F-Secure researchers have, for a while now, been monitoring the spread of the Havex malware family and have been trying to determine who the attackers wielding it are.
Initially spotted in 2013, the group’s attacks were directed towards the energy sector, but now they have turned their attention to Industrial Control Systems (ICS).
Havex – a relatively generic Remote Access Trojan (RAT) – gets delivered to victims via spam emails and exploit kits, but to maximize the likelihood that the right people would get infected, the attackers have also poisoned a few online watering holes.
The websites in question belong to three ICS vendors based in Germany, Switzerland and Belgium. “Two of them are suppliers of remote management software for ICS systems and the third develops high-precision industrial cameras and related software,” shared Daavid Hentunen, senior researcher at F-Secure.
The attackers compromised the websites by exploiting vulnerabilities in the software used to run them, and replaced the legitimate software installers offered for download to customers with trojanized versions that include the Havex RAT.
“The trojanized software installer will drop and execute [Havex] as a part of the normal installation. The user is left with a working system, but the attacker now has a backdoor to access and control the computer,” Hentunen explained.
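As an added example (not from the article, nor F-Secure's or any vendor's code), one defensive check against the installer swap described above: compare a downloaded installer's SHA-256 against a vendor-published hash obtained through an independent channel. The file names, installer bytes and manifest below are constructed.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path


def sha256_of(path):
    """Hash a file in chunks so large installers do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_installer(path, manifest):
    """Return 'ok', 'mismatch' or 'unlisted' for the installer at `path`.

    `manifest` maps installer file name -> vendor-published SHA-256. It must
    come from a channel the download site does not control (a signed release
    note, an offline copy); a compromised site can serve a matching fake hash.
    """
    expected = manifest.get(Path(path).name)
    if expected is None:
        return "unlisted"
    if hmac.compare_digest(sha256_of(path), expected.lower()):
        return "ok"
    return "mismatch"


def demo():
    """Constructed scenario: a genuine installer and a copy with a stub appended."""
    genuine = b"MZ constructed installer payload\n"
    trojanized = genuine + b"constructed extra dropped component\n"
    manifest = {"setup.exe": hashlib.sha256(genuine).hexdigest()}
    with tempfile.TemporaryDirectory() as d:
        vendor, watering_hole = Path(d) / "vendor", Path(d) / "watering_hole"
        vendor.mkdir()
        watering_hole.mkdir()
        (vendor / "setup.exe").write_bytes(genuine)
        (watering_hole / "setup.exe").write_bytes(trojanized)
        return (
            verify_installer(vendor / "setup.exe", manifest),
            verify_installer(watering_hole / "setup.exe", manifest),
            verify_installer(watering_hole / "other.exe", manifest),
        )


if __name__ == "__main__":
    print(demo())  # ('ok', 'mismatch', 'unlisted')
```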
F-Secure researchers have so far analyzed 88 variants of the malware, and have discovered that it can also download and execute additional malicious components, one of which is designed to exfiltrate data about the local network and the ICS/SCADA hardware connected to it.
The researchers have discovered some 146 C&C servers directing the behavior of the malware, and these servers are usually compromised websites.
“The group doesn’t always manage the C&C’s in a professional manner, revealing lack of experience in operations. We managed to monitor infected computers connecting to the servers and identify victims from several industry sectors,” he noted.
“The majority of the victims are located in Europe, though at the time of writing at least one company in California was also observed sending data to the C&C servers. Of the European-based organizations, two are major educational institutions in France that are known for technology-related research; two are German industrial application or machine producers; one is a French industrial machine producer; and one is a Russian construction company that appears to specialize in structural engineering.”