Havex Malware Analysis and Inside Malware C&C Server
In this article I'll analyze the recent Havex malware. You can read more about this malware here.
First of all I want to thank Kyle Wilhoit for providing me with all the samples of Havex malware.
Ok, let's start... As far as I've seen, all samples of this malware have a resource called ICT (in the SCADA module it is called TYU) which contains the encoded config file:
As there are several samples of this malware, for automation purposes I wrote a small Python script which decodes the Havex config file:
import sys
import bz2

# XOR key shared by the Havex samples ("1312312")
KEY = b"1312312"


def xorstr(data, key):
    """XOR every byte of data against the repeating key (same result as the
    original StringIO-based loop, written for Python 3 bytes)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


if len(sys.argv) != 2:
    print("Please provide Havex malware file as parameter")
    sys.exit(1)

# sys.argv[1] is the file name; the original passed the whole argv list
with open(sys.argv[1], mode='rb') as f:
    havex_data = f.read()

# The ICT/TYU resource holds a bzip2 stream; locate it by the bzip2 magic
# ("BZh9" followed by the block header "1AY&SY")
v_start = havex_data.index(b'BZh91AY')

# The original script also looked for an end marker (cut off on the page).
# The decompressor stops at the end-of-stream marker by itself, so the
# trailing bytes of the resource can simply be ignored.
decomp = bz2.BZ2Decompressor()
decompressed = decomp.decompress(havex_data[v_start:])
if not decomp.eof:
    sys.exit("bzip2 stream inside the resource is truncated")

# Decompress first, then XOR: the bzip2 layer is the outer one
config = xorstr(decompressed, KEY)
sys.stdout.write(config.decode('latin-1'))
As you can see, the 4th line of the config file has the "havex" string; now you know why it is called Havex.
This malware is written in C++ and compiled using Visual Studio 2008.
As I was investigating the config files, I found that only one C&C server related to Havex is still alive, which is:
Gigfa is an Iranian free hosting website; they are using this server as C&C. It seems the malware authors are not good at securing their own C&C servers, so I was able to see their files:
I downloaded all of their files; it seems their first activity on this server started at "22-Aug-2013 14:49" (possibly in Tehran time).
It seems they are still pretty active, as their last config file was updated 19 Aug 2014.
It seems they are also up to some automation in hacking; for example, one of the files on the server is called phpsystemREQUESTcmd.ans and contains a URL-encoded string. After decoding it, you'll get:
which simply runs anything passed to PHP as the "cmd" parameter on the server.
Another interesting point was the mta files. For example, there is a file called mta.f99617eafae946c4a82cd4940ac14e1b.php which was modified/uploaded just today ("19-Aug-2014 08:20"). This file is base64 encoded; after decoding it you get a bzip2 compressed file, and after decompressing that you get an encrypted file. I XORed it with the same key ("1312312") and got the BA8DA708B8784AFD36C44BB5F1F436BC malware sample.
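The three-layer unwrapping described above (base64, then bzip2, then XOR with "1312312") as an added Python example. This is my code, not the author's script and not anything taken from the Havex samples; the function and variable names are my own, and the embedded payload is a constructed stand-in (an "MZ" header plus filler), so the MD5 it reports is only there to show what an analyst would record after unwrapping a staged file.

```python
import base64
import bz2
import hashlib

# XOR key the article reports for the Havex samples
HAVEX_XOR_KEY = b"1312312"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key; XOR is its own inverse."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_mta_payload(blob: bytes, key: bytes = HAVEX_XOR_KEY) -> bytes:
    """Unwrap a staged payload in the order the article gives: base64 -> bzip2 -> XOR.

    Each layer is checked before the next one is applied, so a file that is not
    in this format fails loudly instead of producing silent garbage.
    """
    compressed = base64.b64decode(blob)  # whitespace/newlines are skipped
    if not compressed.startswith(b"BZh"):
        raise ValueError("base64 layer did not yield a bzip2 stream")
    decomp = bz2.BZ2Decompressor()
    plain = decomp.decompress(compressed)
    if not decomp.eof:
        raise ValueError("bzip2 stream is truncated")
    return xor_bytes(plain, key)


def encode_mta_payload(payload: bytes, key: bytes = HAVEX_XOR_KEY) -> bytes:
    """Inverse of decode_mta_payload; used here only to build the constructed sample."""
    return base64.b64encode(bz2.compress(xor_bytes(payload, key)))


def summarize(payload: bytes) -> dict:
    """What an analyst records after unwrapping: size, MD5 and whether it looks like a PE."""
    return {
        "size": len(payload),
        "md5": hashlib.md5(payload).hexdigest(),
        "is_pe": payload.startswith(b"MZ"),
    }


# Constructed stand-in for a dropped executable (NOT a real sample):
# a PE-looking "MZ" header followed by filler bytes.
SAMPLE_PAYLOAD = b"MZ" + b"\x90" * 62 + b"constructed Havex-style payload " * 8
SAMPLE_BLOB = encode_mta_payload(SAMPLE_PAYLOAD)

if __name__ == "__main__":
    recovered = decode_mta_payload(SAMPLE_BLOB)
    print(summarize(recovered))
```

On a real file from the server you would feed the bytes of the .php file to decode_mta_payload and compare the resulting MD5 against the one the article gives; the magic checks on each layer are what tell you early whether the file is in this format at all.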
This sample, instead of having a regular config file, has an RSA-1024 key, base64 encoded:
AATGeSxyP/0X6yIkMa1UYwI3RaHfJ5N0ImjLGCaoVf5l/8egolU08E4mHbOrNARt smDGI+xVDY/7/llthOrQA3ffIw0WMSuR6t3MTgUIXzuZQE3SjzL+ab6VqvadRXCU +dCgf2iwaBe988B+YKNaOmV6+MMQg889tjzMXdEnGYtkKQAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAQAB0
One significant thing about this sample (BA8DA708B8784AFD36C44BB5F1F436BC) is that it scans for SCADA servers:
It uses OPC (OLE for Process Control) to scan for and discover SCADA devices. Overall, I should say:
- This malware doesn't have any type of protection/encryption/obfuscation
- No advanced hiding techniques, no exploits, no complexity at all
- Even the method it uses to discover SCADA devices is mostly copy/paste and relies on 3rd-party libraries. It also uses the RSAEURO library as-is, without any modification; you can even see the "Copyright (c) J.S.A.Kapp 94-96." text clearly inside the malware sample, which is taken from here.
- Too many typos and grammar mistakes
- Insecure C&C server
There wasn't anything else important I should mention; the rest is mostly covered in other articles and there is nothing special to talk about. Most Havex samples simply use "[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]" as their startup point. Simply deleting the entry from the registry and rebooting the computer would stop the malware.
Also, it seems they've infected installer files of several SCADA-related software packages such as libMesaSR, eCatcher (from eWON) and mbCHECK (by MB Connect Line). All other exploits they've used are from 2012 (PDF and Java exploits), so they are not really important to talk about.