win.havex_rat

Havex RAT

Actor(s): Energetic Bear


Havex is a remote access trojan (RAT) discovered in 2013 as part of a widespread espionage campaign targeting industrial control systems (ICS) used across numerous industries. The campaign is attributed to a group referred to as "Dragonfly" or "Energetic Bear". Havex is estimated to have impacted thousands of infrastructure sites, the majority located in Europe and the United States. Within the energy sector, Havex specifically targeted energy grid operators, major electricity generation firms, petroleum pipeline operators, and industrial equipment providers. Havex also impacted organizations in the aviation, defense, pharmaceutical, and petrochemical industries.

Once installed, Havex scanned the infected system's network to locate any Supervisory Control and Data Acquisition (SCADA) or ICS devices and sent the results back to its command and control servers. To do so, the malware leveraged the Open Platform Communications (OPC) standard, a universal communication protocol used by ICS components across many industries that facilitates open connectivity and interoperability between vendor equipment. Havex used the Distributed Component Object Model (DCOM) to connect to OPC servers inside an ICS network and collect information such as CLSID, server name, Program ID, OPC version, vendor information, running state, group count, and server bandwidth.

Havex was an intelligence-collection tool used for espionage and not for the disruption or destruction of industrial systems. However, the data collected by Havex would have aided efforts to design and develop attacks against specific targets or industries.

References

2021-06-24, Gigamon, Joe Slowik: "The Baffling Berserk Bear: A Decade's Activity targeting Critical Infrastructure"
    https://vblocalhost.com/uploads/VB2021-Slowik.pdf (retrieved 2021-10-26)
    Families: Havex RAT, Heriplor, Karagany

2020-12-21, IronNet, Adam Hlavek and Kimberly Ortiz: "Russian cyber attack campaigns and actors"
    https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors (retrieved 2021-01-05)
    Families: WellMail, elf.wellmess, Agent.BTZ, BlackEnergy, EternalPetya, Havex RAT, Industroyer, Ryuk, Triton, WellMess

2020-11-04, Stranded on Pylos Blog, Joe Slowik: "The Enigmatic Energetic Bear"
    https://pylos.co/2020/11/04/the-enigmatic-energetic-bear/ (retrieved 2020-11-06)
    Families: EternalPetya, Havex RAT

2020, SecurityWeek, SecureWorks: "IRON LIBERTY"
    https://www.secureworks.com/research/threat-profiles/iron-liberty (retrieved 2020-05-23)
    Families: Havex RAT, Karagany

2014-06-23, F-Secure, Daavid: "Havex Hunts For ICS/SCADA Systems"
    https://www.f-secure.com/weblog/archives/00002718.html (retrieved 2020-01-09)
    Families: Havex RAT
Yara Rules
[TLP:WHITE] win_havex_rat_auto (20211008 | Detects win.havex_rat.)
rule win_havex_rat_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-10-07"
        version = "1"
        description = "Detects win.havex_rat."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.havex_rat"
        malpedia_rule_date = "20211007"
        malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535"
        malpedia_version = "20211008"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8d4804 e9???????? c3 55 8bec 51 56 }
            // n = 7, score = 100
            //   8d4804               | lea                 ecx, dword ptr [eax + 4]
            //   e9????????           |                     
            //   c3                   | ret                 
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   51                   | push                ecx
            //   56                   | push                esi

        $sequence_1 = { 8b4610 2b460c 6a1c 99 59 f7f9 85c0 }
            // n = 7, score = 100
            //   8b4610               | mov                 eax, dword ptr [esi + 0x10]
            //   2b460c               | sub                 eax, dword ptr [esi + 0xc]
            //   6a1c                 | push                0x1c
            //   99                   | cdq                 
            //   59                   | pop                 ecx
            //   f7f9                 | idiv                ecx
            //   85c0                 | test                eax, eax

        $sequence_2 = { 6a01 8d8dac000000 e8???????? 8d4d00 e8???????? 53 6a01 }
            // n = 7, score = 100
            //   6a01                 | push                1
            //   8d8dac000000         | lea                 ecx, dword ptr [ebp + 0xac]
            //   e8????????           |                     
            //   8d4d00               | lea                 ecx, dword ptr [ebp]
            //   e8????????           |                     
            //   53                   | push                ebx
            //   6a01                 | push                1

        $sequence_3 = { 8b750c 8bd8 e8???????? 8b7510 8945ec e8???????? 8b7514 }
            // n = 7, score = 100
            //   8b750c               | mov                 esi, dword ptr [ebp + 0xc]
            //   8bd8                 | mov                 ebx, eax
            //   e8????????           |                     
            //   8b7510               | mov                 esi, dword ptr [ebp + 0x10]
            //   8945ec               | mov                 dword ptr [ebp - 0x14], eax
            //   e8????????           |                     
            //   8b7514               | mov                 esi, dword ptr [ebp + 0x14]

        $sequence_4 = { e8???????? 8db718010000 e8???????? 8d75e8 e8???????? eba0 8d45cc }
            // n = 7, score = 100
            //   e8????????           |                     
            //   8db718010000         | lea                 esi, dword ptr [edi + 0x118]
            //   e8????????           |                     
            //   8d75e8               | lea                 esi, dword ptr [ebp - 0x18]
            //   e8????????           |                     
            //   eba0                 | jmp                 0xffffffa2
            //   8d45cc               | lea                 eax, dword ptr [ebp - 0x34]

        $sequence_5 = { 8975d0 895df0 e8???????? 33ff 895dfc 47 68???????? }
            // n = 7, score = 100
            //   8975d0               | mov                 dword ptr [ebp - 0x30], esi
            //   895df0               | mov                 dword ptr [ebp - 0x10], ebx
            //   e8????????           |                     
            //   33ff                 | xor                 edi, edi
            //   895dfc               | mov                 dword ptr [ebp - 4], ebx
            //   47                   | inc                 edi
            //   68????????           |                     

        $sequence_6 = { 83c040 50 e8???????? 33ff 83c410 397dd0 7e20 }
            // n = 7, score = 100
            //   83c040               | add                 eax, 0x40
            //   50                   | push                eax
            //   e8????????           |                     
            //   33ff                 | xor                 edi, edi
            //   83c410               | add                 esp, 0x10
            //   397dd0               | cmp                 dword ptr [ebp - 0x30], edi
            //   7e20                 | jle                 0x22

        $sequence_7 = { eb38 7336 8d75e8 e8???????? 8b5f0c 8d75e0 e8???????? }
            // n = 7, score = 100
            //   eb38                 | jmp                 0x3a
            //   7336                 | jae                 0x38
            //   8d75e8               | lea                 esi, dword ptr [ebp - 0x18]
            //   e8????????           |                     
            //   8b5f0c               | mov                 ebx, dword ptr [edi + 0xc]
            //   8d75e0               | lea                 esi, dword ptr [ebp - 0x20]
            //   e8????????           |                     

        $sequence_8 = { eb30 3d58020000 7d09 c745d003000000 eb20 3db0040000 }
            // n = 6, score = 100
            //   eb30                 | jmp                 0x32
            //   3d58020000           | cmp                 eax, 0x258
            //   7d09                 | jge                 0xb
            //   c745d003000000       | mov                 dword ptr [ebp - 0x30], 3
            //   eb20                 | jmp                 0x22
            //   3db0040000           | cmp                 eax, 0x4b0

        $sequence_9 = { 894628 8b4f2c 33d2 894e2c 6aff 8d4e30 8d4730 }
            // n = 7, score = 100
            //   894628               | mov                 dword ptr [esi + 0x28], eax
            //   8b4f2c               | mov                 ecx, dword ptr [edi + 0x2c]
            //   33d2                 | xor                 edx, edx
            //   894e2c               | mov                 dword ptr [esi + 0x2c], ecx
            //   6aff                 | push                -1
            //   8d4e30               | lea                 ecx, dword ptr [esi + 0x30]
            //   8d4730               | lea                 eax, dword ptr [edi + 0x30]

    condition:
        7 of them and filesize < 892928
}
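The rule above is auto-generated: each $sequence_N is a run of x86 opcode bytes with the call and jump displacements masked out as "??" wildcards, and the condition fires when at least 7 of the 10 sequences occur in a file smaller than 892928 bytes. The following is an added example, not Malpedia's or YARA-Signator's code, that re-implements exactly that matching logic in plain Python so the mechanics of the rule can be inspected without a YARA engine. It copies the ten hex strings from the rule, translates "??" into a one-byte regex wildcard, and evaluates the "7 of them and filesize" condition over constructed sample buffers (the sample bytes, the NOP padding, and the helper names are all assumptions made for the example).

```python
import re

# Hex strings copied from the win_havex_rat_auto rule above; "??" is a
# one-byte wildcard standing in for a masked call/jump displacement.
HAVEX_SEQUENCES = {
    "sequence_0": "8d4804 e9???????? c3 55 8bec 51 56",
    "sequence_1": "8b4610 2b460c 6a1c 99 59 f7f9 85c0",
    "sequence_2": "6a01 8d8dac000000 e8???????? 8d4d00 e8???????? 53 6a01",
    "sequence_3": "8b750c 8bd8 e8???????? 8b7510 8945ec e8???????? 8b7514",
    "sequence_4": "e8???????? 8db718010000 e8???????? 8d75e8 e8???????? eba0 8d45cc",
    "sequence_5": "8975d0 895df0 e8???????? 33ff 895dfc 47 68????????",
    "sequence_6": "83c040 50 e8???????? 33ff 83c410 397dd0 7e20",
    "sequence_7": "eb38 7336 8d75e8 e8???????? 8b5f0c 8d75e0 e8????????",
    "sequence_8": "eb30 3d58020000 7d09 c745d003000000 eb20 3db0040000",
    "sequence_9": "894628 8b4f2c 33d2 894e2c 6aff 8d4e30 8d4730",
}
MIN_SEQUENCES = 7       # condition: "7 of them"
MAX_FILESIZE = 892928   # condition: "filesize < 892928"


def hex_pattern_to_regex(hex_string):
    """Translate a YARA hex string (literal bytes plus ?? wildcards) into a
    compiled bytes regex. Only whole-byte wildcards are handled, which is
    all this particular rule uses (no jumps, no nibble wildcards)."""
    compact = hex_string.replace(" ", "")
    if len(compact) % 2:
        raise ValueError("hex string has an odd number of nibbles")
    pieces = []
    for i in range(0, len(compact), 2):
        pair = compact[i:i + 2]
        if pair == "??":
            pieces.append(b".")                        # any single byte
        elif "?" in pair:
            raise ValueError("nibble wildcards are not supported here")
        else:
            pieces.append(b"\\x%02x" % int(pair, 16))  # one literal byte
    return re.compile(b"".join(pieces), re.DOTALL)


COMPILED = {name: hex_pattern_to_regex(h) for name, h in HAVEX_SEQUENCES.items()}


def matching_sequences(data):
    """Names of the rule's strings that occur anywhere in data."""
    return [name for name, rx in COMPILED.items() if rx.search(data)]


def rule_matches(data):
    """Evaluate the rule condition: 7 of them and filesize < 892928."""
    if len(data) >= MAX_FILESIZE:
        return False
    return len(matching_sequences(data)) >= MIN_SEQUENCES


def instantiate(hex_string, fill=0x41):
    """Concrete bytes for one pattern with every ?? replaced by `fill`.
    Used only to build constructed test buffers for this example."""
    compact = hex_string.replace(" ", "")
    return bytes(fill if compact[i:i + 2] == "??" else int(compact[i:i + 2], 16)
                 for i in range(0, len(compact), 2))


def build_sample(names, fill=0x41):
    """Constructed buffer (not a real Havex sample): the chosen sequences
    separated by NOP padding, the way they might sit in a code section."""
    padding = b"\x90" * 16
    body = padding.join(instantiate(HAVEX_SEQUENCES[n], fill) for n in names)
    return padding + body + padding


if __name__ == "__main__":
    seven = build_sample(["sequence_%d" % i for i in range(7)])
    print("7 sequences present:", rule_matches(seven))   # True
    six = build_sample(["sequence_%d" % i for i in range(6)])
    print("6 sequences present:", rule_matches(six))     # False
    # Different displacement bytes still match because of the wildcards.
    print(matching_sequences(build_sample(["sequence_0"], fill=0x00)))
```

This models only the subset of YARA hex-string syntax that win_havex_rat_auto uses and runs on Python's regex engine rather than YARA's; for real scanning use yara or yara-python with the rule itself. The wildcard handling is the point to notice: because the relocation-dependent displacements are masked, the same sequence matches across samples even when the target addresses differ, which is what lets a rule derived from single samples generalize somewhat.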