Dragonfly Cyber Espionage campaign overview
Havex is a Remote Administration Tool (RAT) used recently by the “dragonfly” cyber espionage group. They were using the Havex malware to target Industrial Control Systems (ICS) and SCADA systems at energy companies across Europe and the US.
Figure 1 – Infected MBcheck software – as seen on a PC screen upon launch
This sample software appears to be legitimate at first glance; however, it initiates a malicious DLL named—mbcheck.dll—that runs the malware. As a Remote Administration Tool, Havex opens a door for the criminals to take control of the infected system.
Figure 2 – MBcheck software injects malicious DLL and communicates with CnC once the “Start Checkup” button is clicked
Upon launch, the malware remains “silent” on the device, waiting for the end-user to click the “start checkup” button. A few minutes after this button is pressed—it opens a session to a command control network, waiting for further commands.
Check Point protects from the HAVEX RAT
The Havex RAT used by the Dragonfly cyber espionage group, can be detected by a Check Point Security Gateway either when being downloaded by a system operator (pre-infection), or once an infected device executes it and tries to communicate with a command & control network (post infection).
The following Threat Prevention layers provide protection from this RAT:
IPS Software Blade: Protects from downloading software created by the LightsOut exploit tool—used to deliver Havex.
On 07/08/2014—Check Point released a new IPS signature that detects and blocks any LightsOut/Hello exploit kit attempts. This exploit kit is used to deliver the HAVEX RAT.
IPS Signature Name: LightsOut/Hello Exploit Kit (CVE-2013-2465).
This signature is classified in the IPS “recommended profile”, allowing any organization that uses this profile automatic protection (for IPS updates that were performed after July 8th).
Antivirus Software Blade: Protects from downloading software that is known to be infected with the Havex RAT.
Check Point ThreatCloud is updated with domains and URLs that are known to be used by the Dragonfly cyber espionage group. All threat intelligence indicators are transformed to security protections on the Security Gateway, preventing users from downloading files from known-malware-infested web sites.
All organizations that have enabled the Check Point AV Software Blade in “prevention mode” are protected. Accessing Havex infested sites and domains will be blocked.
Anti-Bot Software Blade: Prevents infected computers from communicating with the RAT operator.
The Check Point research team has analyzed the network fingerprint of the Havex RAT. This signature was added to the Anti-Bot software blade. A Security Gateway which identifies the Havex network patterns, highlights the infected devices, and stops the connection to the RAT operator. For more information on the network connection behavior, see Appendix 1.
All orgnazations that have the Check Point Anti-Bot Software Blade enabled are now protected.
The Dragonfly operation using the Havex RAT is the widest and most severe operation against ICS and SCADA systems since Stuxnet. This operation demonstrates a sophisticated, multi-layered method that uses malware and social engineering techniques to mislead device-operators into downloading and executing malware from a trusted software vendor.
The Check Point Threat Prevention layers: IPS, Antivirus and Anti-Bot software blades protect organizations form downloading this tool and from letting it communicate with its operator.
Appendix 1- HAVEX Network Analysis
Once the “start checkup” button is clicked (see Figure 2 above), the malware starts to run. Then, it waits for several minutes before opening a communication channel with its CnC.
Havex performs an HTTP POST request- as of the below description:
Figure 3 – Havex HTTP post communication pattern
Another example for an HTTP POST request, to another CnC domain looks like that:
Figure 4 – Havex HTTP post communication pattern – another example
Information is sent from the infected device within the HTTP POST request parameters.
Notice the response of the server (encoded in Base64), that contains the string “havex” (marked on Figures 3 and 4 above).