The remote access tool (RAT) HAVEX became the focus of the security industry after it was discovered to have played a major role in a campaign targeting industrial control systems (ICS). While observing detections of HAVEX (the RAT used by the group known to different vendors as Dragonfly, Energetic Bear, and Crouching Yeti), we noticed something interesting.

The Dragonfly campaign was previously believed to use only 32-bit HAVEX builds, on the assumption that most mission-critical systems would be running Windows XP (which has since reached end of support) and would therefore be 32-bit. In contrast, we came across two interesting infections running on Windows 7 systems.

First 64-bit HAVEX Sighting

Based on our analysis (seen in the chain below), a file called TMPprovider023.dll, detected as BKDR64_HAVEX.A, was found which creates several files in the file system. It should be noted that TMPprovider0<2-digit version number>.dll is a known indicator of HAVEX: it is the component that interacts with the command-and-control (C&C) servers to download further components or receive execution commands.

Figure 1. File installation chain

This is interesting because we’re seeing three indicators of BKDR_HAVEX:

The file TMPProvider023.dll, as indicated above, with the number indicating the version of this HAVEX RAT (v023)

A dropped file named 34CD.tmp.dll, detected as BKDR_HAVEX.SM. At the time of observation this file was being repeatedly detected and quarantined by the installed Trend Micro product (see Figure 2). It was later determined to be version 29 (v029) of HAVEX.

C&C communication to and from the host



Figure 2. The dropped file detected as BKDR_HAVEX.SM

A Closer Look at the First 64-bit HAVEX Sighting

To better understand how these two files (TMPProvider023.dll and 34CD.tmp.dll) work, we needed to determine which other files were related to the infection chain. In doing so, we noticed two other dropped files.

The first file, 734.tmp.dll, detected as BKDR_HAVEX.C, is responsible for creating the registry key and value that the "main" HAVEX file queries:

HKCU\Software\Microsoft\Internet Explorer\InternetRegistry\Options b = <data>

Compared to newer HAVEX versions (version 038 and later), this version required a separate loader, as seen below.



Figure 3. The dropped file 734.tmp.dll

The second file, 4F2.tmp.dll, also detected as BKDR_HAVEX.C, proved to be more interesting. Since there were technically two versions of the HAVEX RAT residing on one machine, the question is whether v029 is "backward compatible" with v023.

4F2.tmp.dll purges the following files and registry key from the system:

Files:
%TEMP%\*.yls
%TEMP%\*.xmd
%TEMP%\qln.dbx

Registry key:
HKCU\Software\Microsoft\Internet Explorer\InternetRegistry\Options



Figure 4. Pseudo code representing the deletion of files (top) and registry key (bottom)

We can therefore see how the 64-bit v023 RAT was upgraded in place to the 32-bit v029 HAVEX RAT: the cleaner removes the earlier version's working files and registry key, and the new main component takes over. This brings us to four files that appear to be interrelated in one single infection, as seen below:

File name                  SHA1                                      Compile Date  Architecture
%TEMP%\TMPprovider023.dll  997C0EDC9E8E67FA0C0BC88D6FDEA512DD8F7277  2012-10-03    AMD64
%TEMP%\34CD.tmp.dll        CF5755D167077C1F8DEEDDEAFEBEA0982BEED718  2013-04-30    I386
%TEMP%\734.tmp.dll         BFDDB455643675B1943D4E33805D6FD6884D592F  2013-08-16    I386
%TEMP%\4F2.tmp.dll         8B634C47087CF3F268AB7EBFB6F7FBCFE77D1007  2013-06-27    I386

The compile time of TMPprovider023.dll (v023) is earlier than that of the three other files, indicating that the 64-bit file pre-dates the 32-bit files in this infection. PE compile timestamps are under the author's control and can be forged, but here they are consistent with the version numbering. In fact, standalone execution of the 32-bit module results in a file called TMPprovider029.dll, which is definitely v029 of the HAVEX RAT.
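The following Python script is added here as an example and is not part of the original analysis. It turns the host-side indicators above (the TMPprovider0NN.dll naming, the %TEMP% working files that 4F2.tmp.dll purges, and the InternetRegistry key and values) into a triage routine over a %TEMP% listing and exported HKCU values. The sample listing, the registry values, and the helper names (havex_version, triage) are constructed for illustration; the "fertger" value it checks is the victim-ID entry described under Network Analysis below.

```python
import re
from fnmatch import fnmatchcase

# The HAVEX C&C component is named TMPprovider0NN.dll, where NN is the two-digit version number.
TMPPROVIDER_RE = re.compile(r"^TMPprovider0(\d{2})\.dll$", re.IGNORECASE)

# Working files in %TEMP% that the 4F2.tmp.dll cleaner purges before the upgrade.
WORK_FILE_PATTERNS = ("*.yls", "*.xmd", "qln.dbx")

# Registry indicators (all under HKCU): the key 734.tmp.dll creates for the loader data,
# and the value holding the randomly generated victim ID sent in the C&C query.
INTERNET_REGISTRY = r"Software\Microsoft\Internet Explorer\InternetRegistry"
REGISTRY_INDICATORS = {
    (INTERNET_REGISTRY + r"\Options", "b"): "loader data written by 734.tmp.dll",
    (INTERNET_REGISTRY, "fertger"): "victim ID used in the C&C query string",
}

# Constructed sample input (not from the original post): a %TEMP% listing and HKCU values
# in the form a host-collection script might export them.
SAMPLE_TEMP_FILES = ["TMPprovider023.dll", "34CD.tmp.dll", "734.tmp.dll", "4F2.tmp.dll",
                     "ab12.yls", "qln.dbx", "notes.txt"]
SAMPLE_REGISTRY = {
    r"HKCU\Software\Microsoft\Internet Explorer\InternetRegistry\Options": {"b": "00ff..."},
    r"HKCU\Software\Microsoft\Internet Explorer\InternetRegistry": {"fertger": "12345678901234567890"},
    r"HKCU\Software\Microsoft\Internet Explorer\Main": {"Start Page": "about:blank"},
}


def havex_version(filename):
    """Version number encoded in a TMPprovider0NN.dll name (23 for TMPprovider023.dll), or None."""
    m = TMPPROVIDER_RE.match(filename)
    return int(m.group(1)) if m else None


def _norm_key(path):
    """Strip the HKCU hive prefix and lower-case the path; registry paths are case-insensitive."""
    path = path.replace("/", "\\")
    for hive in ("HKEY_CURRENT_USER\\", "HKCU\\"):
        if path.upper().startswith(hive):
            path = path[len(hive):]
    return path.lower()


def triage(temp_files, registry):
    """Match a %TEMP% listing and exported HKCU values against the indicators above."""
    versions = sorted({v for v in map(havex_version, temp_files) if v is not None})
    work_files = [f for f in temp_files
                  if any(fnmatchcase(f.lower(), pat) for pat in WORK_FILE_PATTERNS)]
    wanted = {(_norm_key(key), value.lower()): why
              for (key, value), why in REGISTRY_INDICATORS.items()}
    registry_hits = []
    for key, values in registry.items():
        for name, data in values.items():
            why = wanted.get((_norm_key(key), name.lower()))
            if why:
                registry_hits.append({"key": key, "value": name, "data": data, "why": why})
    return {
        "rat_versions": versions,            # e.g. [23, 29] while an upgrade is in progress
        "multiple_versions": len(versions) > 1,
        "work_files": work_files,            # leftovers the cleaner would remove
        "registry_hits": registry_hits,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_TEMP_FILES, SAMPLE_REGISTRY)
    for item, value in report.items():
        print(f"{item}: {value}")
```

Two TMPprovider0NN.dll versions in the same %TEMP% directory, or the working files together with the Options key, are the picture this infection presented while the upgrade was in progress; a single TMPprovider0NN.dll with no leftovers is what a completed install looks like.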

Network Analysis

Two different HTTP POST requests were seen on the endpoint.

For the 32-bit "main" v029 HAVEX file, 34cd.tmp.dll, the command-and-control query string resembles:

hxxp://<C&C location>/path/to/php-script/php-script.php?id=<victim_ID>&v1=<HAVEX_version>&v2=<OS_version>&q=<command>

On the other hand, the query string for the 64-bit “main” v023 HAVEX file, TMPprovider023.dll, appears different:

hxxp://<C&C location>/path/to/php-script/php-script.php?id=[20 numeric characters][10 numeric characters][6 alphanumeric characters]-[2 numeric characters]-[3 digit number]-[9 numeric characters]

The last two fields ([3-digit number]-[9 numeric characters]) are always present in the string. The 3-digit number is most likely the version of the malware; the remaining nine digits possibly represent a campaign ID.

The ID is generated randomly and is written in the following registry entry:

HKCU\Software\Microsoft\Internet Explorer\InternetRegistry\fertger={malware ID}

In this particular infection, the v023 HAVEX file used the same command-and-control server as the v029 HAVEX file. This tells us that infrastructure could have been shared between HAVEX versions (at least between v023 and v029).
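As an added example (not from the original post), the following Python code applies the two query-string formats above to a few constructed proxy log lines and reports which HAVEX version each beacon belongs to; the C&C host, client addresses, victim IDs, and function names are made up for illustration. It keys on the shape of the query string rather than on the script path, since the path shown above is a placeholder, and it also reports hosts contacted by more than one version, which is the infrastructure sharing just described.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample proxy log (not from the original post): timestamp, client IP, method, URL.
SAMPLE_LOG = """\
2014-07-01T10:00:01Z 10.1.2.3 POST http://203.0.113.10/path/to/php-script/php-script.php?id=123456789012345678900987654321A1b2C3-07-023-000000001
2014-07-01T10:00:05Z 10.1.2.3 POST http://203.0.113.10/path/to/php-script/php-script.php?id=ab12cd34&v1=029&v2=6.1.7601&q=
2014-07-01T10:00:09Z 10.1.2.4 GET http://www.example.com/index.php?id=42&page=3
2014-07-01T10:00:12Z 10.1.2.5 POST http://www.example.com/login.php?id=42
"""

# id= layout used by the 64-bit v023 sample: 20 + 10 numeric characters, 6 alphanumeric,
# then -NN-VVV-CCCCCCCCC, where VVV is most likely the version and CCCCCCCCC possibly a campaign ID.
V023_ID_RE = re.compile(
    r"^\d{20}\d{10}[A-Za-z0-9]{6}-\d{2}-(?P<version>\d{3})-(?P<campaign>\d{9})$")


def classify_request(method, url):
    """Describe a HAVEX-style C&C request, or return None if the URL fits neither format."""
    if method.upper() != "POST":          # both observed beacons were HTTP POSTs
        return None
    parts = urlsplit(url)
    qs = parse_qs(parts.query, keep_blank_values=True)  # q= may be empty (no pending command)
    if len(qs.get("id", [])) != 1:
        return None
    victim_id = qs["id"][0]
    # v029 style: id=<victim_ID>&v1=<HAVEX_version>&v2=<OS_version>&q=<command>
    if all(k in qs for k in ("v1", "v2", "q")):
        return {"style": "v029-query", "host": parts.hostname, "victim_id": victim_id,
                "version": qs["v1"][0], "os": qs["v2"][0], "command": qs["q"][0]}
    # v023 style: everything is packed into the id value itself
    m = V023_ID_RE.match(victim_id)
    if m:
        return {"style": "v023-id", "host": parts.hostname, "victim_id": victim_id,
                "version": m.group("version"), "campaign": m.group("campaign")}
    return None


def scan_log(text):
    """Run classify_request over each log line; returns the matches with time and client added."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue
        timestamp, client, method, url = fields
        hit = classify_request(method, url)
        if hit:
            hit.update(time=timestamp, client=client)
            hits.append(hit)
    return hits


def shared_c2_hosts(hits):
    """C&C hosts contacted by more than one HAVEX version, as seen with v023 and v029 here."""
    by_host = {}
    for hit in hits:
        by_host.setdefault(hit["host"], set()).add(hit["version"])
    return {host: sorted(versions) for host, versions in by_host.items() if len(versions) > 1}


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for hit in found:
        print(hit)
    print("shared C&C hosts:", shared_c2_hosts(found))
```

The generic id=42 requests in the sample show why the v029 check requires all three of v1, v2 and q and the v023 check requires the full fixed-width id layout: an id parameter on its own is far too common in ordinary web traffic to be an indicator.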

So far we have seen at least four IP addresses communicating with this command-and-control server, two of which have exhibited the same behavior of upgrading the C&C module of the HAVEX RAT to a newer version.

Another Infection: HAVEX Binary Attempts to Appear Digitally Signed

In the second infection, a file named NSDS.dll was dropped in %APPDATA% and detected as BKDR_HAVEX.SM. This one carries a digital signature. Code signing of malware has increased in recent years, and malware authors often seek signing keys that make malicious files appear to be legitimate software.

This particular component was one of four files bearing a digital signature that mimics an IBM-signed file, even though the certificate is plainly self-signed:



Figure 5. Fake digital certificate “signed” by IBM

A properly signed file chains to a certificate issued by a trusted certificate authority that vouches for the signer; these files have no such chain, so Windows will not treat the signature as valid. A self-signed certificate on a binary is a red flag, not a trust anchor. While we are unable to determine which software package these files belonged to at this point in time, it is interesting that three other files bear a digital signature similar to the one seen above. All of these files are detected as BKDR_HAVEX.SM.

File hash (SHA1)                           File Size      Compile Date
*bb59cc5e0040ede227332e7da1942264cd75ec4c  133,152 bytes  2013-03-21
80caa936528ceefcb614ae175bda2a27609a5dd3   133,152 bytes  2013-04-08
49b109d94602195fe5705a9b5f7b5ddd59477015   133,152 bytes  2013-04-23
361c0a4f8213693e974b6ae55bf0ad16c74adf61   133,152 bytes  2013-06-11

* file spotted in the recent infection

The Reuse of Malware

While the HAVEX RAT has gone through several iterations, used in campaigns against ICS/SCADA and even pharmaceutical targets, nothing prevents it from being used again and again. ICS operators should note that the structure of the HAVEX binaries resembles much of what we see in common Windows malware, more so now that we have seen 64-bit Windows 7 infections. It is therefore important to validate software being installed on endpoints within the environment (including checking that any code signature chains to a trusted certificate authority rather than merely looking signed), and to monitor HTTP traffic for the C&C patterns described above.

Trend Micro blocks and detects all indicators above. You can read more about threats to the ICS environment in two Trend Micro research papers, “Who’s Really Attacking Your ICS Equipment?” and “The SCADA That Cried Wolf.”

With additional analysis from Abraham Camba.

Hashes of related files: