Havex Deep Dive (English)

Post on 09-Jun-2015


Corey Thuen of Digital Bond Labs describes in technical detail how Havex/Dragonfly enumerated OPC servers. Havex is the second ICS malware ever seen in the wild.

Transcript of Havex Deep Dive (English)

Havex: A Deep Dive

Corey Thuen, Digital Bond Labs

Havex Overview

What is Havex?

Crouching Yeti / Energetic Bear APT campaign

Unknown origin

Targets Industrial Control Systems

Havex Delivery

Trojanized Software Installers

Spear-phishing attacks

Waterhole attacks

No 0-day exploits

Havex Analysis

Analysis was conducted against the Havex Remote Access Trojan (RAT) that appeared as a trojanized installer for mbconnect

Analysis of Command & Control traffic/requests

Analysis of Downloadable Modules

Havex Analysis

Command and Control Traffic

Havex Analysis

Command and Control Server analysis

C2 server not secured

Directory browsing possible

Fun but not our focus today

OPC Module Deep Dive

What is OPC?

Common bridge for process control systems

Uses Microsoft COM/DCOM

Standard maintained by OPC Foundation consortium

Analysis Environment

Challenges with ICS malware environments:

ICS Equipment may not be virtualizable

Debugging and monitoring may be difficult

OPC Environment

Win2k8 - Matrikon OPC Simulator Server

WinXPsp3 - Malware execution

Win2k8 - Domain controller (to make DCOM easier)


OPC Module Analysis

Sample: SHA-1 6aca45bb78452cd78386b8fa78dbdf2dda7fba6cc06482251e2a6820849c9e82

MD5 6bfc42f7cb1364ef0bfd749776ac6d38

Dynamic Analysis

Regshot

Sysinternals - Procmon

DNS & Network Monitor

VMWare + Snapshots

Dynamic Analysis - Regshot

Dynamic Analysis - Procmon

Static Analysis

Strings

CFF Explorer

IDA Pro

Resource section analysis

Static Analysis - Strings

Static Analysis - CFF Explorer

Static Analysis - IDA

Static Analysis - Resource Section

Decryption & Analysis

OPC Module Code Flow

Code Flow - Decrypt Config File

Code Flow - Create tmp files

Code Flow - Create run log

Code Flow - Find Systems with DCOM


OPC uses DCOM for communication

DCOM supports enumeration of connected systems

The first step in collecting OPC data is to find the available OPC servers

Code Flow - Enumerate OPC Servers


OPC servers have “tags” that are data points, controls, etc.

OPC tag information is valuable to attackers

Havex uses DCOM to get the list of tags on each OPC server to which it can connect
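As an added illustration (not part of the talk or of Havex itself), a detection heuristic for the sweep the two Code Flow sections above describe: one client enumerating servers and then walking the tag list on many OPC hosts. The log format, action labels, host names and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real Havex output). One OPC action per line,
# tab-separated: <ISO timestamp> <client host> <OPC server host> <action>.
# Action labels are our own: "server_enum" = client asked a machine which
# OPC servers it hosts, "tag_browse" = client walked that server's tag list.
SAMPLE_LOG = """\
2015-06-09T10:00:01\tWINXP-01\tOPCSRV-A\tserver_enum
2015-06-09T10:00:03\tWINXP-01\tOPCSRV-A\ttag_browse
2015-06-09T10:00:05\tWINXP-01\tOPCSRV-B\tserver_enum
2015-06-09T10:00:07\tWINXP-01\tOPCSRV-B\ttag_browse
2015-06-09T10:00:09\tWINXP-01\tOPCSRV-C\tserver_enum
2015-06-09T10:00:11\tWINXP-01\tOPCSRV-C\ttag_browse
2015-06-09T10:30:00\tHMI-01\tOPCSRV-A\ttag_browse
"""

def parse_log(text):
    """Parse the tab-separated records into (timestamp, client, server, action)."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, client, server, action = line.split("\t")
            events.append((datetime.fromisoformat(ts), client, server, action))
    return events

def find_opc_recon(events, min_servers=3, window=timedelta(minutes=10)):
    """Return {client: [servers]} for clients that both enumerated and
    tag-browsed at least `min_servers` distinct OPC servers within `window`.
    A normal HMI talks to a few configured servers; a sweep with a tag dump
    on each host is the reconnaissance pattern described in the slides."""
    per_client = defaultdict(list)
    for ts, client, server, action in events:
        per_client[client].append((ts, server, action))
    flagged = {}
    for client, evs in per_client.items():
        evs.sort()
        for i in range(len(evs)):
            start = evs[i][0]
            seen = defaultdict(set)  # server -> actions observed in window
            for ts, server, action in evs[i:]:
                if ts - start > window:
                    break
                seen[server].add(action)
            swept = sorted(s for s, acts in seen.items()
                           if {"server_enum", "tag_browse"} <= acts)
            if len(swept) >= min_servers:
                flagged[client] = swept
                break
    return flagged
```

The threshold is deliberately low for the sample; in a plant, tune `min_servers` to the number of OPC servers a legitimate client is configured to use.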

Code Flow - OPC Output Log

Code Flow - Pack it up for Havex RAT

Summary

1. Havex infects system
2. RAT downloads modules from C2 servers
3. OPC module scans for local OPC servers including tag lists
4. OPC information is packaged up and sent to C2

Conclusions

• Havex is not attempting to hide
• No new vulnerabilities or 0-days are used
• OPC information is collected and delivered to C2
• No control is attempted

These modules are reconnaissance

For who? For what purpose? Is there a specific target desired?

Questions?

Corey Thuen, thuen@digitalbond.com

@CoreyThuen - Twitter, plus.google.com/+CoreyThuen