win.havex_rat

Havex RAT

Actor(s): Energetic Bear


Havex is a remote access trojan (RAT) that was discovered in 2013 as part of a widespread espionage campaign targeting industrial control systems (ICS) used across numerous industries and attributed to a hacking group referred to as "Dragonfly" and "Energetic Bear". Havex is estimated to have impacted thousands of infrastructure sites, a majority of which were located in Europe and the United States. Within the energy sector, Havex specifically targeted energy grid operators, major electricity generation firms, petroleum pipeline operators, and industrial equipment providers. Havex also impacted organizations in the aviation, defense, pharmaceutical, and petrochemical industries.

Once installed, Havex scanned the infected system to locate any Supervisory Control and Data Acquisition (SCADA) or ICS devices on the network and sent the data back to command and control servers. To do so, the malware leveraged the Open Platform Communications (OPC) standard, a universal communication protocol used by ICS components across many industries that facilitates open connectivity and interoperability between vendors' equipment. Havex used the Distributed Component Object Model (DCOM) to connect to OPC servers inside an ICS network and collect information such as CLSID, server name, Program ID, OPC version, vendor information, running state, group count, and server bandwidth.

Havex was an intelligence-collection tool used for espionage and not for the disruption or destruction of industrial systems. However, the data collected by Havex would have aided efforts to design and develop attacks against specific targets or industries.

References
2022-03-24, US-CERT (CISA): Alert (AA22-083A) Tactics, Techniques, and Procedures of Indicted State-Sponsored Russian Cyber Actors Targeting the Energy Sector. https://www.cisa.gov/uscert/ncas/alerts/aa22-083a (accessed 2022-03-25). Families: Havex RAT, Triton
2021-06-24, Joe Slowik (Gigamon): The Baffling Berserk Bear: A Decade's Activity targeting Critical Infrastructure. https://vblocalhost.com/uploads/VB2021-Slowik.pdf (accessed 2021-10-26). Families: Havex RAT, Heriplor, Karagany
2020-12-21, Adam Hlavek and Kimberly Ortiz (IronNet): Russian cyber attack campaigns and actors. https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors (accessed 2021-01-05). Families: WellMail, elf.wellmess, Agent.BTZ, BlackEnergy, EternalPetya, Havex RAT, Industroyer, Ryuk, Triton, WellMess
2020-11-04, Joe Slowik (Stranded on Pylos Blog): The Enigmatic Energetic Bear. https://pylos.co/2020/11/04/the-enigmatic-energetic-bear/ (accessed 2020-11-06). Families: EternalPetya, Havex RAT
2020, SecureWorks (SecurityWeek): IRON LIBERTY. https://www.secureworks.com/research/threat-profiles/iron-liberty (accessed 2020-05-23). Families: Havex RAT, Karagany
2014-06-23, Daavid (F-Secure): Havex Hunts For ICS/SCADA Systems. https://www.f-secure.com/weblog/archives/00002718.html (accessed 2020-01-09). Families: Havex RAT
Yara Rules
[TLP:WHITE] win_havex_rat_auto (20221125 | Detects win.havex_rat.)
rule win_havex_rat_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-11-21"
        version = "1"
        description = "Detects win.havex_rat."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.havex_rat"
        malpedia_rule_date = "20221118"
        malpedia_hash = "e0702e2e6d1d00da65c8a29a4ebacd0a4c59e1af"
        malpedia_version = "20221125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 7516 68???????? 8d4dd4 e8???????? c745fc01000000 eb9e 3bf8 }
            // n = 7, score = 100
            //   7516                 | jne                 0x18
            //   68????????           |                     
            //   8d4dd4               | lea                 ecx, [ebp - 0x2c]
            //   e8????????           |                     
            //   c745fc01000000       | mov                 dword ptr [ebp - 4], 1
            //   eb9e                 | jmp                 0xffffffa0
            //   3bf8                 | cmp                 edi, eax

        $sequence_1 = { 5f 5e c9 c20c00 83601400 83601000 c70001234567 }
            // n = 7, score = 100
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   c9                   | leave               
            //   c20c00               | ret                 0xc
            //   83601400             | and                 dword ptr [eax + 0x14], 0
            //   83601000             | and                 dword ptr [eax + 0x10], 0
            //   c70001234567         | mov                 dword ptr [eax], 0x67452301

        $sequence_2 = { b301 3ac3 7409 e8???????? eba5 32db 6a00 }
            // n = 7, score = 100
            //   b301                 | mov                 bl, 1
            //   3ac3                 | cmp                 al, bl
            //   7409                 | je                  0xb
            //   e8????????           |                     
            //   eba5                 | jmp                 0xffffffa7
            //   32db                 | xor                 bl, bl
            //   6a00                 | push                0

        $sequence_3 = { c20400 51 83242400 53 83c00c }
            // n = 5, score = 100
            //   c20400               | ret                 4
            //   51                   | push                ecx
            //   83242400             | and                 dword ptr [esp], 0
            //   53                   | push                ebx
            //   83c00c               | add                 eax, 0xc

        $sequence_4 = { ff7598 8bf7 e8???????? 50 8d85e8feffff 50 }
            // n = 6, score = 100
            //   ff7598               | push                dword ptr [ebp - 0x68]
            //   8bf7                 | mov                 esi, edi
            //   e8????????           |                     
            //   50                   | push                eax
            //   8d85e8feffff         | lea                 eax, [ebp - 0x118]
            //   50                   | push                eax

        $sequence_5 = { e8???????? c3 6a1c b8???????? e8???????? 8b450c 83781810 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   c3                   | ret                 
            //   6a1c                 | push                0x1c
            //   b8????????           |                     
            //   e8????????           |                     
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   83781810             | cmp                 dword ptr [eax + 0x18], 0x10

        $sequence_6 = { 89b5ecf7ffff e8???????? 83c40c 8d85ecf7ffff 50 8d85f0f7ffff 50 }
            // n = 7, score = 100
            //   89b5ecf7ffff         | mov                 dword ptr [ebp - 0x814], esi
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   8d85ecf7ffff         | lea                 eax, [ebp - 0x814]
            //   50                   | push                eax
            //   8d85f0f7ffff         | lea                 eax, [ebp - 0x810]
            //   50                   | push                eax

        $sequence_7 = { 8d4dd4 e8???????? 8b45c0 e8???????? c3 8bff 55 }
            // n = 7, score = 100
            //   8d4dd4               | lea                 ecx, [ebp - 0x2c]
            //   e8????????           |                     
            //   8b45c0               | mov                 eax, dword ptr [ebp - 0x40]
            //   e8????????           |                     
            //   c3                   | ret                 
            //   8bff                 | mov                 edi, edi
            //   55                   | push                ebp

        $sequence_8 = { 8b03 83780400 0f8410030000 8b30 0fb636 8b531c 83432008 }
            // n = 7, score = 100
            //   8b03                 | mov                 eax, dword ptr [ebx]
            //   83780400             | cmp                 dword ptr [eax + 4], 0
            //   0f8410030000         | je                  0x316
            //   8b30                 | mov                 esi, dword ptr [eax]
            //   0fb636               | movzx               esi, byte ptr [esi]
            //   8b531c               | mov                 edx, dword ptr [ebx + 0x1c]
            //   83432008             | add                 dword ptr [ebx + 0x20], 8

        $sequence_9 = { ff4dd8 75e2 8b8674020000 85c0 7f0a 68b90b0000 e8???????? }
            // n = 7, score = 100
            //   ff4dd8               | dec                 dword ptr [ebp - 0x28]
            //   75e2                 | jne                 0xffffffe4
            //   8b8674020000         | mov                 eax, dword ptr [esi + 0x274]
            //   85c0                 | test                eax, eax
            //   7f0a                 | jg                  0xc
            //   68b90b0000           | push                0xbb9
            //   e8????????           |                     

    condition:
        7 of them and filesize < 892928
}
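As an added example (not part of the Malpedia page, yara-signator, or YARA itself), the following Python reimplements the wildcard hex-string matching and the "7 of them and filesize < 892928" condition the rule above depends on, so an analyst can see how the `??` bytes and the sequence count behave on a constructed buffer. The sequence subset is copied from the rule; the sample bytes are constructed and are not a Havex sample.

```python
import re

# Subset of the $sequence_* strings from win_havex_rat_auto above.
# "??" is a wildcard byte: the rule leaves call/jump targets unspecified
# because they change with every build and link address.
HAVEX_SEQUENCES = {
    "sequence_1": "5f 5e c9 c20c00 83601400 83601000 c70001234567",
    "sequence_3": "c20400 51 83242400 53 83c00c",
    "sequence_5": "e8???????? c3 6a1c b8???????? e8???????? 8b450c 83781810",
    "sequence_8": "8b03 83780400 0f8410030000 8b30 0fb636 8b531c 83432008",
}
MAX_FILESIZE = 892928  # taken from the rule's condition


def hex_pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate a YARA-style hex string with ?? wildcards into a bytes regex."""
    hexstr = pattern.replace(" ", "")
    if len(hexstr) % 2:
        raise ValueError("odd-length hex pattern")
    parts = []
    for i in range(0, len(hexstr), 2):
        pair = hexstr[i:i + 2]
        if pair == "??":
            parts.append(b".")            # any single byte
        elif "?" in pair:
            raise ValueError("nibble wildcards not handled: " + pair)
        else:
            parts.append(re.escape(bytes([int(pair, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


def matching_sequences(data: bytes, sequences=HAVEX_SEQUENCES) -> list:
    """Names of the sequences found anywhere in data, in rule order."""
    return [name for name, pat in sequences.items()
            if hex_pattern_to_regex(pat).search(data)]


def rule_fires(data: bytes, threshold: int = 7) -> bool:
    """Mirror the condition: at least `threshold` sequences and size under the cap."""
    return len(matching_sequences(data)) >= threshold and len(data) < MAX_FILESIZE


# Constructed buffer: sequence_1 verbatim, then sequence_5 with arbitrary
# bytes filled into its wildcard slots. Note that 0x67452301 in sequence_1 is
# the MD5 initial state constant A, so that sequence alone is a weak indicator;
# the rule compensates by requiring 7 of its 10 sequences to co-occur.
SAMPLE = (
    b"\x90" * 16
    + bytes.fromhex("5f5ec9c20c008360140083601000c70001234567")
    + b"\xcc" * 8
    + bytes.fromhex("e811223344c36a1cb8aabbccdde8deadbeef8b450c83781810")
    + b"\x90" * 16
)
```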