Havex: Interesting in a Different Way


Lots of news recently about a resurgence of the Havex malware. Here's why (and why you should care).

‘Old’ Attack Vectors

There are a number of tried and true ways to get malware onto a target system; the most common is via email. The attacker sends an email to the target with a file attached and hopes the target opens that attachment. There are a few catches to this:

[Figure: Email Attachment]

  1. The attacker has to hope the target environment doesn't block the attachment
  2. Because of point 1, the attacker has to use malware embedded in a common file format, such as PDF/DOC/XLS
  3. Reliability of the malware drops as a result of point 2

[Figure: Attacker Used Spam! It's Not Very Effective]

An alternative to plain attachment vectors is to insert a web link that sends the target to a malware-infested domain. A bit more sophisticated: this domain can now collect browser/system information and craft the malware page accordingly. The attacker still has to rely on the target to:

[Figure: Link to Malware Site]

  1. Receive the email
  2. Recognize it's not spam
  3. Click the link
  4. Interact with popups/alert boxes in order to install the malware

But here is where the new Havex takes it up a notch: the watering-hole vector.

‘New’ Attack Vector

Here the attacker does some reconnaissance on the target environment. Say you want to infect a US electric utility and gain intelligence on, or control of, the SCADA network. Fire up Google and search that utility for:
  1. Recent press releases to determine which vendors the SCADA system uses
  2. The utility's social media (Instagram, Facebook, Twitter, etc.) to see equipment images
  3. The utility's state Public Utilities Commission (or similar) filings for past/current projects, which often include vendor/equipment data
Once an applicable set of vendors is determined, the attacker selects a vendor target. Using traditional web hacking methods, the attacker then replaces authentic firmware, patches and management software files with similar versions containing the malware.
[Figure: Spot the Malware]

The target then goes to their vendor's support site (or any other trusted site) to download the file. Confidence is high because of the trusted source, and the target installs the program without hesitation. This method is a bit slower if not prompted, but an easy addition to the attacker's arsenal would be to send a crafted email to the target (a notification/alert) announcing a new patch/firmware for their system. No links or attachments are necessary (remember, we've been training users for years now not to trust email), so the target goes to target_vendor.com on their own, where the attacker's malware sits waiting.

It would stand to reason that the larger the vendor, the harder it is to compromise the support site. In the Havex example, a group of 3-5 small control systems vendors were compromised. Speculation is that the new incident was merely a test run for larger operations, but time will tell.
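The defensive counter to "trusted source, install without hesitation" is to stop trusting the download channel by itself and verify every file against integrity data that arrives some other way. The example below is added here and is not code from the original post or from any Havex analysis: it parses a sha256sum-style manifest (the kind a vendor could publish in a signed email or on a separate channel) and checks a set of downloaded files against it, flagging a swapped firmware image. The file names, firmware bytes and manifest are constructed for the example; the "trojanized" copy simply differs from the authentic one by a couple of trailing bytes.

```python
import hashlib
import hmac
import re
from typing import Dict

# Constructed sample files standing in for a vendor's firmware download and
# the release-notes file next to it.  The "trojanized" copy differs from the
# authentic one by two trailing bytes, which is all a watering-hole swap needs
# to defeat a by-eye comparison of file name and size.
AUTHENTIC_FIRMWARE = b"RTU-FW v2.1\x00" + bytes(range(64))
TROJANIZED_FIRMWARE = b"RTU-FW v2.1\x00" + bytes(range(64)) + b"\x90\x90"
RELEASE_NOTES = b"v2.1: fixes modbus timeout handling\n"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Hypothetical out-of-band manifest in sha256sum output format.  Built here
# from the authentic bytes so the example is self-contained; in practice it
# must come from a channel other than the download site itself.
MANIFEST = (
    f"{sha256_hex(AUTHENTIC_FIRMWARE)}  rtu-fw-2.1.bin\n"
    f"{sha256_hex(RELEASE_NOTES)}  release-notes.txt\n"
)

# <64 hex chars> <whitespace> [*]<filename>; the '*' is sha256sum's binary-mode marker.
_MANIFEST_LINE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(\S.*)$")


def parse_manifest(text: str) -> Dict[str, str]:
    """Parse sha256sum-style lines into {filename: expected_hex}."""
    expected: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _MANIFEST_LINE.match(line)
        if not m:
            raise ValueError(f"manifest line {lineno} is malformed: {line!r}")
        expected[m.group(2)] = m.group(1).lower()
    return expected


def verify_downloads(manifest_text: str, downloads: Dict[str, bytes]) -> Dict[str, str]:
    """Compare each downloaded file against the manifest.

    Returns {filename: "ok" | "MISMATCH" | "not-in-manifest" | "missing"}.
    A file the manifest does not list is as suspicious as a hash mismatch:
    an attacker who controls the support site can add downloads as easily
    as replace them.
    """
    expected = parse_manifest(manifest_text)
    report: Dict[str, str] = {}
    for name, data in downloads.items():
        if name not in expected:
            report[name] = "not-in-manifest"
        elif hmac.compare_digest(sha256_hex(data), expected[name]):
            report[name] = "ok"
        else:
            report[name] = "MISMATCH"
    for name in expected:
        if name not in downloads:
            report[name] = "missing"
    return report


def safe_to_install(report: Dict[str, str]) -> bool:
    """Only an all-"ok" report should let installation proceed."""
    return bool(report) and all(status == "ok" for status in report.values())


if __name__ == "__main__":
    clean = verify_downloads(
        MANIFEST, {"rtu-fw-2.1.bin": AUTHENTIC_FIRMWARE, "release-notes.txt": RELEASE_NOTES}
    )
    swapped = verify_downloads(
        MANIFEST, {"rtu-fw-2.1.bin": TROJANIZED_FIRMWARE, "release-notes.txt": RELEASE_NOTES}
    )
    print("clean download:  ", clean, "-> install:", safe_to_install(clean))
    print("swapped firmware:", swapped, "-> install:", safe_to_install(swapped))
```

The important design point is where the manifest comes from. A checksum posted on the same support page as the download gives no protection in the scenario the post describes, because whoever replaced the firmware can replace the hash beside it; the manifest has to reach you through a channel the attacker does not control (a signed release announcement, a vendor contact, a second site), and ideally the vendor signs the files themselves so the check does not depend on a hash at all.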
More importantly, the new Havex malware (and all the fancy names given to it: Dragonfly, Energetic Bear, etc.) brings some key takeaways to the forefront:
  1. Control systems are targets
  2. Attackers are willing to update malware
  3. Attackers are using more sophisticated/complex vectors in order to maximize their potential
More details about Havex coming soon.