Malware Analysis from ICS-CERT

Wednesday, July 2, 2014 @ 09:07 AM gHale

In a continuing effort to understand a malware campaign, ICS-CERT is analyzing an industrial control system (ICS) focused attack, dubbed Dragonfly, that uses multiple vectors for infection.

These attacks include phishing emails, redirections to compromised web sites and, most recently, Trojanized update installers placed on at least three ICS vendor web sites in watering hole attacks.

Based on information ICS-CERT has obtained from security firms Symantec and F-Secure, the software installers distributed by these vendors were infected with malware known as the Havex Trojan (Backdoor.Oldrea). According to that analysis, these techniques could give attackers access to the networks of systems on which the Trojanized software was installed. Symantec lists the victims' locations as Spain, U.S., France, Italy, and Germany, in that order.

Symantec posted a Security Response whitepaper that details this activity and provides indicators of compromise. Symantec also ties this campaign to previous watering hole activity, namely Trojan.Karagany and the Lightsout exploit kit.

Cisco previously identified the Trojan.Karagany as part of another watering hole attack targeting energy and oil sectors.

Havex is a Remote Access Trojan (RAT) that communicates with a Command and Control (C&C) server. The C&C server can deploy payloads that provide additional functionality.

ICS-CERT identified and analyzed one payload that enumerates all connected network resources, such as computers or shared resources, and uses the classic DCOM-based (Distributed Component Object Model) version of the OPC standard to gather information about connected control system devices and resources within the network. The known components of the identified Havex payload do not appear to target devices using the newer OPC Unified Architecture (UA) standard.

The payload gathers server information that includes CLSID, server name, Program ID, OPC version, vendor information, running state, group count, and server bandwidth. In addition to more generic OPC server information, the Havex payload also has the capability of enumerating OPC tags. ICS-CERT is currently analyzing this payload; at this time ICS-CERT has not found any additional functionality to control or make changes to the connected hardware.

ICS-CERT testing has determined that the Havex payload causes multiple common OPC platforms to crash intermittently. This could produce a denial of service effect on applications that rely on OPC communications.

OPC provides an open standard specification that is widely used in process control, manufacturing automation, and other applications. The technology facilitates open connectivity and vendor equipment interoperability. The original version of the OPC specification, referred to as OPC Classic, uses Microsoft's COM/DCOM (Distributed Component Object Model) technology. In 2006, the OPC Foundation released a new standard, referred to as OPC Unified Architecture (UA), which does not use COM/DCOM. The known components of the identified Havex malware payload do not appear to target devices using the newer OPC UA standard.

ICS-CERT tested the payload against multiple OPC servers. An example of the information gathered can be seen below:

Program was started at 09:20:11
**************************************************************************
09:20:11.0828: Start finging of LAN hosts…
09:20:18.0109: Was found 3 hosts in LAN:
01) [\\vmware-host\Shared Folders]
02) [\\FEAE35F]
03) [\\SBWIN7]
**************************************************************************
09:20:18.0203: Start finging of OPC Servers…
09:20:39.0390: Thread 01 return error code: 0x800706ba
09:20:39.0390: Thread 02 return error code: 0x80070005
09:20:39.0390: Thread 03 return error code: 0x800706ba
09:20:39.0390: Thread 05 return error code: 0x80070005
09:20:39.0390: Thread 06 return error code: 0x80070005
09:20:39.0390: Was found 2 OPC Servers.
1) [Redacted Vendor Name]
CLSID: {Redacted Class ID}
UserType: Redacted Vendor Name
VerIndProgID: Redacted Vendor Name
OPC version support: +++
2) [Redacted Vendor Name]
CLSID: {Redacted Class ID}
UserType: Redacted Vendor Name
VerIndProgID: Redacted Vendor Name
OPC version support: ++-
**************************************************************************
09:20:39.0500: Start finging of OPC Tags…
09:20:39.0500: Thread 01 running…
09:20:39.0531: Thread 02 running…
09:20:51.0437: Thread 01 was terminated by ThreadManager(2)
09:20:51.0546: Thread 02 was terminated by ThreadManager(2)
09:20:53.0140: Thread 01 return error code: 0xfffffffe
09:20:53.0171: Thread 02 return error code: 0xfffffffe
1) Redacted Vendor Name
Saved in ‘OPCServer01.txt’
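An incident responder who recovers this scan output (for example from an interrupted run, where the plain text file was not yet deleted) will want it in structured form rather than as a wall of text. The following parser is an added example written for this article; it is not code from ICS-CERT, Symantec or F-Secure. It assumes only the output layout shown above, embeds a constructed sample with placeholder vendor names and CLSIDs, and decodes the two thread error codes that appear in the sample using their standard Windows HRESULT meanings. The `0xfffffffe` code returned in the tag phase is not a Windows HRESULT and its meaning is not documented in the report, so the parser simply reports it as unrecognised.

```python
import re

# Constructed sample in the layout ICS-CERT published; vendor names and CLSIDs are placeholders.
SAMPLE_LOG = r"""Program was started at 09:20:11
**************************************************************************
09:20:11.0828: Start finging of LAN hosts...
09:20:18.0109: Was found 3 hosts in LAN:
01) [\\vmware-host\Shared Folders]
02) [\\FEAE35F]
03) [\\SBWIN7]
**************************************************************************
09:20:18.0203: Start finging of OPC Servers...
09:20:39.0390: Thread 01 return error code: 0x800706ba
09:20:39.0390: Thread 02 return error code: 0x80070005
09:20:39.0390: Was found 2 OPC Servers.
1) [Example Vendor A OPC Server]
CLSID: {00000000-0000-0000-0000-000000000001}
UserType: Example Vendor A
VerIndProgID: ExampleVendorA.OPC.1
OPC version support: +++
2) [Example Vendor B OPC Server]
CLSID: {00000000-0000-0000-0000-000000000002}
UserType: Example Vendor B
VerIndProgID: ExampleVendorB.OPC.1
OPC version support: ++-
**************************************************************************
09:20:39.0500: Start finging of OPC Tags...
09:20:53.0140: Thread 01 return error code: 0xfffffffe
1) Example Vendor A OPC Server
Saved in 'OPCServer01.txt'
"""

# Standard Windows HRESULT values; they explain why a scan thread failed against a host.
HRESULT_MEANING = {
    0x800706BA: "RPC_S_SERVER_UNAVAILABLE: host unreachable or RPC/DCOM not exposed",
    0x80070005: "E_ACCESSDENIED: DCOM security refused the caller",
}

HOST_RE = re.compile(r"^\d+\) \[(.+)\]$")
SERVER_HDR_RE = re.compile(r"^\d+\) \[(.+)\]$")
KV_RE = re.compile(r"^(CLSID|UserType|VerIndProgID|OPC version support): (.*)$")
ERR_RE = re.compile(r"Thread (\d+) return error code: (0x[0-9a-fA-F]{8})")
TAGFILE_RE = re.compile(r"Saved in '(.+?)'")


def parse_scan_log(text):
    """Turn Havex-style scan output into hosts, OPC servers, thread errors and tag dump files."""
    hosts, servers, errors, tag_files = [], [], [], []
    section, current = None, None
    for raw in text.splitlines():
        line = raw.strip()
        # Phase banners switch the section-specific parsing below.
        if "Start finging of LAN hosts" in line:
            section = "hosts"
            continue
        if "Start finging of OPC Servers" in line:
            section = "servers"
            continue
        if "Start finging of OPC Tags" in line:
            section = "tags"
            continue
        m = ERR_RE.search(line)
        if m:
            code = int(m.group(2), 16)
            errors.append({"phase": section, "thread": int(m.group(1)), "code": m.group(2),
                           "meaning": HRESULT_MEANING.get(code, "unrecognised (not a documented HRESULT)")})
            continue
        if section == "hosts":
            m = HOST_RE.match(line)
            if m:
                hosts.append(m.group(1))
        elif section == "servers":
            m = SERVER_HDR_RE.match(line)
            if m:
                current = {"name": m.group(1)}
                servers.append(current)
                continue
            m = KV_RE.match(line)
            if m and current is not None:
                current[m.group(1)] = m.group(2)
        elif section == "tags":
            m = TAGFILE_RE.search(line)
            if m:
                tag_files.append(m.group(1))
    return {"hosts": hosts, "servers": servers, "errors": errors, "tag_files": tag_files}


if __name__ == "__main__":
    result = parse_scan_log(SAMPLE_LOG)
    print(f"{len(result['hosts'])} hosts, {len(result['servers'])} OPC servers enumerated")
    for err in result["errors"]:
        print(f"  thread {err['thread']:02d} ({err['phase']}): {err['code']} -> {err['meaning']}")
```

The decoded error codes are useful on their own: a run of `E_ACCESSDENIED` results shows that DCOM permissions on those hosts stopped the enumeration, which is the kind of restrictive DCOM configuration that limits what this payload can learn.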

This data is stored in a file created in the user's TEMP directory under a random name with the extension ".tmp.dat". Once all information has been written to this file, an encrypted version of it is created in the same directory with a random name and a ".tmp.yls" extension, and the plain text file is then deleted.

In addition to more generic OPC server information, the Havex payload also has the capability of enumerating OPC tags. Specifically, the server is queried for tag name, type, access and id. The OPC tag information collected is written to a separate file "OPCServerXX.txt", where XX is a number beginning at one and incrementing every time OPC tag information has been retrieved from an OPC server. See the sample below:

OPC Server[\\Redacted Vendor Name]
Server state: 1
Group count value: 0
Server band width: ffffffff
[root]
Redacted Vendor Info
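The file names described above give a host-based hunting signal: a randomly named ".tmp.dat" or ".tmp.yls" file in a user's TEMP directory, or an "OPCServerXX.txt" tag dump. The script below is an added example for this article, not a tool from ICS-CERT or the vendors it cites. It assumes the naming and the two file headers shown on this page ("Program was started at" for the plain text scan output and "OPC Server[" for the tag dump) and builds a constructed sample TEMP directory to run against; the encrypted ".tmp.yls" contents are opaque, so only the name is matched for that type.

```python
import os
import re
import tempfile

# File name patterns reported for the Havex OPC payload. Random names are matched with ".+".
ARTIFACT_PATTERNS = [
    ("havex_opc_scan_plaintext", re.compile(r"^.+\.tmp\.dat$", re.IGNORECASE)),
    ("havex_opc_scan_encrypted", re.compile(r"^.+\.tmp\.yls$", re.IGNORECASE)),
    ("havex_opc_tag_dump", re.compile(r"^OPCServer\d{2}\.txt$", re.IGNORECASE)),
]

# First bytes of the two plain text artifact types as shown in the published samples.
CONTENT_MARKERS = {
    "havex_opc_scan_plaintext": b"Program was started at",
    "havex_opc_tag_dump": b"OPC Server[",
}


def classify(name):
    """Return the artifact label for a file name, or None if it matches nothing."""
    for label, pattern in ARTIFACT_PATTERNS:
        if pattern.match(name):
            return label
    return None


def find_havex_artifacts(temp_dir):
    """Scan one directory; return sorted (name, label, content_match) tuples.

    content_match is True/False when a header check applies, None for the encrypted type.
    A surviving .tmp.dat is notable: the report says it is deleted once the encrypted copy
    is written, so its presence suggests the payload was interrupted mid-run (inference).
    """
    hits = []
    for entry in os.scandir(temp_dir):
        if not entry.is_file():
            continue
        label = classify(entry.name)
        if label is None:
            continue
        marker = CONTENT_MARKERS.get(label)
        content_match = None
        if marker is not None:
            with open(entry.path, "rb") as fh:
                content_match = fh.read(len(marker)) == marker
        hits.append((entry.name, label, content_match))
    return sorted(hits)


def build_demo_temp_dir():
    """Constructed sample TEMP directory: three Havex-style artifacts plus two decoys."""
    d = tempfile.mkdtemp(prefix="havex_hunt_demo_")
    files = {
        "a8f3k2.tmp.yls": b"\x9c\x11\x42\x7a\x03",               # encrypted output, opaque
        "OPCServer01.txt": b"OPC Server[\\\\EXAMPLEVENDOR]\r\nServer state: 1\r\n",
        "q1w2e3.tmp.dat": b"Program was started at 09:20:11\r\n",
        "setup_log.tmp": b"benign installer scratch file",      # decoy: wrong extension
        "OPCServer.txt": b"decoy: no two-digit counter",         # decoy: wrong name shape
    }
    for name, data in files.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(data)
    return d


if __name__ == "__main__":
    demo = build_demo_temp_dir()
    for name, label, content_match in find_havex_artifacts(demo):
        print(f"{name:20s} {label:28s} header_match={content_match}")
```

In a real hunt, point `find_havex_artifacts` at each user's %TEMP% directory (not the shared system temp) and treat any hit as a reason to pull the file for analysis; the name patterns alone are loose enough that the header check is what keeps the false positive rate down for the plain text types.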

None of the versions of the Havex malware payload that have been analyzed thus far contain any functionality to control or make changes to connected control system devices.