This file is actually the Havex malware. The trojanized software installer will drop and execute this file as a part of the normal installation. The user is left with a working system, but the attacker now has a backdoor to access and control the computer.<br /><br /><b>Target Organizations</b><br /><br />We were able to locate some of the infected systems and identify the organization affected by the samples analyzed in this report by tracing the IP addresses communicating to the C&C servers used by the Havex RAT.<br /><br />All of these entities are associated in some way with the development or use of industrial applications or machines. The majority of the victims are located in Europe, though at the time of writing at least one company in California was also observed sending data to the C&C servers. Of the European-based organizations, two are major educational institutions in France that are known for technology-related research; two are German industrial application or machine producers; one is a French industrial machine producer; and one is a Russian construction company that appears to specialize in structural engineering.<br /><br /><b>ICS/SCADA Sniffer</b><br /><br />Our analysis of Havex sample codes also uncovered its "ICS/SCADA sniffing" behavior. The C&C server will instruct infected computers to download and execute further components, and one of these components appeared very interesting. While analyzing this component, we noticed that it enumerates the local area network and looks for connected resources and servers:<br /><br /><img border="0" src="https://www.f-secure.com/weblog/archives/scan_lan.png" alt="Havex scans LAN"/><br /><br />We then noticed that it uses Microsoft Component Object Model (COM) interfaces (CoInitializeEx, CoCreateInstanceEx) to connect to specific services:<br /><br /><img border="0" src="https://www.f-secure.com/weblog/archives/com_initialization_700.png" alt="Havex calls COM"/><br /><br />To identify which services the sample is interested in, we can simply search for the identifiers seen above, which tell us what kind of interfaces are being used. A bit of googling gives us these names:<br /><ul><br /><li><b>9DD0B56C-AD9E-43EE-8305-487F3188BF7A</b> = IID_IOPCServerList2<br /><li><b>13486D51-4821-11D2-A494-3CB306C10000</b> = CLSID_OPCServerList<br /></ul><br />Note the mention of "OPCServer" in the names. There are more hints pointing in the same direction -- the strings found in the executable also make several references to �OPC�:<br /><br /><img border="0" shttps://www.f-secure.com.com/weblog/archives/havex_opc_strings.png" alt="Havex OPC strings"/><br /><br />It turns out that OPC stands for <a href="https://en.wikipedia.org/wiki/OLE_for_Process_Control">OLE for Process Control</a>, and it's a standard way for Windows applications to interact with process control hardware. Using OPC, the malware component gathers any details about connected devices and sends them back to the C&C for the attackers to analyze. It appears that this component is used as a tool for intelligence gathering. So far, we have not seen any payloads that attempt to control the connected hardware.<br /><br /><b>Summary</b><br /><br />The attackers behind Havex are conducting industrial espionage using a clever method. Trojanizing ICS/SCADA software installers is an effective method in gaining access to target systems, potentially even including critical infrastructure.<br /><br />The method of using compromised servers as C&C's is typical for this group. The group doesn't always manage the C&C's in a professional manner, revealing lack of experience in operations. We managed to monitor infected computers connecting to the servers and identify victims from several industry sectors.<br /><br />The additional payload used to gather details about ICS/SCADA hardware connected to infected devices shows the attackers have direct interest in controlling such environments. This is a pattern that is not commonly observed today.<br /><br />SHA-1 hashes of the samples discussed:<br /><br />7f249736efc0c31c44e96fb72c1efcc028857ac7 <br />1c90ecf995a70af8f1d15e9c355b075b4800b4de<br />db8ed2922ba5f81a4d25edb7331ea8c0f0f349ae<br />efe9462bfa3564fe031b5ff0f2e4f8db8ef22882<br /><br />F-Secure detects this threat as <b>Backdoor:W32/Havex.A</b>.<br /><br />Post by — <a href="https://twitter.com/daavidhentunen">Daavid</a> and <a href="https://twitter.com/anttitikkanen">Antti</a></span><br><br><br><br><br></p></div> </td> </tr> </tbody> </table> </div> </td> </tr> </tbody> </table> </div> </body> </html>