win.havex_rat

Havex RAT

Actor(s): Energetic Bear


Havex is a remote access trojan (RAT) that was discovered in 2013 as part of a widespread espionage campaign targeting industrial control systems (ICS) used across numerous industries and attributed to a hacking group referred to as "Dragonfly" and "Energetic Bear". Havex is estimated to have impacted thousands of infrastructure sites, a majority of which were located in Europe and the United States. Within the energy sector, Havex specifically targeted energy grid operators, major electricity generation firms, petroleum pipeline operators, and industrial equipment providers. Havex also impacted organizations in the aviation, defense, pharmaceutical, and petrochemical industries.

Once installed, Havex scanned the infected system to locate any Supervisory Control and Data Acquisition (SCADA) or ICS devices on the network and sent the data back to its command and control servers. To do so, the malware leveraged the Open Platform Communications (OPC) standard, a universal communication protocol used by ICS components across many industries that facilitates open connectivity and vendor equipment interoperability. Havex used the Distributed Component Object Model (DCOM) to connect to OPC servers inside an ICS network and collect information such as CLSID, server name, Program ID, OPC version, vendor information, running state, group count, and server bandwidth.

Havex was an intelligence-collection tool used for espionage and not for the disruption or destruction of industrial systems. However, the data collected by Havex would have aided efforts to design and develop attacks against specific targets or industries.

Yara Rules
[TLP:WHITE] win_havex_rat_auto (20230125 | Detects win.havex_rat.)
rule win_havex_rat_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.havex_rat."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.havex_rat"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { c1e704 03fe 038f94c90000 039798c90000 8b7ddc 0fb77c7b5e 897de0 }
            // n = 7, score = 100
            //   c1e704               | shl                 edi, 4
            //   03fe                 | add                 edi, esi
            //   038f94c90000         | add                 ecx, dword ptr [edi + 0xc994]
            //   039798c90000         | add                 edx, dword ptr [edi + 0xc998]
            //   8b7ddc               | mov                 edi, dword ptr [ebp - 0x24]
            //   0fb77c7b5e           | movzx               edi, word ptr [ebx + edi*2 + 0x5e]
            //   897de0               | mov                 dword ptr [ebp - 0x20], edi

        $sequence_1 = { 5e ff75e4 8b4508 8d8dd8feffff e8???????? 59 5f }
            // n = 7, score = 100
            //   5e                   | pop                 esi
            //   ff75e4               | push                dword ptr [ebp - 0x1c]
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   8d8dd8feffff         | lea                 ecx, [ebp - 0x128]
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   5f                   | pop                 edi

        $sequence_2 = { 8b937c1e0000 8d0413 8a8c387c0e0000 8945f4 884dab 83ff03 767a }
            // n = 7, score = 100
            //   8b937c1e0000         | mov                 edx, dword ptr [ebx + 0x1e7c]
            //   8d0413               | lea                 eax, [ebx + edx]
            //   8a8c387c0e0000       | mov                 cl, byte ptr [eax + edi + 0xe7c]
            //   8945f4               | mov                 dword ptr [ebp - 0xc], eax
            //   884dab               | mov                 byte ptr [ebp - 0x55], cl
            //   83ff03               | cmp                 edi, 3
            //   767a                 | jbe                 0x7c

        $sequence_3 = { 8b74240c 81fe0b010000 0f8f70010000 0f84da000000 81fed4000000 0f87b9040000 0fb686b8150210 }
            // n = 7, score = 100
            //   8b74240c             | mov                 esi, dword ptr [esp + 0xc]
            //   81fe0b010000         | cmp                 esi, 0x10b
            //   0f8f70010000         | jg                  0x176
            //   0f84da000000         | je                  0xe0
            //   81fed4000000         | cmp                 esi, 0xd4
            //   0f87b9040000         | ja                  0x4bf
            //   0fb686b8150210       | movzx               eax, byte ptr [esi + 0x100215b8]

        $sequence_4 = { e8???????? 8365fc00 ff7510 8d4e18 c706???????? }
            // n = 5, score = 100
            //   e8????????           |                     
            //   8365fc00             | and                 dword ptr [ebp - 4], 0
            //   ff7510               | push                dword ptr [ebp + 0x10]
            //   8d4e18               | lea                 ecx, [esi + 0x18]
            //   c706????????         |                     

        $sequence_5 = { 6800100000 8d3c00 57 53 ff7508 ff15???????? 8bd8 }
            // n = 7, score = 100
            //   6800100000           | push                0x1000
            //   8d3c00               | lea                 edi, [eax + eax]
            //   57                   | push                edi
            //   53                   | push                ebx
            //   ff7508               | push                dword ptr [ebp + 8]
            //   ff15????????         |                     
            //   8bd8                 | mov                 ebx, eax

        $sequence_6 = { 7704 83661800 ff4e1c 7504 83661800 c3 8b461c }
            // n = 7, score = 100
            //   7704                 | ja                  6
            //   83661800             | and                 dword ptr [esi + 0x18], 0
            //   ff4e1c               | dec                 dword ptr [esi + 0x1c]
            //   7504                 | jne                 6
            //   83661800             | and                 dword ptr [esi + 0x18], 0
            //   c3                   | ret                 
            //   8b461c               | mov                 eax, dword ptr [esi + 0x1c]

        $sequence_7 = { 8b0c81 8bc6 e8???????? 8b45dc 0fb744433a 0fb60c07 51 }
            // n = 7, score = 100
            //   8b0c81               | mov                 ecx, dword ptr [ecx + eax*4]
            //   8bc6                 | mov                 eax, esi
            //   e8????????           |                     
            //   8b45dc               | mov                 eax, dword ptr [ebp - 0x24]
            //   0fb744433a           | movzx               eax, word ptr [ebx + eax*2 + 0x3a]
            //   0fb60c07             | movzx               ecx, byte ptr [edi + eax]
            //   51                   | push                ecx

        $sequence_8 = { 57 6a01 8d4dd0 e8???????? e8???????? c3 6a6c }
            // n = 7, score = 100
            //   57                   | push                edi
            //   6a01                 | push                1
            //   8d4dd0               | lea                 ecx, [ebp - 0x30]
            //   e8????????           |                     
            //   e8????????           |                     
            //   c3                   | ret                 
            //   6a6c                 | push                0x6c

        $sequence_9 = { ff5220 8b4d08 0fb7c0 50 6a01 e8???????? 8d4d0c }
            // n = 7, score = 100
            //   ff5220               | call                dword ptr [edx + 0x20]
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   0fb7c0               | movzx               eax, ax
            //   50                   | push                eax
            //   6a01                 | push                1
            //   e8????????           |                     
            //   8d4d0c               | lea                 ecx, [ebp + 0xc]

    condition:
        7 of them and filesize < 892928
}
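The rule's condition ("7 of them and filesize < 892928") can be checked against a byte buffer without a YARA engine. The following Python, added here and not part of Malpedia or the yara-signator project, reimplements YARA hex-string matching with "??" wildcard bytes for the ten sequences above and builds a constructed buffer to show how many fragments a sample must carry before the rule fires.

```python
import re

# Hex sequences copied from the win_havex_rat_auto rule above; "??" is a wildcard byte.
SEQUENCES = {
    "sequence_0": "c1e704 03fe 038f94c90000 039798c90000 8b7ddc 0fb77c7b5e 897de0",
    "sequence_1": "5e ff75e4 8b4508 8d8dd8feffff e8???????? 59 5f",
    "sequence_2": "8b937c1e0000 8d0413 8a8c387c0e0000 8945f4 884dab 83ff03 767a",
    "sequence_3": "8b74240c 81fe0b010000 0f8f70010000 0f84da000000 81fed4000000 0f87b9040000 0fb686b8150210",
    "sequence_4": "e8???????? 8365fc00 ff7510 8d4e18 c706????????",
    "sequence_5": "6800100000 8d3c00 57 53 ff7508 ff15???????? 8bd8",
    "sequence_6": "7704 83661800 ff4e1c 7504 83661800 c3 8b461c",
    "sequence_7": "8b0c81 8bc6 e8???????? 8b45dc 0fb744433a 0fb60c07 51",
    "sequence_8": "57 6a01 8d4dd0 e8???????? e8???????? c3 6a6c",
    "sequence_9": "ff5220 8b4d08 0fb7c0 50 6a01 e8???????? 8d4d0c",
}
MAX_FILESIZE = 892928   # from the rule condition
MIN_SEQUENCES = 7       # "7 of them"


def hex_pattern_to_regex(hexstr: str) -> re.Pattern:
    """Turn a YARA-style hex string into a bytes regex; '??' matches any single byte."""
    tokens = hexstr.replace(" ", "")
    parts = []
    for i in range(0, len(tokens), 2):
        pair = tokens[i:i + 2]
        parts.append(b"." if pair == "??" else re.escape(bytes.fromhex(pair)))
    return re.compile(b"".join(parts), re.DOTALL)


def matching_sequences(data: bytes) -> list:
    """Names of the rule's sequences found anywhere in the buffer."""
    return [name for name, hs in SEQUENCES.items() if hex_pattern_to_regex(hs).search(data)]


def rule_matches(data: bytes) -> bool:
    """Mirror the rule condition: at least 7 sequences present and filesize below the cap."""
    return len(matching_sequences(data)) >= MIN_SEQUENCES and len(data) < MAX_FILESIZE


def build_sample(seq_names, wildcard_fill: bytes = b"\x00") -> bytes:
    """Constructed test buffer: the chosen sequences with wildcards filled, separated by NOP padding."""
    out = bytearray()
    for name in seq_names:
        tokens = SEQUENCES[name].replace(" ", "")
        for i in range(0, len(tokens), 2):
            pair = tokens[i:i + 2]
            out += wildcard_fill if pair == "??" else bytes.fromhex(pair)
        out += b"\x90" * 4
    return bytes(out)
```

A buffer carrying only six of the fragments, or one padded past the 892928-byte cap, does not trigger the condition even though the fragments are intact, which is the behaviour to keep in mind when assigning confidence to an auto-generated single-sample rule.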