Check Point Protects from the HAVEX Malware Targeting ICS/SCADA Systems

Dragonfly Cyber Espionage campaign overview

Havex is a Remote Administration Tool (RAT) used recently by the “dragonfly” cyber espionage group. They were using the Havex malware to target Industrial Control Systems (ICS) and SCADA systems at energy companies across Europe and the US.

Several methods were used to infect computers with the Havex RAT, such as spear phishing or a watering hole attack. For example, using a watering hole attack, the group would take control of ICS/SCADA vendor’s website and infect software that customers downloaded.
One of the many malicious samples that were analyzed by the Check Point security research group is software named “MB connect.”

Figure 1 – Infected MBcheck software – as seen on a PC screen upon launch

This sample software appears to be legitimate at first glance; however, it initiates a malicious DLL named—mbcheck.dll—that runs the malware. As a Remote Administration Tool, Havex opens a door for the criminals to take control of the infected system.


Figure 2 – MBcheck software injects malicious DLL and communicates with CnC once the “Start Checkup” button is clicked 

Upon launch, the malware remains “silent” on the device, waiting for the end-user to click the “start checkup” button. A few minutes after this button is pressed—it opens a session to a command control network, waiting for further commands.

Check Point protects from the HAVEX RAT

The Havex RAT used by the Dragonfly cyber espionage group, can be detected by a Check Point Security Gateway either when being downloaded by a system operator (pre-infection), or once an infected device executes it and tries to communicate with a command & control network (post infection).

The following Threat Prevention layers provide protection from this RAT:

IPS Software Blade:
 Protects from downloading software created by the LightsOut exploit tool—used to deliver Havex.

On 07/08/2014—Check Point released a new IPS signature that detects and blocks any LightsOut/Hello exploit kit attempts. This exploit kit is used to deliver the HAVEX RAT.
IPS Signature Name: LightsOut/Hello Exploit Kit (CVE-2013-2465).

This signature is classified in the IPS “recommended profile”, allowing any organization that uses this profile automatic protection (for IPS updates that were performed after July 8th).
Antivirus Software Blade: Protects from downloading software that is known to be infected with the Havex RAT.

Check Point ThreatCloud is updated with domains and URLs that are known to be used by the Dragonfly cyber espionage group. All threat intelligence indicators are transformed to security protections on the Security Gateway, preventing users from downloading files from known-malware-infested web sites.
All organizations that have enabled the Check Point AV Software Blade in “prevention mode” are protected. Accessing Havex infested sites and domains will be blocked.
Anti-Bot Software Blade: Prevents infected computers from communicating with the RAT operator.

The Check Point research team has analyzed the network fingerprint of the Havex RAT. This signature was added to the Anti-Bot software blade. A Security Gateway which identifies the Havex network patterns, highlights the infected devices, and stops the connection to the RAT operator. For more information on the network connection behavior, see Appendix 1.

All orgnazations that have the Check Point Anti-Bot Software Blade enabled are now protected.


The Dragonfly operation using the Havex RAT is the widest and most severe operation against ICS and SCADA systems since Stuxnet. This operation demonstrates a sophisticated, multi-layered method that uses malware and social engineering techniques to mislead device-operators into downloading and executing malware from a trusted software vendor.

The Check Point Threat Prevention layers: IPS, Antivirus and Anti-Bot software blades protect organizations form downloading this tool and from letting it communicate with its operator.

Appendix 1- HAVEX Network Analysis

Once the “start checkup” button is clicked (see Figure 2 above), the malware starts to run. Then, it waits for several minutes before opening a communication channel with its CnC.

Havex performs an HTTP POST request- as of the below description:


Figure 3 – Havex HTTP post communication pattern

Another example for an HTTP POST request, to another CnC domain looks like that:


Figure 4 – Havex HTTP post communication pattern – another example

Information is sent from the infected device within the HTTP POST request parameters.

Notice the response of the server (encoded in Base64), that contains the string “havex” (marked on Figures 3 and 4 above).

(Download PDF)