by Ruchna Nigam  |  Jul 15, 2014  |  Filed in: Security Research

Following a post by F-Secure this June that brought to light a variant of the Havex malware family targeting ICS/SCADA systems, there has been much speculation about the motives behind this malware campaign. That makes Havex only the second known malware family directly targeting SCADA equipment, after the infamous Stuxnet, which reportedly set back Iran's nuclear program by 2 years.

Symantec has called the attackers Dragonfly, while CrowdStrike refers to them as Energetic Bear in its 2013 Threat Report.

Overall, the malware has two components:

• The downloader: the part used in the watering-hole attack. It is served, Trojanized as PLC management software, by compromised ICS vendor sites; once running, it contacts the C&C servers and downloads new modules to the infected machine. Kyle Yang's post on the Evolution of the Havex Module Downloader explains the downloader in detail.

• A module: it appears to scan for OPC servers on the local LAN and collect information about them.

So, what is an OPC Server?
OPC (OLE for Process Control) is a standard for communication between a Windows application and process control hardware. In an industrial setup, an OPC server would typically be a machine controlling process control hardware such as PLCs.

To add our own two cents, we set up two OPC servers to see the exact information collected by this malware and what it does with this information.

To begin with, the malware successfully finds a machine on the network and detects our two OPC servers running on it. The figure below shows the information collected by the malware.

Fig 1: Data collected by the module after scanning the LAN

This collected data is compressed using bzip, encrypted using RSAEuro and finally saved as a .yls file in the temporary folder on the machine.

This .yls file was not sent to the attackers in any of our tests so far, even though the behavior of previous Havex variants would lead one to expect it, which adds to the uncertainty about the motives behind this attack.

In addition, two files are created in the executable's own directory, "OPCServer01.txt" and "OPCServer02.txt", one for each OPC server found on the machine.

The two files contain information regarding these servers, as shown below.

Fig 2: OPCServer01.txt

Fig 3: OPC Server Tags alongside the OPCServer02.txt file
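A host-triage check for the on-disk artifacts described above (the .yls collection file in the temporary folder and the OPCServerNN.txt files written beside the executable). This is an added example written for this post, not Fortinet's or the malware's code; the file listing is constructed, and the temp-folder path heuristic and the ".exe sibling" rule are assumptions.

```python
import re
from pathlib import PureWindowsPath

# Assumption: the temporary folder shows up as a "\temp\" or "\tmp\" path component.
TEMP_DIR_HINTS = ("\\temp\\", "\\tmp\\")
# The post describes OPCServer01.txt / OPCServer02.txt, one per discovered server.
OPC_TXT_RE = re.compile(r"^OPCServer\d{2}\.txt$", re.IGNORECASE)


def find_havex_opc_artifacts(paths):
    """Return (path, reason) findings for the artifacts the post describes.

    A .yls file is only flagged inside a temporary folder, since the post
    places it there; OPCServerNN.txt files are reported together with any
    executable sitting in the same directory, to help locate the module.
    """
    by_dir = {}
    for p in paths:
        wp = PureWindowsPath(p)
        by_dir.setdefault(str(wp.parent).lower(), []).append(wp)

    findings = []
    for p in paths:
        wp = PureWindowsPath(p)
        if wp.suffix.lower() == ".yls" and any(h in str(wp).lower() for h in TEMP_DIR_HINTS):
            findings.append((p, "encrypted .yls collection file in a temporary folder"))
        if OPC_TXT_RE.match(wp.name):
            exes = [s.name for s in by_dir[str(wp.parent).lower()] if s.suffix.lower() == ".exe"]
            where = ", ".join(exes) if exes else "no executable"
            findings.append((p, "OPCServerNN.txt file beside " + where))
    return findings


# Constructed file listing (not real infection data); the .yls name is a placeholder.
SAMPLE_LISTING = [
    r"C:\Users\alice\AppData\Local\Temp\4f2a.yls",
    r"C:\Users\alice\Downloads\plc_manager\setup.exe",
    r"C:\Users\alice\Downloads\plc_manager\OPCServer01.txt",
    r"C:\Users\alice\Downloads\plc_manager\OPCServer02.txt",
    r"C:\Users\alice\Documents\report.yls",    # outside temp: not flagged by this check
    r"C:\Program Files\Vendor\OPCServer.txt",   # no two-digit index: not flagged
]

if __name__ == "__main__":
    for path, reason in find_havex_opc_artifacts(SAMPLE_LISTING):
        print(f"{path}: {reason}")
```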

Fortinet detects this threat as W32/Havex.A!tr.

Thanks to Kyle Yang and CryptoGirl for their help with the analysis.
