The HAVEX malware is not new, but it has targeted the energy sector since at least August 2012. Originally, HAVEX was distributed via spam email or spear-phishing attacks.45 This new version of HAVEX appears to have been designed as a Trojan horse specifically to infiltrate and modify "legitimate" software from ICS and SCADA suppliers, adding an instruction to run code (i.e., the "mbcheck.dll" file) containing the HAVEX malware.46
In the instance discovered, HAVEX malware was used as a remote access tool (RAT) to extract data from Outlook address books and ICS-related software files used for remote access from the infected computer to other industrial servers.47 The cyberattack leaves the company's system in what appears to be a normal operating condition, but the attacker now has a backdoor to access and possibly control the company's ICS or SCADA operations.
- Email Campaign: Executives and senior employees were targeted with malicious PDF attachments in February-June 2013.
- Watering Hole Attack: Websites likely to be visited by people working in the energy sector were infected such that they redirected the site visitor to another compromised legitimate website hosting an exploit kit. The exploit kit then installs the RAT. This method of distribution began in June 2013.
- Software Downloaded from ICS-Related Vendors: At least three ICS vendors' software downloads were hacked so that they included the RAT malware.48
HAVEX is also called “Backdoor.Oldrea” (or the “Energetic Bear RAT”), as it contains the malware known as “Kragany” or “Trojan.Kragany.” HAVEX is a product of the Dragonfly group (aka Energetic Bear), which appears to be a “state-sponsored”49 undertaking focused on espionage with sabotage as a “definite secondary capability.”50 The malware allows attackers to upload and download files from the infected computer and run executable files. It was also reported to be capable of collecting passwords, taking screenshots and cataloguing documents.51