The remote access tool (RAT) HAVEX became the focus of the security industry after it was discovered to have played a major role in a campaign targeting industrial control systems (ICS). While observing HAVEX detections (known by different vendors as Dragonfly, Energetic Bear, and Crouching Yeti), we noticed something interesting.
The Dragonfly campaign was previously believed to be compatible only with 32-bit Windows versions, as most mission-critical systems would most likely be running Windows XP, which has since reached end of support. In contrast, we came across two interesting infections running on Windows 7 systems.
First 64-bit HAVEX Sighting
Based on our analysis (seen in the chain below), a file called TMPprovider023.dll, detected as BKDR64_HAVEX.A, was found, which creates several files in the file system. It should be noted that TMPprovider0<2-digit version number>.dll is a known indicator of HAVEX and is the component of this threat that interacts with the command-and-control (C&C) servers to perform downloads or receive execution commands associated with it.
Figure 1. File installation chain
This is interesting because we’re seeing three indicators of BKDR_HAVEX:
- The file TMPProvider023.dll, as indicated above, with the number indicating the version of this HAVEX RAT (v023)
- A dropped file named 34CD.tmp.dll, detected as BKDR_HAVEX.SM. At this point, the file is being repeatedly detected and quarantined by the installed Trend Micro product. This was later found to be version 29 (v029) of HAVEX.
- C&C communication from the host and back
Figure 2. The dropped file detected as BKDR_HAVEX.SM
A Closer Look at the First 64-bit HAVEX Sighting
To better understand how these two files (TMPProvider023.dll and 34CD.tmp.dll) work, we need to determine the other files that were related to the infection chain. With this, we noticed two other dropped files.
The first file, 734.tmp.dll and detected as BKDR_HAVEX.C, is responsible for creating the registry key and entry, which is queried by the “main” HAVEX file:
HKCU\Software\Microsoft\Internet Explorer\InternetRegistry\Options
b = <data>
Compared to newer HAVEX versions (>= version 038), this version required another loader as seen below.
Figure 3. The dropped file 734.tmp.dll
The second file, 4F2.tmp.dll and also detected as BKDR_HAVEX.C, proved to be more interesting. Since technically there were two versions of the HAVEX RAT residing on one machine, it’s now a question if v029 is “backward compatible” with v023.
4F2.tmp.dll purges the file system of the following:
File | Registry |
---|---|
%TEMP%\*.yls | HKCU\Software\Mirosoft\Internet Explorer\InternetRegistry\Options |
%TEMP%\*.xmd | |
%TEMP%\qln.dbx | |
Figure 4. Pseudo code representing the deletion of files (top) and registry key (bottom)
We can therefore see how v023, previously a 64-bit file, was upgraded to a 32-bit v029 HAVEX RAT. This now brings us to four files that seem to be interrelated in one single infection, as seen below:
File name | SHA1 | Compile Date | Architecture |
---|---|---|---|
%TEMP%\TMPprovider023.dll | 997C0EDC9E8E67FA0C0BC88D6FDEA512DD8F7277 | 2012-10-03 | AMD64 |
%TEMP%\34CD.tmp.dll | CF5755D167077C1F8DEEDDEAFEBEA0982BEED718 | 2013-04-30 | I386 |
%TEMP%\734.tmp.dll | BFDDB455643675B1943D4E33805D6FD6884D592F | 2013-08-16 | I386 |
%TEMP%\4F2.tmp.dll | 8B634C47087CF3F268AB7EBFB6F7FBCFE77D1007 | 2013-06-27 | I386 |
The compile time of TMPprovider023.dll (v023) is earlier than that of the three other files, indicating that the 64-bit file pre-dates the other 32-bit files in this infection. In fact, standalone execution of the 32-bit module results in a file called TMPprovider029.dll, which is definitely v029 of the HAVEX RAT.
Network Analysis
Two different HTTP POST requests were seen on the endpoint.
For the 32-bit “main” v029 HAVEX file, 34cd.tmp.dll, the format of the command-and-control query string resembles something similar to:
- hxxp://<C&C location>/path/to/php-script/php-php?id=<victim_ID>&v1=<HAVEX_version>&v2=<OS_version>&q=<command>
On the other hand, the query string for the 64-bit “main” v023 HAVEX file, TMPprovider023.dll, appears different:
- hxxp://<C&C location>/path/to/php-script/php-script.php?id=[20 numeric characters][10 numeric characters][6 alphanumeric characters]-[2 numeric characters]-[3 digit number]-[9 numeric characters]
The last two combinations ([3-digit number]-[9 numeric characters]) are always found in the string. The 3-digit number combination is most likely the version of the malware. It’s possible that the remaining nine digits represent the campaign ID.
The ID is generated randomly and is written in the following registry entry:
- HKCU\Software\Microsoft\Internet Explorer\InternetRegistry\fertger={malware ID}
In this particular infection, the v023 HAVEX file was using the same command-and-control server as the v029 HAVEX file. This tells us that the infrastructure between HAVEX versions (at least between v023 and v029) could have been shared.
Currently, we have seen at least four IP addresses communicating to the command-and-control server, two of which have exhibited the behavior of upgrading the version of the C&C module of the HAVEX RAT.
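The two beacon shapes described above, turned into a small detection check that runs over proxy log lines, as an added example that is not part of the original post. The hostnames, timestamps, victim IDs and command values are constructed placeholders; the path reuses the page's own `/path/to/php-script/` placeholder.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Query-string shapes as described on the page:
#   v029 (32-bit): ...php?id=<victim_ID>&v1=<HAVEX_version>&v2=<OS_version>&q=<command>
#   v023 (64-bit): ...php?id=<20 digits><10 digits><6 alnum>-<2 digits>-<3 digits>-<9 digits>
# The trailing <3 digits>-<9 digits> block is the constant part; the page reads the
# 3-digit group as the malware version and the 9-digit group as a probable campaign ID.
V023_ID_RE = re.compile(r"^\d{20}\d{10}[A-Za-z0-9]{6}-\d{2}-(\d{3})-(\d{9})$")


def classify_havex_request(url):
    """Return a dict describing which HAVEX beacon shape a URL matches, or None."""
    parts = urlsplit(url)
    if not parts.path.lower().endswith(".php"):
        return None
    q = parse_qs(parts.query, keep_blank_values=True)
    ids = q.get("id")
    if not ids or len(ids) != 1:
        return None
    victim_id = ids[0]
    # v029 style: an id plus the v1/v2/q parameters
    if {"v1", "v2", "q"}.issubset(q):
        return {"style": "v029", "victim_id": victim_id, "version": q["v1"][0],
                "os": q["v2"][0], "command": q["q"][0]}
    # v023 style: id is the only parameter and carries the fixed trailing block
    m = V023_ID_RE.match(victim_id)
    if m and len(q) == 1:
        return {"style": "v023", "victim_id": victim_id,
                "version": m.group(1), "campaign_id": m.group(2)}
    return None


def scan_proxy_log(lines):
    """Return a list of (line_number, classification) for lines carrying a matching URL."""
    hits = []
    for n, line in enumerate(lines, 1):
        for token in line.split():
            if token.startswith("http"):
                result = classify_havex_request(token)
                if result:
                    hits.append((n, result))
    return hits


# Constructed sample proxy log (placeholder host, IDs and command values; not from the page).
SAMPLE_LOG = [
    "2014-07-10T08:01:12Z 10.0.0.15 GET http://cnc.example.invalid/path/to/php-script/php-script.php?id=1234567890abcdef&v1=029&v2=6.1&q=45474bca5c3a",
    "2014-07-10T08:01:13Z 10.0.0.15 GET http://cnc.example.invalid/path/to/php-script/php-script.php?id=123456789012345678901234567890AB12CD-07-023-123456789",
    "2014-07-10T08:02:00Z 10.0.0.16 GET http://www.example.invalid/index.php?id=42&page=2",
]
```

Lines 1 and 2 of the constructed log are flagged as v029 and v023 beacons respectively; the ordinary `index.php?id=42` request is not.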
Another Infection: HAVEX Binary Attempts to Appear Digitally Signed
In the second infection, a file, NSDS.dll, was dropped in %APPDATA%, triggering a BKDR_HAVEX.SM infection – one which has a digital signature. Signing of malware code has increased in the past years and malware authors often seek keys that allow file signing to make malicious files appear as legitimate software.
This particular component had four files that mimicked an IBM-signed file, even though it was obvious that the digital certificate was self-signed:
Figure 5. Fake digital certificate “signed” by IBM
Properly signed files should come with a trusted certificate authority to validate the issued digital certificate, but these files had none. While we are unable to determine which software package had these files at this point in time, what’s interesting is that there are three other files that bear a similar digital signature as the one seen above. All these files are detected as BKDR_HAVEX.SM.
File hash | File Size | Compile Date |
---|---|---|
*bb59cc5e0040ede227332e7da1942264cd75ec4c | 133,152 bytes | 2013-03-21 |
80caa936528ceefcb614ae175bda2a27609a5dd3 | 133,152 bytes | 2013-04-08 |
49b109d94602195fe5705a9b5f7b5ddd59477015 | 133,152 bytes | 2013-04-23 |
361c0a4f8213693e974b6ae55bf0ad16c74adf61 | 133,152 bytes | 2013-06-11 |
* spotted file in the recent infection
The Reuse of Malware
While the HAVEX RAT has gone through several iterations, used in campaigns with ICS/SCADA and even pharmaceutical targets, nothing prevents it from being used again and again. ICS operators have to take note that the structure of the HAVEX binaries resembles much of what we see in common Windows malware, more so now that we have seen Windows 7 64-bit infections. It is therefore important to validate software being installed on endpoints within the environment, and to frequently monitor HTTP traffic.
Trend Micro blocks and detects all indicators above. You can read more about threats to the ICS environment in two Trend Micro research papers, “Who’s Really Attacking Your ICS Equipment?” and “The SCADA That Cried Wolf.”
With additional analysis from Abraham Camba.
Hashes of related files: