"Threat actors have leveraged Havex in attacks across the energy sector for over a year, but the full extent of industries and ICS systems affected by Havex is unknown," wrote the researchers from FireEye in a blog post. "We decided to examine the OPC scanning component of Havex more closely, to better understand what happens when it's executed and the possible implications."
"The scanner builds a list of all servers that are globally accessible through Windows networking," researchers wrote. "The list of servers is then checked to determine if any of them host an interface to the Component Object Models (COM)."
"This is the first "in the wild" sample using OPC scanning. It is possible that these attackers could have used this malware as a testing ground for future utilization, however," researchers wrote.