Trend Micro Spots 64-bit Version of HAVEX RAT

Researchers of Trend Micro have discovered a 64-bit Havex version which is a RAT (remote access tool) and it has been used in cyber espionage operations aiming industrial control systems (ICS).

64-bit Havex has been discovered recently although it has been afloat for fairly some time according to the security firm.

Softpedia.com reported on 29th December, 2014 stating that till recently, only 32-bit samples of the malware have been discovered but Jay Yaneza, Technical Support with Trend Micro noted that a 64-bit edition (TMPprovider023.dll, where the number highlights the version of the malware) was discovered with a compilation date of 3rd October, 2012 which is older than the latest versions which was analyzed by the researchers.

According to analysis of Trend Micro, TMPpovider023.dll creates two files in the file system and it is in responsible for communicating with command and control servers to receive instructions like downloading supplementary modules or executing commands.

It appears that a 32-bit one emerged with the name TMPprovider029.dll from the 64-bit version of the malware (v023).

According to analysis, the researchers can determine another three files which seem to be interrelated in one lone infection and all of them were compiled beginning Q2 of 2013.

Trend Micro spotted an infection revealing some tarnished files identified as BKDR_HAVEX.SM were signed using a digital certificate to make them appear as genuine software. The digital certificate seemed to be carrying IBM's signature but in actuality it was signed by the authors of the malware, say the researchers of the security firm.

HAVEX RAT has undergone many rehearsals and used in operations with ICS/SCADA and even pharmaceutical targets but it does not prevent it from being used repeatedly. Operators of ICS have to note that the configuration of HAVEX binaries look like much of what we see in regular Windows malware and more so now that we have witnessed Windows 7 64-bit infections. Blog.trendmicro.com published a blog of Trend Micro on 29th December, 2015 stating that it is vital to validate software being installed on endpoints within the environment and to regularly monitor HTTP traffic.

» SPAMfighter News - 1/7/2015