HAVEX Malware is on the Hunt for ICS & SCADA Systems

Researchers at F-Secure, as well as individual malware hunters on Pastebin and other forums, have noticed a targeting trend in the HAVEX family of malware. Sometime earlier this year the actors behind a HAVEX strain decided to target Industrial Control Systems (ICS) and Supervisory Control And Data Acquisition (SCADA) systems, mainly in Europe, with at least one company in the U.S. affected. It appears that hostile actors have been able to compromise ICS/SCADA vendor websites and replace ICS/SCADA software downloads with versions that contain malicious code.

It is standard practice to post file checksums to allow for independent verification of a downloaded file. It stands to reason that if hostile actors are able to replace a downloadable file on a vendor website, then changing the posted checksum is also possible. This verification system has only ever been as reliable as the security of the website (or of the connection: it is possible to Man-in-the-Middle a connection and push a malicious file along with a forged checksum).
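The point above, shown as an added example (not code from the original post or from F-Secure): a checksum served by the same site as the download "verifies" a trojanized file, while a digest pinned from an out-of-band source catches the swap. The installer bytes and the trojanized copy are constructed stand-ins.

```python
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    """SHA-256 digest of a file's bytes as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def verify_download(data: bytes, expected_sha256: str) -> bool:
    """True only if the file's digest matches the expected one.

    hmac.compare_digest is used so the comparison does not leak how many
    leading characters matched.
    """
    actual = sha256_hex(data)
    return hmac.compare_digest(actual, expected_sha256.strip().lower())


# Constructed stand-ins: a genuine vendor installer and a copy with extra
# bytes appended (standing in for a trojanized build).
GENUINE_INSTALLER = b"vendor-hmi-setup-1.0.exe\x00" + bytes(range(64))
TROJANIZED_INSTALLER = GENUINE_INSTALLER + b"\x00constructed-extra-payload"

# Digest recorded out-of-band while the download was still genuine, e.g. from
# a signed release note or a hash pinned in a change-control record.
PINNED_SHA256 = sha256_hex(GENUINE_INSTALLER)


def simulate_compromised_site() -> tuple[bool, bool]:
    """Attacker has replaced both the download and the checksum on the page.

    Returns (same_origin_result, pinned_result): the first passes because the
    posted checksum was forged to match; the second fails because the pinned
    digest was obtained independently of the compromised site.
    """
    served_file = TROJANIZED_INSTALLER
    served_checksum = sha256_hex(served_file)  # forged alongside the file
    same_origin_result = verify_download(served_file, served_checksum)
    pinned_result = verify_download(served_file, PINNED_SHA256)
    return same_origin_result, pinned_result


if __name__ == "__main__":
    print("genuine file vs pinned digest:", verify_download(GENUINE_INSTALLER, PINNED_SHA256))
    print("(same-origin check, pinned check) on trojanized file:", simulate_compromised_site())
```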

This variant of the HAVEX malware is designed to deploy a Remote Access Tool (RAT) and then start stealing data from infected machines. Researchers have confirmed three attack vectors: spam email, other exploit kits (e.g. Zeus), and, most concerning, trojanized vendor software hosted on vendor websites.

The variant of the HAVEX malware that was analyzed by F-Secure included a dynamic link library (DLL) called “mbcheck.dll”, which has been identified as the HAVEX malware itself. Once this DLL is run and the system is infected, it contacts a Command and Control (C&C) server to download software specific to this attack. The local network is then scanned specifically for ICS/SCADA devices using the OLE for Process Control (OPC) protocol. OPC is one way Windows-based devices communicate with ICS/SCADA systems. F-Secure has not seen any of the hostile code attempting to control ICS/SCADA devices.

News broke earlier this month that hackers in China, Russia, and Iran are all looking for “security weaknesses that could be employed to disrupt the delivery of water and electricity and impede other functions critical to the economy,” according to U.S. Government sources. If this is true, then the research team at F-Secure may have just uncovered yet another cyber weapon being used in a war that most have no clue is being waged.

Full text of the F-Secure analysis is available at http://www.f-secure.com/weblog/archives/00002718.html or through a Google search for “Havex Hunts for ICS/SCADA Systems”.

Credit to @anttitikkanen and @daavidhentunen for their hard work dissecting HAVEX.

Post by Protocol 46