win.havex_rat

Havex RAT

Actor(s): Energetic Bear


Havex is a remote access trojan (RAT) first identified in 2013 as part of a widespread espionage campaign against industrial control systems (ICS) across many industries; the campaign is attributed to the group tracked as "Dragonfly" and "Energetic Bear". Havex is estimated to have affected thousands of infrastructure sites, most of them in Europe and the United States. Within the energy sector it was aimed at grid operators, major electricity generation firms, petroleum pipeline operators and industrial equipment suppliers; organizations in the aviation, defense, pharmaceutical and petrochemical industries were also affected.

Once installed, Havex scanned the compromised network for Supervisory Control and Data Acquisition (SCADA) and other ICS devices and sent what it found back to its command-and-control servers. The scanning module targeted OPC (originally OLE for Process Control, now Open Platform Communications), a vendor-neutral interface standard used across many industries to exchange process data between ICS components from different manufacturers. It first enumerated reachable hosts and shared resources through the Windows networking (WNet) API; then, because classic OPC is built on Microsoft COM and OPC servers are reached across the network through DCOM, it connected over DCOM to every OPC server it could find inside the ICS network and recorded each server's CLSID, server name, Program ID (ProgID), OPC version, vendor information, running state, group count and server bandwidth.
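
Havex's OPC discovery leaves a distinctive network footprint: one host sends DCOM activation requests (TCP/135) to many hosts in a short time, whereas a legitimate OPC client talks to one or two fixed servers. The Python below is an added example, not code from this page or from any of the analyses it lists, that hunts for that fan-out in Zeek dce_rpc.log records. It assumes Zeek's tab-separated dce_rpc.log column order and the endpoint labels IRemoteSCMActivator / ISystemActivator with operations RemoteCreateInstance / RemoteGetClassObject for DCOM activation; the sample rows, addresses, window length and threshold are constructed for illustration.

```python
"""Hunt for Havex-style OPC/DCOM enumeration in Zeek dce_rpc.log records.

Added example, not part of the Malpedia page or the Havex analyses it cites.
Classic OPC is built on COM, so enumerating OPC servers across a network means
sending DCOM activation requests to many hosts. This script flags a source that
activates DCOM objects on many distinct hosts within a short window. The log
layout follows Zeek's dce_rpc.log; all sample rows below are constructed.
"""
from collections import defaultdict

# How Zeek labels DCOM activation in dce_rpc.log (assumed labels; adjust to your sensor).
DCOM_ACTIVATION_ENDPOINTS = {"IRemoteSCMActivator", "ISystemActivator"}
DCOM_ACTIVATION_OPS = {"RemoteCreateInstance", "RemoteGetClassObject"}

WINDOW_SECONDS = 600        # fan-out must occur inside 10 minutes (tunable assumption)
MIN_DISTINCT_TARGETS = 5    # distinct DCOM targets per source before alerting (assumption)

# Zeek dce_rpc.log column order as given by its #fields header.
FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
          "rtt", "named_pipe", "endpoint", "operation"]


def parse_dce_rpc_log(text):
    """Yield one dict per record, skipping Zeek '#' header lines and blanks."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        cols = line.split("\t")
        if len(cols) >= len(FIELDS):
            yield dict(zip(FIELDS, cols))


def is_dcom_activation(rec):
    """True for the remote object activation calls an OPC enumerator must make."""
    return (rec["endpoint"] in DCOM_ACTIVATION_ENDPOINTS
            and rec["operation"] in DCOM_ACTIVATION_OPS)


def detect_dcom_fanout(text, window=WINDOW_SECONDS,
                       min_targets=MIN_DISTINCT_TARGETS, allowlist=()):
    """Return one alert per source whose DCOM activations reached at least
    `min_targets` distinct hosts within some `window`-second span."""
    per_source = defaultdict(list)               # src -> [(ts, dst), ...]
    for rec in parse_dce_rpc_log(text):
        if is_dcom_activation(rec) and rec["id.orig_h"] not in allowlist:
            per_source[rec["id.orig_h"]].append((float(rec["ts"]), rec["id.resp_h"]))

    alerts = []
    for src, events in per_source.items():
        events.sort()
        in_window = defaultdict(int)             # dst -> hits inside the current window
        left, best = 0, None
        for ts, dst in events:
            in_window[dst] += 1
            while ts - events[left][0] > window:  # slide the window's left edge forward
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            if len(in_window) >= min_targets and (best is None or len(in_window) > best[0]):
                best = (len(in_window), events[left][0], ts)
        if best:
            alerts.append({"src": src, "distinct_targets": best[0],
                           "first_ts": best[1], "last_ts": best[2]})
    return alerts


# Constructed sample: 192.0.2.10 walks six hosts in about 90 s (Havex-like);
# 192.0.2.50 is an HMI polling one OPC server; the srvsvc row is not DCOM.
_SAMPLE_ROWS = [
    ("1403532000.00", "192.0.2.10", "192.0.2.99", "IRemoteSCMActivator", "RemoteCreateInstance"),
    ("1403539200.10", "192.0.2.10", "192.0.2.21", "IRemoteSCMActivator", "RemoteCreateInstance"),
    ("1403539212.40", "192.0.2.10", "192.0.2.22", "IRemoteSCMActivator", "RemoteCreateInstance"),
    ("1403539225.00", "192.0.2.10", "192.0.2.23", "IRemoteSCMActivator", "RemoteCreateInstance"),
    ("1403539230.00", "192.0.2.10", "192.0.2.30", "srvsvc", "NetrShareEnum"),
    ("1403539241.50", "192.0.2.10", "192.0.2.24", "IRemoteSCMActivator", "RemoteCreateInstance"),
    ("1403539260.00", "192.0.2.10", "192.0.2.25", "ISystemActivator", "RemoteGetClassObject"),
    ("1403539288.00", "192.0.2.10", "192.0.2.26", "IRemoteSCMActivator", "RemoteCreateInstance"),
    ("1403539300.00", "192.0.2.50", "192.0.2.21", "IRemoteSCMActivator", "RemoteCreateInstance"),
    ("1403540200.00", "192.0.2.50", "192.0.2.21", "IRemoteSCMActivator", "RemoteCreateInstance"),
    ("1403541100.00", "192.0.2.50", "192.0.2.21", "IRemoteSCMActivator", "RemoteCreateInstance"),
]
SAMPLE_LOG = "#fields\t" + "\t".join(FIELDS) + "\n" + "\n".join(
    "\t".join((ts, "Cuid%d" % i, src, "49152", dst, "135", "0.001", "-", ep, op))
    for i, (ts, src, dst, ep, op) in enumerate(_SAMPLE_ROWS))

if __name__ == "__main__":
    for a in detect_dcom_fanout(SAMPLE_LOG):
        print("DCOM fan-out from %s: %d hosts between %.0f and %.0f"
              % (a["src"], a["distinct_targets"], a["first_ts"], a["last_ts"]))
```

Running the block reports one alert for 192.0.2.10, which activated DCOM objects on six hosts in about 90 seconds, and nothing for the HMI 192.0.2.50 that repeatedly talks to a single OPC server; the activation to 192.0.2.99 two hours earlier falls outside the window and does not inflate the count. The srvsvc share enumeration row is ignored because it is not DCOM activation, although Havex's WNet-based share walk would appear in exactly that form and can be hunted with the same fan-out logic on a different endpoint set. Tune the threshold to the number of OPC servers a client in your plant legitimately reaches, and allowlist engineering or monitoring hosts that poll every server by design.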

Havex was an intelligence-collection tool: the campaign used it for espionage, not to disrupt or destroy industrial processes. The inventory of OPC servers it gathered, however, is exactly the reconnaissance needed to design and develop attacks tailored to specific targets or industries.

References

2022-03-24 - US-CERT (CISA): Alert (AA22-083A) Tactics, Techniques, and Procedures of Indicted State-Sponsored Russian Cyber Actors Targeting the Energy Sector
https://www.cisa.gov/uscert/ncas/alerts/aa22-083a
Families referenced: Havex RAT, Triton

2021-06-24 - Joe Slowik (Gigamon): The Baffling Berserk Bear: A Decade's Activity targeting Critical Infrastructure
https://vblocalhost.com/uploads/VB2021-Slowik.pdf
Families referenced: Havex RAT, Heriplor, Karagany

2020-12-21 - Adam Hlavek, Kimberly Ortiz (IronNet): Russian cyber attack campaigns and actors
https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors
Families referenced: WellMail, elf.wellmess, Agent.BTZ, BlackEnergy, EternalPetya, Havex RAT, Industroyer, Ryuk, Triton, WellMess

2020-11-04 - Joe Slowik (Stranded on Pylos Blog): The Enigmatic Energetic Bear
https://pylos.co/2020/11/04/the-enigmatic-energetic-bear/
Families referenced: EternalPetya, Havex RAT

2020 - SecureWorks: IRON LIBERTY (threat profile)
https://www.secureworks.com/research/threat-profiles/iron-liberty
Families referenced: Havex RAT, Karagany

2014-06-23 - Daavid (F-Secure): Havex Hunts For ICS/SCADA Systems
https://www.f-secure.com/weblog/archives/00002718.html
Families referenced: Havex RAT
Yara Rules
[TLP:WHITE] win_havex_rat_auto (20220516 | Detects win.havex_rat.)
rule win_havex_rat_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-05-16"
        version = "1"
        description = "Detects win.havex_rat."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.havex_rat"
        malpedia_rule_date = "20220513"
        malpedia_hash = "7f4b2229e6ae614d86d74917f6d5b41890e62a26"
        malpedia_version = "20220516"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8bc3 e8???????? c20400 85c9 7406 8b01 6a01 }
            // n = 7, score = 100
            //   8bc3                 | mov                 eax, ebx
            //   e8????????           |                     
            //   c20400               | ret                 4
            //   85c9                 | test                ecx, ecx
            //   7406                 | je                  8
            //   8b01                 | mov                 eax, dword ptr [ecx]
            //   6a01                 | push                1

        $sequence_1 = { 8bf0 3bf3 742f 68???????? 8d4dc0 e8???????? 8d45c0 }
            // n = 7, score = 100
            //   8bf0                 | mov                 esi, eax
            //   3bf3                 | cmp                 esi, ebx
            //   742f                 | je                  0x31
            //   68????????           |                     
            //   8d4dc0               | lea                 ecx, [ebp - 0x40]
            //   e8????????           |                     
            //   8d45c0               | lea                 eax, [ebp - 0x40]

        $sequence_2 = { 59 40 807b2800 0f840f030000 33d2 3955e8 8dbb48080000 }
            // n = 7, score = 100
            //   59                   | pop                 ecx
            //   40                   | inc                 eax
            //   807b2800             | cmp                 byte ptr [ebx + 0x28], 0
            //   0f840f030000         | je                  0x315
            //   33d2                 | xor                 edx, edx
            //   3955e8               | cmp                 dword ptr [ebp - 0x18], edx
            //   8dbb48080000         | lea                 edi, [ebx + 0x848]

        $sequence_3 = { 8945f0 898640040000 3b45f4 0f8440feffff 0fb645ff 3b463c 0f8598000000 }
            // n = 7, score = 100
            //   8945f0               | mov                 dword ptr [ebp - 0x10], eax
            //   898640040000         | mov                 dword ptr [esi + 0x440], eax
            //   3b45f4               | cmp                 eax, dword ptr [ebp - 0xc]
            //   0f8440feffff         | je                  0xfffffe46
            //   0fb645ff             | movzx               eax, byte ptr [ebp - 1]
            //   3b463c               | cmp                 eax, dword ptr [esi + 0x3c]
            //   0f8598000000         | jne                 0x9e

        $sequence_4 = { 55 8bec 83c8ff 33d2 f7f1 83ec10 83f81c }
            // n = 7, score = 100
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   83c8ff               | or                  eax, 0xffffffff
            //   33d2                 | xor                 edx, edx
            //   f7f1                 | div                 ecx
            //   83ec10               | sub                 esp, 0x10
            //   83f81c               | cmp                 eax, 0x1c

        $sequence_5 = { 837f1808 8b4f14 7205 8b4704 eb03 }
            // n = 5, score = 100
            //   837f1808             | cmp                 dword ptr [edi + 0x18], 8
            //   8b4f14               | mov                 ecx, dword ptr [edi + 0x14]
            //   7205                 | jb                  7
            //   8b4704               | mov                 eax, dword ptr [edi + 4]
            //   eb03                 | jmp                 5

        $sequence_6 = { e8???????? 6a00 6a01 8d4db0 8ad8 e8???????? 8d4dd0 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   6a00                 | push                0
            //   6a01                 | push                1
            //   8d4db0               | lea                 ecx, [ebp - 0x50]
            //   8ad8                 | mov                 bl, al
            //   e8????????           |                     
            //   8d4dd0               | lea                 ecx, [ebp - 0x30]

        $sequence_7 = { 50 e8???????? 83c40c 8365f000 eb7b c743041d000000 eb37 }
            // n = 7, score = 100
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   8365f000             | and                 dword ptr [ebp - 0x10], 0
            //   eb7b                 | jmp                 0x7d
            //   c743041d000000       | mov                 dword ptr [ebx + 4], 0x1d
            //   eb37                 | jmp                 0x39

        $sequence_8 = { 8b4e14 897e38 85c9 751d 8b4e18 8b148db81d0610 }
            // n = 6, score = 100
            //   8b4e14               | mov                 ecx, dword ptr [esi + 0x14]
            //   897e38               | mov                 dword ptr [esi + 0x38], edi
            //   85c9                 | test                ecx, ecx
            //   751d                 | jne                 0x1f
            //   8b4e18               | mov                 ecx, dword ptr [esi + 0x18]
            //   8b148db81d0610       | mov                 edx, dword ptr [ecx*4 + 0x10061db8]

        $sequence_9 = { 50 8d45c4 50 c645fc06 e8???????? 53 }
            // n = 6, score = 100
            //   50                   | push                eax
            //   8d45c4               | lea                 eax, [ebp - 0x3c]
            //   50                   | push                eax
            //   c645fc06             | mov                 byte ptr [ebp - 4], 6
            //   e8????????           |                     
            //   53                   | push                ebx

    condition:
        7 of them and filesize < 892928
}