A 64-bit version of Havex, a remote access tool (RAT) used in cyber espionage campaigns aimed at industrial control systems (ICS), is now on the loose.
While researchers just found the 64-bit Havex, it has been around for quite some time, said Trend Micro officials.
In the campaign known as Dragonfly (Energetic Bear/Crouching Yeti), bad guys appeared to be using a 32-bit version of Havex since most of the systems they targeted ran the outdated Windows XP operating system. However, researchers at Trend Micro just found two Windows 7 infections that used a 64-bit version.
One of the files observed in the infection is TMPpovider023.dll (BKDR64_HAVEX.A), a component responsible for command and control (C&C) server instructions for downloading files and executing commands.
The “23” in the file name represents the version of Havex. The file in question initially compiled in October 2012 and ended up designed to run on 64-bit operating systems. In version 29 of the malware, the 64-bit file upgraded to a 32-bit Havex, experts said.
“The compile time of TMPprovider023.dll (v023) is earlier than any of the three other files, indicating that the 64-bit file pre-dates the other 32-bit files in this infection. In fact, standalone execution of the 32-bit module results to a file called TMPprovider029.dll, which definitely is v029 of the HAVEX RAT,” Trend Micro said in a blog post.
Versions 23 and 29 of Havex appear to use the same infrastructure since they both communicate with the same C&C server. Researchers said there are currently four IP addresses communicating with the C&C server.
In one of the infections spotted by Trend Micro, some of the malicious files, detected as BKDR_HAVEX.SM, ended up signed with a digital certificate in an effort to make them look like legitimate software. It looked as though IBM signed the digital certificate, but it ended up self-signed by the malware authors.
“While the HAVEX RAT has gone through several iterations — used in campaigns with ICS/SCADA and even pharmaceutical targets, nothing prevents it from being used again and again,” Trend Micro said. “ICS operators have to take note that the structure of the HAVEX binaries resemble much of what we see in common Windows malware — more so now that we’ve seen Windows 7 64-bit infections. It is thereby important to validate software being installed on endpoints within the environment, and to frequently monitor HTTP traffic.”
According to Germany’s Federal Office for Information Security (BSI), several German companies have been a target of the cyber espionage operation.