During the past year, F-Secure has been keeping a close eye on the Havex malware family and the group behind it. Havex is known to be used in targeted attacks against several industry sectors, and it has shown a particular interest in the energy sector.
The main components of Havex are a general purpose Remote Access Trojan (RAT) and a server written in PHP.
During the spring of 2014, F-Secure noticed that Havex took a specific interest in Industrial Control Systems (ICS) and that the group behind it uses an innovative trojan horse approach to compromise victims. The attackers trojanized software available for download from ICS manufacturer websites in an attempt to infect computers connected to ICS environments.
F-Secure’s research uncovered three software vendor sites that were compromised in this manner. The software installers available on the sites were trojanized to include the Havex RAT. Based on the content of their websites, all three companies develop applications and appliances for industrial use. These organisations are based in Germany, Switzerland and Belgium. Two of them supply remote management software for ICS systems and the third develops cameras and related software.
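The defensive counterpart to the trojanized-installer technique described above is integrity verification of what was downloaded before it is executed. The following Python is an added example, not code from F-Secure or from any of the affected vendors: it parses a vendor checksum manifest in the common `sha256sum` format and checks a downloaded installer against it. The installer bytes, the manifest and the filename `setup-v1.0.exe` are all constructed here for illustration.

```python
import hashlib
import hmac

# Constructed sample standing in for a vendor installer download (not a real file).
CLEAN_INSTALLER = b"MZ\x90\x00" + b"vendor setup program v1.0" * 4

# Constructed tampered copy: the same file with extra bytes appended, standing in
# for an installer that has had a RAT bundled into it.
TROJANIZED_INSTALLER = CLEAN_INSTALLER + b"<appended payload stand-in>"


def sha256_hex(data: bytes) -> str:
    """Hex-encoded SHA-256 digest of a byte string."""
    return hashlib.sha256(data).hexdigest()


# Constructed manifest in 'sha256sum' format (two spaces between digest and name),
# built from the clean installer so the example is self-contained.
VENDOR_MANIFEST = f"{sha256_hex(CLEAN_INSTALLER)}  setup-v1.0.exe\n"


def parse_manifest(text: str) -> dict[str, str]:
    """Parse '<hexdigest>  <filename>' lines into {filename: hexdigest}.

    Blank lines and '#' comments are skipped; a leading '*' on the filename
    (binary-mode marker in sha256sum output) is stripped.
    """
    entries: dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        if len(digest) != 64 or not name:
            raise ValueError(f"malformed manifest line: {line!r}")
        entries[name.lstrip("*")] = digest.lower()
    return entries


def verify_installer(name: str, data: bytes, manifest: dict[str, str]) -> bool:
    """Return True only if the file is listed and its SHA-256 matches.

    A file missing from the manifest is treated as a failure, not as unknown:
    an unverifiable installer should not be run on a host that reaches the ICS network.
    """
    expected = manifest.get(name)
    if expected is None:
        return False
    # Constant-time comparison avoids leaking how many leading hex characters matched.
    return hmac.compare_digest(sha256_hex(data), expected)


if __name__ == "__main__":
    manifest = parse_manifest(VENDOR_MANIFEST)
    print("clean installer verifies:", verify_installer("setup-v1.0.exe", CLEAN_INSTALLER, manifest))
    print("trojanized installer verifies:", verify_installer("setup-v1.0.exe", TROJANIZED_INSTALLER, manifest))
```

The check only helps if the manifest is obtained through a channel the attacker does not control; when both the installer and its checksum file sit on the same compromised download page, the attacker can replace both. In that situation a code-signing check against the vendor's certificate, or a hash published out of band (for example in a release e-mail or a separate vendor portal), is the stronger control.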
F-Secure gathered and analyzed 88 variants of the Havex RAT used to gain access to, and harvest data from, networks and machines of interest. This analysis included investigation of 146 command and control (C&C) servers contacted by the variants, which in turn involved tracing around 1500 IP addresses in an attempt to identify victims.
The attackers use compromised websites, mainly blogs, as C&C servers.
An additional component used by the attackers includes code that harvests data from infected machines used in Industrial Control Systems. This indicates that the attackers are not only interested in compromising the networks of the companies they target, but are also motivated to gain control of the ICS systems in those organizations.