Havex: malware targeting industrial control devices


Over the past year we have paid close attention to the Havex malware family and the group behind it. Havex is considered to be malware that targets several industries; the initial report noted a particular interest in the energy sector.

Havex consists mainly of a Remote Access Trojan (RAT) and server-side programs written in PHP. The name "Havex" appears in the server code.

In the spring of 2014 we found that Havex had developed a particular interest in industrial control systems (ICS). The group behind the malware used an innovative method to reach its targets: the attackers first trojanized the software offered for download on ICS/SCADA vendors' websites. When users downloaded and installed that software, their machines were infected.

We collected and analyzed 88 variants of Havex, focusing on what they targeted, where they collected data, and which networks and machines they reached. The analysis found that Havex communicates with as many as 146 C&C servers, and that more than 1500 IP addresses communicated with those servers, which allowed us to identify the final victims.

The attackers use compromised websites and blogs as C&C servers. The following are some examples of the sites used as C&C servers.

We also discovered an additional component that the attackers can use to steal data from machines used in ICS/SCADA systems. This indicates that the attackers are interested not only in the target companies' networks but also in gaining control of their ICS/SCADA systems. We do not yet understand the motive for this.

Trojanized software installation packages as the infection vector

The Havex RAT spreads through the following channels:

(1) spam
(2) exploit kits
(3) trojanized software installation packages offered to users for download on the compromised vendor's own website

Spam and exploit kits are straightforward delivery mechanisms and are not analyzed in depth here. The third method deserves more attention: it can be seen as a watering-hole attack, because the attacker chooses the ICS vendor as an intermediate target in order to reach the final targets.

The attackers break into the vendor's website by exploiting web vulnerabilities and replace the legitimate installer offered for download with one that contains the Trojan.

Our researchers found that three vendors were attacked in this way, with the Havex RAT bundled into the installation packages offered on their websites. We suspect there are more similar cases, but cannot confirm this yet.

According to their websites, the three companies, based in Germany, Switzerland and Belgium, all develop industrial equipment and software. Two of them provide remote management software for ICS systems, and the third develops high-precision industrial cameras and related software.

As an example, consider the results of dynamic analysis of one trojanized installation package.

A legitimate installer does not contain the file "mbcheck.dll". That file is the Havex malware itself: the trojanized installer drops and executes it as part of the software installation process. In this way the attackers gain a backdoor into the user's workstation.
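One defensive check against this infection vector is to verify a downloaded installer against a manifest the vendor publishes through a separate channel, flagging any archive member the manifest does not list. The following Python script is an added example, not code from the original report or from any vendor; the archive contents, the manifest and the file hashes are constructed inline, and only the dropped file name mbcheck.dll is taken from the article.

```python
"""Verify a downloaded installer archive against a vendor-published manifest.

Added example (not from the original article). The archive, the manifest and
the file contents are constructed here so the script runs offline; a real
vendor would publish the manifest (and its signature) out of band.
"""
import hashlib
import io
import zipfile


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_sample_installer() -> bytes:
    """Constructed stand-in for a trojanized installer: the legitimate files
    plus one extra DLL that the vendor's manifest does not list."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("setup.exe", b"legitimate installer stub")
        zf.writestr("config.ini", b"[app]\nversion=1.0\n")
        zf.writestr("mbcheck.dll", b"unexpected payload")  # file name taken from the article
    return buf.getvalue()


# Constructed manifest: what the vendor says the archive should contain.
VENDOR_MANIFEST = {
    "setup.exe": sha256_hex(b"legitimate installer stub"),
    "config.ini": sha256_hex(b"[app]\nversion=1.0\n"),
}


def verify_installer(archive: bytes, manifest: dict) -> dict:
    """Compare archive members with the manifest.

    Returns three lists: members not in the manifest, members whose hash
    differs from the manifest, and manifest entries missing from the archive.
    Any non-empty list means the installer should not be run.
    """
    result = {"unexpected": [], "mismatched": [], "missing": []}
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        members = {info.filename: zf.read(info.filename)
                   for info in zf.infolist() if not info.is_dir()}
    for name, data in members.items():
        expected = manifest.get(name)
        if expected is None:
            result["unexpected"].append(name)
        elif sha256_hex(data) != expected:
            result["mismatched"].append(name)
    result["missing"] = sorted(set(manifest) - set(members))
    return result


def installer_is_clean(archive: bytes, manifest: dict) -> bool:
    """True only when every member is listed, matches, and nothing is missing."""
    return not any(verify_installer(archive, manifest).values())


if __name__ == "__main__":
    sample = build_sample_installer()
    for kind, names in verify_installer(sample, VENDOR_MANIFEST).items():
        print(f"{kind}: {names}")
    print("clean:", installer_is_clean(sample, VENDOR_MANIFEST))
```

In the constructed sample the extra mbcheck.dll is reported as unexpected while the legitimate files match, so the installer is rejected. The check is only as trustworthy as the manifest's delivery channel: if the manifest is fetched from the same compromised site as the installer, the attacker can replace both, so it needs to be signed or retrieved separately.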

Target organizations

Based on the analysis of the samples, we were able to find some infected systems and track the IP addresses communicating with the Havex RAT C&C servers.

All infected entities are related to industrial applications or machinery. Most victims are located in Europe, though we found at least one company in California sending data to a C&C server. Among the European victims are two well-known French educational institutions that conduct technology-related research, two German manufacturers of industrial applications and machinery, a French industrial machine manufacturer, and a Russian construction company specializing in structural engineering.

ICS/SCADA sniffing

Analysis of the Havex sample code shows that it contains ICS/SCADA sniffing behaviour. The C&C server instructs the infected computer to download and execute further components, one of which is particularly interesting. When we analyzed this component, we found that it enumerates the LAN looking for connected resources and servers. The program calls the Windows library function "WNetEnumResource" (documentation: http://msdn.microsoft.com/zh-cn/library/aa918051).

We then found that the program calls Microsoft's COM interfaces (CoInitializeEx, CoCreateInstanceEx) to connect to a specific service.

To confirm which service the sample is interested in, we looked up the GUID values it passes to these calls, which identify the interface and class being requested. A Google search gives the following:

9dd0b56c-ad9e-43ee-8305-440f3188bf7a = IID_IOPCServerList2

13486D51-4821-11D2-A494-3CB306C10000 = CLSID_OPCServerList

The program obtains the list of OPC servers running on the machine by calling the IOPCServerList2 interface. Major industrial control manufacturers develop their own OPC server programs, but all of them comply with the common OPC standard; from an object-oriented perspective, every OPC server derives from the interfaces defined by the OPC Foundation. OPCEnum.exe is used to enumerate the list of OPC servers: for example, if OPC servers from three automation vendors are installed on one machine, a client can call OPCEnum to learn which OPC servers are installed and then interact with them. From the perspective of this article, Havex appears only to obtain basic information about the OPC servers without going further. According to another analysis article, however, Havex does interact further with the OPC servers and obtains more detailed information from them.

Note that the string "OPCServer" is referenced by several instructions, and more OPC-related string keywords are found in the resources of the executable.

OPC stands for OLE for Process Control, a standard for interaction between Windows applications and process control hardware. Through OPC the malware can obtain detailed information about the devices and send it to the C&C server for the attackers to analyze. This component appears to be only an intelligence-gathering tool; so far we have found no payload that attempts to control the hardware connected to the control system.
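For hunting, the two GUIDs above are useful static indicators, but in a compiled sample they rarely appear as the dashed text shown here: a CLSID or IID passed to CoCreateInstanceEx is embedded as a 16-byte GUID structure with little-endian Data1, Data2 and Data3 fields, while GUIDs parsed at runtime appear as ASCII or UTF-16 strings. The following Python script is an added example, not code from the original report, that scans a byte buffer for both GUIDs in each of these forms; the buffer it scans is constructed inline to stand in for an unpacked sample.

```python
"""Hunt for the OPC enumeration GUIDs named in the article, in the forms they
take inside a binary.

Added example (not from the original article or any tool it cites). The two
GUIDs are the ones listed in the article; the sample buffer is constructed
here so the scan runs offline.
"""
import re
import uuid

# GUIDs from the article, mapped to the names the OPC Foundation gives them.
OPC_GUIDS = {
    "IID_IOPCServerList2": uuid.UUID("9dd0b56c-ad9e-43ee-8305-440f3188bf7a"),
    "CLSID_OPCServerList": uuid.UUID("13486D51-4821-11D2-A494-3CB306C10000"),
}


def guid_patterns(name: str, guid: uuid.UUID) -> list:
    """Return (name, form, byte pattern) for each on-disk form of a GUID.

    CoCreateInstanceEx takes a GUID struct, so compiled code embeds it as
    Data1/Data2/Data3 little-endian followed by the 8 Data4 bytes; that is
    exactly uuid.UUID.bytes_le. GUIDs parsed at runtime from text (e.g. via
    CLSIDFromString) appear as ASCII or UTF-16LE strings instead. Braces, if
    present, sit just before the hit and are not part of the pattern.
    """
    forms = []
    for text in (str(guid), str(guid).upper()):
        forms.append((name, "ascii", text.encode("ascii")))
        forms.append((name, "utf16", text.encode("utf-16-le")))
    forms.append((name, "struct", guid.bytes_le))
    return forms


def scan_for_guids(blob: bytes, guids: dict = OPC_GUIDS) -> list:
    """Return sorted (offset, name, form) hits for every GUID form found in blob."""
    hits = []
    for name, guid in guids.items():
        for _, form, pattern in guid_patterns(name, guid):
            for m in re.finditer(re.escape(pattern), blob):
                hits.append((m.start(), name, form))
    return sorted(hits)


def build_sample_blob() -> bytes:
    """Constructed stand-in for a region of an unpacked sample: filler bytes,
    the CLSID as a GUID struct, more filler, then the IID as a UTF-16 string."""
    clsid_struct = OPC_GUIDS["CLSID_OPCServerList"].bytes_le
    iid_text = str(OPC_GUIDS["IID_IOPCServerList2"]).upper().encode("utf-16-le")
    return b"\x90" * 32 + clsid_struct + b"\x00" * 16 + iid_text + b"\xcc" * 8


if __name__ == "__main__":
    for offset, name, form in scan_for_guids(build_sample_blob()):
        print(f"0x{offset:08x}  {name:<22}  {form}")
```

Against a real file the scan should be run on the unpacked image, since a packed sample hides these constants until it executes. A hit is a triage lead rather than a verdict: any legitimate OPC Data Access client enumerates servers through the same CLSID and interface, so the context (an unexpected binary, a component dropped into a temporary folder) decides.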

In-depth explanation

Havex consists of two main components: the downloader and the OPC intelligence-collection module. For more information about the downloader, see this article: http://blog.fortinet.com/Evolving-History-of-Havex-Module-Downloader/

In the test environment we first installed two OPC servers on other machines in the LAN. The malware successfully collected information about both: the PC on which the OPC servers were installed is named R3P-PC, and the installed servers are the ICONICS OPCServer AD and AE.

The collected information is compressed in bzip format, encrypted with RSAEuro, and saved as a .yls file in the machine's temporary folder.

In our test environment this .yls file was not sent back to the attacker. Judging from the txt files generated later, however, these files must normally be transmitted back to the C&C server.

Two further files are created, opcserver1.txt and opcserver2.txt, each recording the details of one OPC server.

These files record more detailed information from the OPC server, including group information and the names and types of tags. Someone working in industrial control can infer the scale of a plant from the number of tags. Moreover, some tags may be highly sensitive: if their values were forcibly modified, the consequences for the operation of the control system could be very serious. In addition, some OPC server products have vulnerabilities, as official ICS-CERT advisories show; using such known or unknown vulnerabilities an attacker could intrude further into the OPC server and so get closer and closer to the core of the control system.


Summary

The attackers behind Havex used a clever method of industrial espionage: inserting Trojans into ICS/SCADA software installation packages is an effective way to gain access to target systems, and it can even reach critical technical facilities.

The OPC protocol is mainly used in the process industries, such as petroleum and petrochemicals. Why does Havex target the energy industry? The protocol is mainly used to access process data, which falls within the scope of process control, so Havex may be used mainly to steal data. For example, layer-by-layer intrusion through OPC could ultimately steal the control scheme or recipe of a process, such as a recipe in a refinery or a pharmaceutical plant. Stuxnet, by contrast, targeted plant-floor control such as PLCs; the protocols involved there, such as Modbus and Profibus, are used to control the lowest-level terminals of the control system, for example opening and closing valves, starting and stopping motors, and running motors forward and in reverse.
