Security researchers have uncovered a new Stuxnet like malware, named as "Havex", which was used in a number of previous cyber attacks against organizations in the energy sector.
Just like Famous Stuxnet Worm, which was specially designed to sabotage the Iranian nuclear project, the new trojan Havex is also programmed to infect industrial control system softwares of SCADA and ICS systems, with the capability to possibly disable hydroelectric dams, overload nuclear power plants, and even can shut down a country's power grid with a single keystroke.
According to security firm F-Secure who first discovered it as Backdoor:W32/Havex.A., it is a generic remote access Trojan (RAT) and has recently been used to carry out industrial espionage against a number of companies in Europe that use or develop industrial applications and machines.
SMARTY PANTS, TROJANIZED INSTALLERS
To accomplish this, besides traditional infection methods such as exploit kits and spam emails, cybercriminals also used an another effective method to spread Havex RAT, i.e. hacking the websites of software companies and waiting for the targets to install trojanized versions of legitimate apps.
During installation, the trojanized software setup drops a file called "mbcheck.dll", which is actually Havex malware, that attackers are using as a backdoor. "The C&C server will [then] instruct infected computers to download and execute further components,"
"We gathered and analyzed 88 variants of the Havex RAT used to gain access to, and harvest data from, networks and machines of interest. This analysis included investigation of 146 command and control (C&C) servers contacted by the variants, which in turn involved tracing around 1500 IP addresses in an attempt to identify victims." F-Secure said.
F-secure didn't mention the names of the affected vendors, but an industrial machine producer and two educational organizations in France, with companies in Germany were targeted.
INFORMATION GATHERING
Havex RAT is equipped with a new component, whose purpose is to gather network and connected devices information by leveraging the OPC (Open Platform Communications) standard.
OPC is a communications standard that allows interaction between Windows-based SCADA applications and process control hardware. The malware scans the local network for the devices that respond to OPC requests to gather information about industrial control devices and then sends that information back to its command-and-control (C&C) server.
Other than this, it also include information-harvesting tools that gather data from the infected systems, such as:
- Operating system related information
- A Credential-harvesting tool that stole passwords stored on open web browsers
- A component that communicates to different Command-&-Control servers using custom protocols and execute tertiary payloads in memory.
"So far, we have not seen any payloads that attempt to control the connected hardware." F-secure confirmed.
MOTIVATION?
While their motivation is unclear at this point, "We also identified an additional component used by the attackers that includes code to harvest data from infected machines used in ICS/SCADA systems. This indicates that the attackers are not just interested in compromising the networks of companies they are interested in, but are also motivated in having control of the ICS/SCADA systems in those organizations." F-Secure noticed.
HAVEX TROJAN FROM RUSSIANS ?
In January this year, Cybersecurity firm CrowdStrike revealed about a cyber espionage campaign, dubbed "Energetic Bear," where hackers possibly tied to Russian Federation penetrating the computer networks of energy companies in Europe, the United States and Asia.
According to CrowdStrike, the Malwares used in those cyber attacks were HAVEX RAT and SYSMain RAT, and possibly HAVEX RAT is itself a newer version of the SYSMain RAT, and both tools have been operated by the attackers since at least 2011.
That means, It is possible that Havex RAT could be somehow linked to Russian hackers or state-sponsored by Russian Government.