Havex Deep Dive (English)

Havex: A Deep Dive. Corey Thuen, Digital Bond Labs


Corey Thuen of Digital Bond Labs describes in technical detail how Havex/Dragonfly enumerated OPC servers. Havex is the second ICS malware ever seen in the wild.

Transcript of Havex Deep Dive (English)

Page 1: Havex Deep Dive (English)

Havex: A Deep Dive

Corey Thuen, Digital Bond Labs

Page 2: Havex Deep Dive (English)

Havex Overview

Page 3: Havex Deep Dive (English)

What is Havex?

Crouching Yeti / Energetic Bear APT campaign

Unknown origin

Targets Industrial Control Systems

Page 4: Havex Deep Dive (English)

Havex Delivery

Trojanized Software Installers

Spear-phishing attacks

Waterhole attacks

No 0-day exploits

Page 5: Havex Deep Dive (English)

Havex Analysis

Analysis was conducted against the Havex Remote Access Trojan (RAT) that appeared as a trojanized installer for mbconnect

Analysis of Command & Control traffic/requests

Analysis of Downloadable Modules

Page 6: Havex Deep Dive (English)

Havex Analysis

Command and Control Traffic

Page 7: Havex Deep Dive (English)

Havex Analysis

Command and Control Server analysis

C2 server not secured

Directory browsing possible

Fun but not our focus today

Page 8: Havex Deep Dive (English)

OPC Module Deep Dive

Page 9: Havex Deep Dive (English)

What is OPC?

Common bridge for process control systems

Uses Microsoft COM/DCOM

Standard maintained by OPC Foundation consortium

Page 10: Havex Deep Dive (English)

Analysis Environment

Challenges with ICS malware environments:

ICS Equipment may not be virtualizable

Debugging and monitoring may be difficult

Page 11: Havex Deep Dive (English)

OPC Environment

Win2k8 - Matrikon OPC Simulator Server

WinXPsp3 - Malware execution

Win2k8 - Domain controller (to make DCOM easier)

Page 12: Havex Deep Dive (English)

OPC Environment

Page 13: Havex Deep Dive (English)

OPC Module Analysis

Page 14: Havex Deep Dive (English)

OPC Module Analysis

Sample: SHA-1 6aca45bb78452cd78386b8fa78dbdf2dda7fba6cc06482251e2a6820849c9e82

MD5 6bfc42f7cb1364ef0bfd749776ac6d38

Page 15: Havex Deep Dive (English)

Dynamic Analysis

Regshot

Sysinternals - Procmon

DNS & Network Monitor

VMWare + Snapshots

Page 16: Havex Deep Dive (English)

Dynamic Analysis - Regshot

Page 17: Havex Deep Dive (English)

Dynamic Analysis - Procmon

Page 18: Havex Deep Dive (English)

Static Analysis

Strings

CFF Explorer

IDA Pro

Resource section analysis

Page 19: Havex Deep Dive (English)

Static Analysis - Strings

Page 20: Havex Deep Dive (English)

Static Analysis - CFF Explorer

Page 21: Havex Deep Dive (English)

Static Analysis - IDA

Page 22: Havex Deep Dive (English)

Static Analysis - Resource Section

Decryption & Analysis

Page 23: Havex Deep Dive (English)

OPC Module Code Flow

Page 24: Havex Deep Dive (English)

Code Flow - Decrypt Config File

Page 25: Havex Deep Dive (English)

Code Flow - Create tmp files

Page 26: Havex Deep Dive (English)

Code Flow - Create run log

Page 27: Havex Deep Dive (English)

Code Flow - Find Systems with DCOM

Page 28: Havex Deep Dive (English)

Code Flow - Find Systems with DCOM

OPC uses DCOM for communication

DCOM supports enumeration of connected systems

Step 1 when wanting OPC data is to find available OPC Servers

Page 29: Havex Deep Dive (English)

Code Flow - Enumerate OPC Servers

Page 30: Havex Deep Dive (English)

Code Flow - Enumerate OPC Servers

OPC servers have “tags” that are data points, controls, etc.

OPC tag information is valuable to attackers

Havex uses DCOM to get the list of tags on each OPC server to which it can connect

Page 31: Havex Deep Dive (English)

Code Flow - OPC Output Log

Page 32: Havex Deep Dive (English)

Code Flow - Pack it up for Havex RAT

Page 33: Havex Deep Dive (English)

Summary

1. Havex infects system
2. RAT downloads modules from C2 servers
3. OPC module scans for local OPC servers including tag lists
4. OPC information is packaged up and sent to C2
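The OPC module's scan for local OPC servers (step 3 above) starts with DCOM, which means every candidate host is first contacted on the RPC endpoint mapper, tcp/135. The following detector is an added example, not code from the talk or from Digital Bond: it looks for a single source fanning out over tcp/135 to many distinct hosts inside a short window, which is what the enumeration looks like on the wire. The flow records, the allowlist of known OPC clients and the thresholds are constructed for illustration.

```python
from collections import Counter, defaultdict

# Constructed flow records (ts in seconds, one line per TCP connection).
# 10.0.1.50 sweeps seven hosts on tcp/135 within a few seconds, the way the
# Havex OPC module does when it enumerates OPC servers over DCOM.
# 10.0.1.20 is a hypothetical HMI that legitimately talks to one server.
SAMPLE_FLOWS = (
    [{"ts": 1000 + i, "src": "10.0.1.50", "dst": f"10.0.1.{10 + i}", "dport": 135}
     for i in range(7)]
    + [{"ts": 1000 + 60 * i, "src": "10.0.1.20", "dst": "10.0.1.10", "dport": 135}
       for i in range(10)]
    + [{"ts": 5000, "src": "10.0.1.60", "dst": "10.0.1.10", "dport": 135},
       {"ts": 9000, "src": "10.0.1.60", "dst": "10.0.1.11", "dport": 135}]
)

# Hypothetical allowlist: hosts that are expected to open DCOM sessions
# to many OPC servers (HMIs, historians, OPC tunnellers).
KNOWN_OPC_CLIENTS = {"10.0.1.20"}


def max_distinct_targets(events, window):
    """events: iterable of (ts, dst) for one source.
    Return the largest number of distinct dst seen in any `window` seconds."""
    events = sorted(events)
    in_window = Counter()
    best, oldest = 0, 0
    for ts, dst in events:
        in_window[dst] += 1
        while events[oldest][0] < ts - window:  # drop flows that aged out
            old_dst = events[oldest][1]
            in_window[old_dst] -= 1
            if in_window[old_dst] == 0:
                del in_window[old_dst]
            oldest += 1
        best = max(best, len(in_window))
    return best


def flag_opc_enumerators(flows, min_targets=5, window=300,
                         allowlist=frozenset(KNOWN_OPC_CLIENTS)):
    """Return [(src, distinct_targets)] for sources that reached at least
    `min_targets` different hosts on tcp/135 within `window` seconds."""
    by_src = defaultdict(list)
    for f in flows:
        if f["dport"] == 135 and f["src"] not in allowlist:
            by_src[f["src"]].append((f["ts"], f["dst"]))
    hits = []
    for src, events in by_src.items():
        n = max_distinct_targets(events, window)
        if n >= min_targets:
            hits.append((src, n))
    return sorted(hits)


if __name__ == "__main__":
    print(flag_opc_enumerators(SAMPLE_FLOWS))  # [('10.0.1.50', 7)]
```

Because the allowlist only suppresses known clients, a compromised HMI would not be caught by this rule alone; pair it with the host-side indicators from the dynamic analysis slides (temp files, run log, OPC output log).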

Page 34: Havex Deep Dive (English)

Conclusions

• Havex is not attempting to hide
• No new vulnerabilities or 0-days are used
• OPC Information is collected and delivered to C2
• No control is attempted

These modules are reconnaissance

For who? For what purpose? Is there a specific target desired?

Page 35: Havex Deep Dive (English)

Questions?

Corey [email protected]

@CoreyThuen - Twitter

plus.google.com/+CoreyThuen