win.havex_rat

Havex RAT

Actor(s): Energetic Bear


Havex is a remote access trojan (RAT) that was discovered in 2013 as part of a widespread espionage campaign targeting industrial control systems (ICS) used across numerous industries; the campaign is attributed to a hacking group referred to as "Dragonfly" or "Energetic Bear". Havex is estimated to have impacted thousands of infrastructure sites, the majority of which were located in Europe and the United States. Within the energy sector, Havex specifically targeted energy grid operators, major electricity generation firms, petroleum pipeline operators, and industrial equipment providers. Havex also impacted organizations in the aviation, defense, pharmaceutical, and petrochemical industries.

Once installed, Havex scanned the infected system's network to locate any Supervisory Control and Data Acquisition (SCADA) or ICS devices and sent the collected data back to its command and control servers. To do so, the malware leveraged the Open Platform Communications (OPC) standard, a universal communication protocol used by ICS components across many industries that facilitates open connectivity and interoperability between vendors' equipment. Havex used the Distributed Component Object Model (DCOM) to connect to OPC servers inside an ICS network and collect information such as CLSID, server name, Program ID, OPC version, vendor information, running state, group count, and server bandwidth.
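The discovery behaviour described above has a recognisable network shape: classic OPC runs over DCOM, and every DCOM activation begins with a connection to the RPC endpoint mapper on TCP/135, so a single workstation contacting many hosts on that port in a short window is worth hunting for. The following Python script is an added illustration of that heuristic, not Malpedia's or any vendor's detection logic; the flow-record format, the five-minute window and the threshold of five distinct targets are assumptions chosen here, and the flow lines are constructed, not captured traffic.

```python
"""Hunting heuristic for OPC/DCOM server discovery: one source opening
DCOM connections (RPC endpoint mapper, TCP/135) to many hosts in a short
window.  Added illustration; log format, window and threshold are assumed."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed flow records "timestamp src dst dport" (not captured traffic).
# 10.1.1.20 fans out to seven hosts in four seconds; 10.1.1.30 behaves normally.
SAMPLE_FLOWS = """\
2014-06-23T10:00:01 10.1.1.20 10.1.1.50 135
2014-06-23T10:00:02 10.1.1.20 10.1.1.51 135
2014-06-23T10:00:02 10.1.1.20 10.1.1.52 135
2014-06-23T10:00:03 10.1.1.20 10.1.1.53 135
2014-06-23T10:00:03 10.1.1.20 10.1.1.54 135
2014-06-23T10:00:04 10.1.1.20 10.1.1.55 135
2014-06-23T10:00:05 10.1.1.20 10.1.1.56 135
2014-06-23T10:00:10 10.1.1.30 10.1.1.50 135
2014-06-23T10:00:11 10.1.1.30 10.1.1.50 445
2014-06-23T11:30:00 10.1.1.30 10.1.1.51 135
"""


def parse_flows(text):
    """Parse the constructed format into (datetime, src, dst, port) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return flows


def dcom_fanout(flows, window=timedelta(minutes=5), threshold=5):
    """Return {src: peak_distinct_targets} for every source that contacted
    at least `threshold` distinct hosts on TCP/135 within any `window`."""
    per_src = defaultdict(list)
    for ts, src, dst, port in flows:
        if port == 135:                       # RPC endpoint mapper (DCOM)
            per_src[src].append((ts, dst))
    alerts = {}
    for src, events in per_src.items():
        events.sort()
        in_window = Counter()                 # distinct targets inside the window
        left, peak = 0, 0
        for ts, dst in events:
            in_window[dst] += 1
            while ts - events[left][0] > window:   # slide the window's left edge
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            alerts[src] = peak
    return alerts


if __name__ == "__main__":
    print(dcom_fanout(parse_flows(SAMPLE_FLOWS)))  # {'10.1.1.20': 7}
```

Legitimate OPC clients and HMIs also talk DCOM, so the threshold has to be set against a baseline of which hosts normally act as OPC clients on a given segment; the value of the heuristic lies in a host that has never done so suddenly enumerating many servers.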

Havex was an intelligence-collection tool used for espionage and not for the disruption or destruction of industrial systems. However, the data collected by Havex would have aided efforts to design and develop attacks against specific targets or industries.

References

2020-12-21, IronNet, Adam Hlavek and Kimberly Ortiz: "Russian cyber attack campaigns and actors", https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors (retrieved 2021-01-05). Families covered: WellMail, elf.wellmess, Agent.BTZ, BlackEnergy, EternalPetya, Havex RAT, Industroyer, Ryuk, Triton, WellMess.

2020-11-04, Stranded on Pylos Blog, Joe Slowik: "The Enigmatic Energetic Bear", https://pylos.co/2020/11/04/the-enigmatic-energetic-bear/ (retrieved 2020-11-06). Families covered: EternalPetya, Havex RAT.

2020, SecurityWeek, SecureWorks: "IRON LIBERTY", https://www.secureworks.com/research/threat-profiles/iron-liberty (retrieved 2020-05-23). Families covered: Havex RAT, Karagany.

2014-06-23, F-Secure, Daavid: "Havex Hunts For ICS/SCADA Systems", https://www.f-secure.com/weblog/archives/00002718.html (retrieved 2020-01-09). Families covered: Havex RAT.
Yara Rules
[TLP:WHITE] win_havex_rat_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_havex_rat_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.havex_rat"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 50 8d5d88 8975fc e8???????? 59 57 }
            // n = 6, score = 100
            //   50                   | push                eax
            //   8d5d88               | lea                 ebx, [ebp - 0x78]
            //   8975fc               | mov                 dword ptr [ebp - 4], esi
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   57                   | push                edi

        $sequence_1 = { 03f8 0fb74514 c1e902 03f9 8b4d08 8d8407d382ffff 8901 }
            // n = 7, score = 100
            //   03f8                 | add                 edi, eax
            //   0fb74514             | movzx               eax, word ptr [ebp + 0x14]
            //   c1e902               | shr                 ecx, 2
            //   03f9                 | add                 edi, ecx
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   8d8407d382ffff       | lea                 eax, [edi + eax - 0x7d2d]
            //   8901                 | mov                 dword ptr [ecx], eax

        $sequence_2 = { c7463c5c1c0510 8bc6 5e c20400 56 8bf1 e8???????? }
            // n = 7, score = 100
            //   c7463c5c1c0510       | mov                 dword ptr [esi + 0x3c], 0x10051c5c
            //   8bc6                 | mov                 eax, esi
            //   5e                   | pop                 esi
            //   c20400               | ret                 4
            //   56                   | push                esi
            //   8bf1                 | mov                 esi, ecx
            //   e8????????           |                     

        $sequence_3 = { e8???????? 3918 7427 e8???????? 8b10 51 }
            // n = 6, score = 100
            //   e8????????           |                     
            //   3918                 | cmp                 dword ptr [eax], ebx
            //   7427                 | je                  0x29
            //   e8????????           |                     
            //   8b10                 | mov                 edx, dword ptr [eax]
            //   51                   | push                ecx

        $sequence_4 = { 33c0 8d7b40 8bca f3ab 6a0f 8955f0 beff0f0000 }
            // n = 7, score = 100
            //   33c0                 | xor                 eax, eax
            //   8d7b40               | lea                 edi, [ebx + 0x40]
            //   8bca                 | mov                 ecx, edx
            //   f3ab                 | rep stosd           dword ptr es:[edi], eax
            //   6a0f                 | push                0xf
            //   8955f0               | mov                 dword ptr [ebp - 0x10], edx
            //   beff0f0000           | mov                 esi, 0xfff

        $sequence_5 = { c22000 8b4610 2b460c 6a1c 99 59 f7f9 }
            // n = 7, score = 100
            //   c22000               | ret                 0x20
            //   8b4610               | mov                 eax, dword ptr [esi + 0x10]
            //   2b460c               | sub                 eax, dword ptr [esi + 0xc]
            //   6a1c                 | push                0x1c
            //   99                   | cdq                 
            //   59                   | pop                 ecx
            //   f7f9                 | idiv                ecx

        $sequence_6 = { e8???????? 59 89442420 c684245801000006 3bc3 7418 8d8c2410010000 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   89442420             | mov                 dword ptr [esp + 0x20], eax
            //   c684245801000006     | mov                 byte ptr [esp + 0x158], 6
            //   3bc3                 | cmp                 eax, ebx
            //   7418                 | je                  0x1a
            //   8d8c2410010000       | lea                 ecx, [esp + 0x110]

        $sequence_7 = { e8???????? 8b06 8d4c2418 51 8d542418 52 8d8c24c0000000 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   8b06                 | mov                 eax, dword ptr [esi]
            //   8d4c2418             | lea                 ecx, [esp + 0x18]
            //   51                   | push                ecx
            //   8d542418             | lea                 edx, [esp + 0x18]
            //   52                   | push                edx
            //   8d8c24c0000000       | lea                 ecx, [esp + 0xc0]

        $sequence_8 = { 33c0 8b00 8b4d2c 8b7524 8945f0 8b4520 8945f8 }
            // n = 7, score = 100
            //   33c0                 | xor                 eax, eax
            //   8b00                 | mov                 eax, dword ptr [eax]
            //   8b4d2c               | mov                 ecx, dword ptr [ebp + 0x2c]
            //   8b7524               | mov                 esi, dword ptr [ebp + 0x24]
            //   8945f0               | mov                 dword ptr [ebp - 0x10], eax
            //   8b4520               | mov                 eax, dword ptr [ebp + 0x20]
            //   8945f8               | mov                 dword ptr [ebp - 8], eax

        $sequence_9 = { 8d4594 50 e8???????? be2c020000 56 6a00 57 }
            // n = 7, score = 100
            //   8d4594               | lea                 eax, [ebp - 0x6c]
            //   50                   | push                eax
            //   e8????????           |                     
            //   be2c020000           | mov                 esi, 0x22c
            //   56                   | push                esi
            //   6a00                 | push                0
            //   57                   | push                edi

    condition:
        7 of them and filesize < 892928
}