win.havex_rat

Havex RAT

Actor(s): Energetic Bear


Havex is a remote access trojan (RAT) first identified in 2013 as part of a widespread espionage campaign against operators of industrial control systems (ICS) across numerous industries, attributed to the threat group tracked as "Dragonfly" and "Energetic Bear". Havex is estimated to have affected thousands of infrastructure sites, the majority of them in Europe and the United States. Within the energy sector it targeted grid operators, major electricity generation firms, petroleum pipeline operators and industrial equipment providers; organizations in the aviation, defense, pharmaceutical and petrochemical industries were also affected.

Once installed, Havex scanned the local network for Supervisory Control and Data Acquisition (SCADA) and other ICS devices and reported the results to its command-and-control servers. Its scanning module relied on the Open Platform Communications (OPC) standard, a vendor-neutral interface used across many industries so that ICS components from different manufacturers can exchange data. Because OPC Classic is built on Microsoft's Distributed Component Object Model (DCOM), the module connected over DCOM to the OPC servers reachable inside the ICS network and collected attributes such as CLSID, server name, Program ID, OPC version, vendor information, running state, group count and server bandwidth. Each of these queries is ordinary OPC client behaviour, which is what lets it blend in; what stands out is a host with no business acting as an OPC client querying many servers in quick succession.

Havex was an intelligence-collection tool used for espionage rather than for disrupting or destroying industrial processes. The inventory of OPC servers it gathered, however, is exactly the reconnaissance an attacker would need to design and develop follow-on attacks against specific targets or industries.
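Every DCOM activation starts with a call to the RPC endpoint mapper on TCP/135, so an OPC enumeration sweep of the kind described above shows up in flow logs as one source reaching TCP/135 on many peers within a short window. The following detector is an added example, not Malpedia's or any referenced vendor's code: the flow format, addresses and thresholds are constructed for illustration, and the window and target count are starting points to be tuned against a site baseline.

```python
"""Flag hosts that contact the RPC endpoint mapper (TCP/135), the first hop of
any DCOM activation, on many distinct peers within a short window.

Added example: the flow format and addresses are constructed, not captured
Havex traffic, and the thresholds are illustrative starting points."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow log: "<ISO timestamp> <src_ip> <dst_ip> <dst_port>" per line.
# 10.0.5.23 sweeps six hosts on TCP/135 in under ten seconds (the pattern we
# want to catch); 10.0.5.50 talks to two OPC servers half an hour apart (normal
# HMI behaviour); 10.0.5.60 is unrelated HTTPS traffic.
SAMPLE_FLOWS = """\
2014-06-20T09:00:01 10.0.5.23 10.0.5.40 135
2014-06-20T09:00:02 10.0.5.23 10.0.5.41 135
2014-06-20T09:00:02 10.0.5.23 10.0.5.41 49154
2014-06-20T09:00:04 10.0.5.23 10.0.5.42 135
2014-06-20T09:00:05 10.0.5.23 10.0.5.43 135
2014-06-20T09:00:07 10.0.5.23 10.0.5.44 135
2014-06-20T09:00:09 10.0.5.23 10.0.5.45 135
2014-06-20T09:00:09 10.0.5.23 10.0.5.40 135
2014-06-20T09:01:00 10.0.5.50 10.0.5.40 135
2014-06-20T09:30:00 10.0.5.50 10.0.5.41 135
2014-06-20T09:02:00 10.0.5.60 10.0.5.40 443
"""


def parse_flows(text):
    """Parse the constructed flow format into (timestamp, src, dst, dport) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return flows


def find_dcom_sweeps(flows, window=timedelta(minutes=5), min_targets=5):
    """Return {src: sorted list of all TCP/135 peers} for every source that
    reached at least min_targets distinct peers on TCP/135 inside one window."""
    by_src = defaultdict(list)
    for ts, src, dst, port in flows:
        if port == 135:
            by_src[src].append((ts, dst))

    sweeps = {}
    for src, events in by_src.items():
        events.sort()  # chronological; flow exports are not guaranteed ordered
        start = 0
        for end in range(len(events)):
            # Shrink the window from the left until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {dst for _, dst in events[start:end + 1]}
            if len(distinct) >= min_targets:
                sweeps[src] = sorted({dst for _, dst in events})
                break
    return sweeps


if __name__ == "__main__":
    for src, peers in find_dcom_sweeps(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{src} swept TCP/135 on {len(peers)} hosts: {', '.join(peers)}")
```

In an OT network, DCOM traffic between an HMI and its handful of OPC servers is expected, so the practical version of this check carries an allowlist of known OPC clients and alerts on everything else; the endpoint-mapper port is used as the signal because the OPC session itself moves to a dynamically assigned high port after that first exchange.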

References
2020-12-21, IronNet, Adam Hlavek and Kimberly Ortiz: "Russian cyber attack campaigns and actors". https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors (retrieved 2021-01-05). Families covered: WellMail, elf.wellmess, Agent.BTZ, BlackEnergy, EternalPetya, Havex RAT, Industroyer, Ryuk, Triton, WellMess.
2020-11-04, Stranded on Pylos Blog, Joe Slowik: "The Enigmatic Energetic Bear". https://pylos.co/2020/11/04/the-enigmatic-energetic-bear/ (retrieved 2020-11-06). Families covered: EternalPetya, Havex RAT.
2020, SecureWorks: "IRON LIBERTY" (threat profile). https://www.secureworks.com/research/threat-profiles/iron-liberty (retrieved 2020-05-23). Families covered: Havex RAT, Karagany.
2014-06-23, F-Secure, Daavid: "Havex Hunts For ICS/SCADA Systems". https://www.f-secure.com/weblog/archives/00002718.html (retrieved 2020-01-09). Families covered: Havex RAT.
Yara Rules
[TLP:WHITE] win_havex_rat_auto (20210616 | Detects win.havex_rat.)
rule win_havex_rat_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-06-10"
        version = "1"
        description = "Detects win.havex_rat."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.havex_rat"
        malpedia_rule_date = "20210604"
        malpedia_hash = "be09d5d71e77373c0f538068be31a2ad4c69cfbd"
        malpedia_version = "20210616"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { e8???????? 83c404 385c2417 0f852d020000 33c9 c78424e800000007000000 899c24e4000000 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   385c2417             | cmp                 byte ptr [esp + 0x17], bl
            //   0f852d020000         | jne                 0x233
            //   33c9                 | xor                 ecx, ecx
            //   c78424e800000007000000     | mov    dword ptr [esp + 0xe8], 7
            //   899c24e4000000       | mov                 dword ptr [esp + 0xe4], ebx

        $sequence_1 = { 894b3c 898340040000 8b0d???????? 894b14 ff4b14 8b4b14 33d2 }
            // n = 7, score = 100
            //   894b3c               | mov                 dword ptr [ebx + 0x3c], ecx
            //   898340040000         | mov                 dword ptr [ebx + 0x440], eax
            //   8b0d????????         |                     
            //   894b14               | mov                 dword ptr [ebx + 0x14], ecx
            //   ff4b14               | dec                 dword ptr [ebx + 0x14]
            //   8b4b14               | mov                 ecx, dword ptr [ebx + 0x14]
            //   33d2                 | xor                 edx, edx

        $sequence_2 = { 59 8d4d08 8bf8 e8???????? 8b07 6a20 8bcf }
            // n = 7, score = 100
            //   59                   | pop                 ecx
            //   8d4d08               | lea                 ecx, dword ptr [ebp + 8]
            //   8bf8                 | mov                 edi, eax
            //   e8????????           |                     
            //   8b07                 | mov                 eax, dword ptr [edi]
            //   6a20                 | push                0x20
            //   8bcf                 | mov                 ecx, edi

        $sequence_3 = { e8???????? 83c40c 8b45f8 03c0 3b4510 8945f8 7f0a }
            // n = 7, score = 100
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   03c0                 | add                 eax, eax
            //   3b4510               | cmp                 eax, dword ptr [ebp + 0x10]
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   7f0a                 | jg                  0xc

        $sequence_4 = { 72f4 8a440de4 41 84c0 752c }
            // n = 5, score = 100
            //   72f4                 | jb                  0xfffffff6
            //   8a440de4             | mov                 al, byte ptr [ebp + ecx - 0x1c]
            //   41                   | inc                 ecx
            //   84c0                 | test                al, al
            //   752c                 | jne                 0x2e

        $sequence_5 = { 8b4de0 3bcf 7405 e8???????? 57 56 }
            // n = 6, score = 100
            //   8b4de0               | mov                 ecx, dword ptr [ebp - 0x20]
            //   3bcf                 | cmp                 ecx, edi
            //   7405                 | je                  7
            //   e8????????           |                     
            //   57                   | push                edi
            //   56                   | push                esi

        $sequence_6 = { 8b4c241c 8b4710 8d5908 89442410 3bd8 741f }
            // n = 6, score = 100
            //   8b4c241c             | mov                 ecx, dword ptr [esp + 0x1c]
            //   8b4710               | mov                 eax, dword ptr [edi + 0x10]
            //   8d5908               | lea                 ebx, dword ptr [ecx + 8]
            //   89442410             | mov                 dword ptr [esp + 0x10], eax
            //   3bd8                 | cmp                 ebx, eax
            //   741f                 | je                  0x21

        $sequence_7 = { 68???????? e8???????? ff7598 8d7770 }
            // n = 4, score = 100
            //   68????????           |                     
            //   e8????????           |                     
            //   ff7598               | push                dword ptr [ebp - 0x68]
            //   8d7770               | lea                 esi, dword ptr [edi + 0x70]

        $sequence_8 = { 895d08 50 8d7dec 8d5df4 e8???????? 8b08 }
            // n = 6, score = 100
            //   895d08               | mov                 dword ptr [ebp + 8], ebx
            //   50                   | push                eax
            //   8d7dec               | lea                 edi, dword ptr [ebp - 0x14]
            //   8d5df4               | lea                 ebx, dword ptr [ebp - 0xc]
            //   e8????????           |                     
            //   8b08                 | mov                 ecx, dword ptr [eax]

        $sequence_9 = { 68???????? 8d4dd8 e8???????? 8365fc00 50 8d4db0 e8???????? }
            // n = 7, score = 100
            //   68????????           |                     
            //   8d4dd8               | lea                 ecx, dword ptr [ebp - 0x28]
            //   e8????????           |                     
            //   8365fc00             | and                 dword ptr [ebp - 4], 0
            //   50                   | push                eax
            //   8d4db0               | lea                 ecx, dword ptr [ebp - 0x50]
            //   e8????????           |                     

    condition:
        7 of them and filesize < 892928
}
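To see what the rule above actually demands, the following added example re-implements its matching logic in plain Python: each hex string becomes a byte regex in which the `??` positions (relative call targets and absolute data references that change between builds) match any byte, and the condition requires any seven of the ten sequences in a file smaller than 892,928 bytes. This is not part of the page or of yara-signator; the hex strings are copied from the rule, the test buffers are constructed, and the evaluator covers only the subset of YARA hex syntax this rule uses.

```python
"""Pure-Python evaluation of the win_havex_rat_auto hex strings, to show what
the rule actually demands: any seven of the ten sequences, each with its ??
bytes free to vary, in a file under 892,928 bytes.

Added example, not part of the page or of yara-signator; the hex strings are
copied from the rule above, the test buffers are constructed."""
import re

# The ten $sequence_N strings exactly as they appear in win_havex_rat_auto.
HAVEX_SEQUENCES = {
    "sequence_0": "e8???????? 83c404 385c2417 0f852d020000 33c9 c78424e800000007000000 899c24e4000000",
    "sequence_1": "894b3c 898340040000 8b0d???????? 894b14 ff4b14 8b4b14 33d2",
    "sequence_2": "59 8d4d08 8bf8 e8???????? 8b07 6a20 8bcf",
    "sequence_3": "e8???????? 83c40c 8b45f8 03c0 3b4510 8945f8 7f0a",
    "sequence_4": "72f4 8a440de4 41 84c0 752c",
    "sequence_5": "8b4de0 3bcf 7405 e8???????? 57 56",
    "sequence_6": "8b4c241c 8b4710 8d5908 89442410 3bd8 741f",
    "sequence_7": "68???????? e8???????? ff7598 8d7770",
    "sequence_8": "895d08 50 8d7dec 8d5df4 e8???????? 8b08",
    "sequence_9": "68???????? 8d4dd8 e8???????? 8365fc00 50 8d4db0 e8????????",
}
MAX_FILESIZE = 892928   # from the rule: filesize < 892928
REQUIRED = 7            # from the rule: 7 of them


def hex_tokens(hexstr):
    """Yield one two-character unit per byte: 'e8', '83', ... or '??'."""
    for tok in hexstr.split():
        if len(tok) % 2:
            raise ValueError(f"odd-length token {tok!r}")
        for i in range(0, len(tok), 2):
            yield tok[i:i + 2]


def hex_string_to_regex(hexstr):
    """Compile a YARA hex string (fixed bytes plus ?? wildcards) to a bytes regex."""
    parts = [rb"." if unit == "??" else re.escape(bytes([int(unit, 16)]))
             for unit in hex_tokens(hexstr)]
    return re.compile(b"".join(parts), re.DOTALL)


COMPILED = {name: hex_string_to_regex(h) for name, h in HAVEX_SEQUENCES.items()}


def matching_sequences(data):
    """Names of the sequences found anywhere in data."""
    return sorted(name for name, rx in COMPILED.items() if rx.search(data))


def rule_matches(data):
    """Evaluate the rule's condition: 7 of them and filesize < 892928."""
    return len(data) < MAX_FILESIZE and len(matching_sequences(data)) >= REQUIRED


def hex_string_to_bytes(hexstr, fill=0x41):
    """Materialise a hex string, substituting `fill` for every ?? byte."""
    return bytes(fill if unit == "??" else int(unit, 16) for unit in hex_tokens(hexstr))


def build_sample(n, fill=0x41):
    """Constructed buffer embedding the first n sequences between NOP padding."""
    chosen = list(HAVEX_SEQUENCES.values())[:n]
    pad = b"\x90" * 16
    return pad + pad.join(hex_string_to_bytes(h, fill) for h in chosen) + pad


if __name__ == "__main__":
    for n in (6, 7, 10):
        buf = build_sample(n)
        print(f"{n} sequences embedded -> matches={rule_matches(buf)}")
```

The wildcards only absorb the operands that the linker or compiler relocates; the opcode bytes around them are fixed, so a recompiled or differently optimised build of the same source will not necessarily trip seven sequences, which is the generalisation caveat the rule's own disclaimer makes. Conversely, because the rule is evaluated against memory dumps and unpacked files, running it over a packed sample on disk will usually find none of the sequences at all.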