Havex RAT Description
The Havex RAT is a Remote Access Trojan that is part of the toolkit of a Russian, state-sponsored hacker group called Energetic Bear or Dragonfly. At the time of its discovery, the Havex RAT was among the five malware threats developed to specifically target Industrial Control Systems for data exfiltration. The victims of Havex were mainly from the US and Europe and belonged to a specific subset of industries - energy, aviation, pharmaceutical, defense and petrochemical sectors.
Once deployed on the targeted system, Havex scans the victim's industrial network by abusing the OPC (Open Platform Communications) protocol to map it out. Note that the OPC scanning module of Havex only works against the older DCOM-based (Distributed Component Object Model) OPC standard. The threat collects all of the information it is programmed to exfiltrate and sends it to the hackers' Command-and-Control (C2, C&C) infrastructure, which was hosted on compromised websites. Havex can also perform the functions of a typical backdoor, such as delivering additional malware payloads; it was observed to drop the more potent info-collector Karagany, which is capable of stealing credentials, taking screenshots and transferring files.
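As an added example (not from the page or from the Havex analyses it summarises): a defender-side heuristic that flags a host fanning out DCOM endpoint-mapper connections (TCP/135, which classic DCOM-based OPC relies on) to many hosts within a short window, run over constructed flow records. The addresses, timestamps and thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

DCOM_EPM_PORT = 135  # RPC endpoint mapper used by classic (DCOM-based) OPC

# Constructed sample flow records (not from the page): "timestamp src dst dport".
# 10.0.5.20 fans out DCOM connections to six OPC hosts in under a minute;
# 10.0.5.21 is an HMI talking to its single OPC server and a file share.
SAMPLE_FLOWS = """\
2024-03-01T09:00:01 10.0.5.20 10.0.9.11 135
2024-03-01T09:00:04 10.0.5.20 10.0.9.12 135
2024-03-01T09:00:07 10.0.5.20 10.0.9.13 135
2024-03-01T09:00:09 10.0.5.20 10.0.9.14 135
2024-03-01T09:00:15 10.0.5.20 10.0.9.15 135
2024-03-01T09:00:20 10.0.5.20 10.0.9.16 135
2024-03-01T09:00:05 10.0.5.21 10.0.9.11 135
2024-03-01T09:00:06 10.0.5.21 10.0.9.11 135
2024-03-01T09:10:00 10.0.5.21 10.0.7.2 445
"""

def parse_flows(text):
    """Parse one flow per line into (timestamp, src, dst, dport) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return flows

def find_dcom_fanout(flows, min_targets=5, window=timedelta(minutes=5)):
    """Return {src: sorted targets} for sources that contact at least
    min_targets distinct hosts on the DCOM endpoint-mapper port within
    any window-long interval (the fan-out an OPC enumeration produces)."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport == DCOM_EPM_PORT:
            by_src[src].append((ts, dst))
    suspicious = {}
    for src, conns in by_src.items():
        conns.sort()  # chronological, so conns[i:] is the window start at i
        for i, (start, _) in enumerate(conns):
            targets = {dst for ts, dst in conns[i:] if ts - start <= window}
            if len(targets) >= min_targets:
                suspicious[src] = sorted(targets)
                break
    return suspicious

if __name__ == "__main__":
    for src, targets in find_dcom_fanout(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{src} contacted {len(targets)} DCOM hosts: {targets}")
```

Tune `min_targets` and `window` to the baseline of the OT segment; a legitimate OPC client normally talks to one or a few servers, so a single host touching many TCP/135 endpoints is worth an alert.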
Legitimate Sites Hacked to Distribute Havex
Multiple attack vectors were involved in the campaign that distributed Havex. The hackers sent spear-phishing emails carrying weaponized attachments, but they also compromised legitimate websites and abused them in two ways. First, they could force these vendor websites to redirect unsuspecting visitors to corrupted pages that deliver Havex. The second tactic was far more sinister: the hackers injected Havex into the legitimate software offered for download on the compromised vendor websites. This method bypasses certain anti-malware measures because the users explicitly authorize the download, believing they are getting the genuine application they wanted. Among the compromised vendors were MESA Imaging, eWON/Talk2M and MB Connect Line.