
Havex Deep Dive (English)

Corey Thuen of Digital Bond Labs describes in technical detail how Havex/Dragonfly enumerated OPC servers.

Havex is the second ICS malware ever seen in the wild.


  1. Havex: A Deep Dive
     Corey Thuen, Digital Bond Labs
  2. Havex Overview
  3. What is Havex?
     • Crouching Yeti / Energetic Bear APT campaign
     • Unknown origin
     • Targets Industrial Control Systems
  4. Havex Delivery
     • Trojanized software installers
     • Spear-phishing attacks
     • Watering-hole attacks
     • No 0-day exploits
  5. Havex Analysis
     • Analysis was conducted against the Havex Remote Access Trojan (RAT) that appeared as a trojanized installer for mbconnect
     • Analysis of Command & Control traffic requests
     • Analysis of downloadable modules
  6. Havex Analysis - Command and Control Traffic
  7. Havex Analysis - Command and Control Server Analysis
     • C2 server not secured
     • Directory browsing possible
     • Fun but not our focus today
  8. OPC Module Deep Dive
  9. What is OPC?
     • Common bridge for process control systems
     • Uses Microsoft COM/DCOM
     • Standard maintained by the OPC Foundation consortium
  10. Analysis Environment
     Challenges with ICS malware environments:
     • ICS equipment may not be virtualizable
     • Debugging and monitoring may be difficult
  11. OPC Environment
     • Win2k8 - Matrikon OPC Simulator Server
     • WinXP SP3 - Malware execution
     • Win2k8 - Domain controller (to make DCOM easier)
  12. OPC Environment
  13. OPC Module Analysis
  14. OPC Module Analysis - Sample
     • SHA-256: 6aca45bb78452cd78386b8fa78dbdf2dda7fba6cc06482251e2a6820849c9e82
     • MD5: 6bfc42f7cb1364ef0bfd749776ac6d38
  15. Dynamic Analysis
     • Regshot
     • Sysinternals - Procmon
     • DNS & Network Monitor
     • VMware + snapshots
  16. Dynamic Analysis - Regshot
  17. Dynamic Analysis - Procmon
  18. Static Analysis
     • Strings
     • CFF Explorer
     • IDA Pro
     • Resource section analysis
  19. Static Analysis - Strings
  20. Static Analysis - CFF Explorer
  21. Static Analysis - IDA
  22. Static Analysis - Resource Section Decryption & Analysis
  23. OPC Module Code Flow
  24. Code Flow - Decrypt Config File
  25. Code Flow - Create tmp files
  26. Code Flow - Create run log
  27. Code Flow - Find Systems with DCOM
  28. Code Flow - Find Systems with DCOM
     • OPC uses DCOM for communication
     • DCOM supports enumeration of connected systems
     • Step 1 when wanting OPC data is to find available OPC servers
  29. Code Flow - Enumerate OPC Servers
  30. Code Flow - Enumerate OPC Servers
     • OPC servers have "tags" that are data points, controls, etc.
     • OPC tag information is valuable to attackers
     • Havex uses DCOM to get the list of tags on each OPC server to which it can connect
  31. Code Flow - OPC Output Log
  32. Code Flow - Pack it up for Havex RAT
  33. Summary
     1. Havex infects system
     2. RAT downloads modules from C2 servers
     3. OPC module scans for local OPC servers, including tag lists
     4. OPC information is packaged up and sent to C2
  34. Conclusions
     • Havex is not attempting to hide
     • No new vulnerabilities or 0-days are used
     • OPC information is collected and delivered to C2
     • No control is attempted
     These modules are reconnaissance. For whom? For what purpose? Is there a specific target desired?
  35. Questions?
     Corey Thuen, thuen@digitalbond.com, @CoreyThuen on Twitter, plus.google.com/+CoreyThuen
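The enumeration sequence in slides 28-30 and 33 (find DCOM-capable hosts, then enumerate each reachable OPC server and read its tag list) leaves a network pattern a defender can look for: a single host contacting the RPC endpoint mapper (TCP 135, which DCOM activation goes through) on many plant hosts in a short time, something a normal OPC client, which talks to a few configured servers, does not do. The Python below is an added example and is not code from the slides or from Digital Bond. The flow-record format, the addresses and the thresholds (5 distinct hosts within 2 minutes) are constructed for the example and would be tuned against the site's own baseline of OPC client/server pairs.

```python
"""Flag hosts sweeping the RPC endpoint mapper (TCP 135) across many systems,
the network footprint of a DCOM/OPC server enumeration like the Havex module's.

Added example. The flow format (timestamp src dst dport) is constructed here;
map real firewall, NetFlow or Zeek conn records onto it before use.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RPC_EPM_PORT = 135  # DCOM object activation is brokered by the RPC endpoint mapper

# Constructed sample: 10.0.5.10 is a workstation talking to domain controllers,
# 10.0.5.23 sweeps eight hosts in a few seconds and then reaches a DCOM dynamic
# port on the first OPC server it found.
SAMPLE_FLOWS = """\
2014-06-10T09:00:00 10.0.5.10 10.0.5.2 135
2014-06-10T09:00:00 10.0.5.10 10.0.5.2 445
2014-06-10T09:00:05 10.0.5.23 10.0.5.40 135
2014-06-10T09:00:06 10.0.5.23 10.0.5.41 135
2014-06-10T09:00:07 10.0.5.23 10.0.5.42 135
2014-06-10T09:00:08 10.0.5.23 10.0.5.43 135
2014-06-10T09:00:09 10.0.5.23 10.0.5.44 135
2014-06-10T09:00:10 10.0.5.23 10.0.5.45 135
2014-06-10T09:00:11 10.0.5.23 10.0.5.46 135
2014-06-10T09:00:12 10.0.5.23 10.0.5.47 135
2014-06-10T09:00:13 10.0.5.23 10.0.5.40 49155
2014-06-10T09:30:00 10.0.5.10 10.0.5.2 135
2014-06-10T10:15:00 10.0.5.10 10.0.5.3 135
"""


def parse_flows(text):
    """Parse whitespace-separated flow lines into (timestamp, src, dst, dport)."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, port = line.split()
        rows.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return rows


def find_dcom_sweeps(flows, min_hosts=5, window=timedelta(minutes=2)):
    """Return {src: sorted destinations} for every source that contacted TCP 135
    on at least `min_hosts` distinct destinations inside some `window` interval.

    Only the port-135 contacts are considered; the destinations reported are the
    union of all qualifying windows, so the full sweep range is visible.
    """
    by_src = defaultdict(list)
    for ts, src, dst, port in flows:
        if port == RPC_EPM_PORT:
            by_src[src].append((ts, dst))

    hits = defaultdict(set)
    for src, events in by_src.items():
        events.sort()  # time-ordered so a two-pointer sliding window works
        left = 0
        for right in range(len(events)):
            while events[right][0] - events[left][0] > window:
                left += 1
            distinct = {dst for _, dst in events[left:right + 1]}
            if len(distinct) >= min_hosts:
                hits[src] |= distinct
    return {src: sorted(dsts) for src, dsts in hits.items()}


if __name__ == "__main__":
    for src, dsts in find_dcom_sweeps(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{src} swept TCP 135 on {len(dsts)} hosts: {dsts[0]} .. {dsts[-1]}")
```

Legitimate OPC clients, HMIs and monitoring tools also open TCP 135 to the servers they are configured for, so the practical form of this check whitelists known client/server pairs before counting. Because the module also reads the tag list of every server it reaches, a burst of browse requests in the OPC servers' own logs from an unexpected client corroborates a hit from the flow data.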
