Software: Backdoor.Oldrea, Havex
Backdoor.Oldrea is a Remote Access Trojan (RAT) that communicates with a Command and Control (C2) server. The C2 server can deploy payloads that provide additional functionality. One payload has been identified and analyzed that enumerates all connected network resources, such as computers or shared resources, and uses the classic DCOM-based (Distributed Component Object Model) version of the Open Platform Communications (OPC) standard to gather information about connected control system devices and resources within the network.12345678
Associated Software Descriptions
- Role Identification - The Backdoor.Oldrea payload gathers server information that includes CLSID, server name, Program ID, OPC version, vendor information, running state, group count, and server bandwidth. This information helps indicate the role the server has in the control process.13
- Control Device Identification - The Backdoor.Oldrea payload has the capability of enumerating OPC tags, in addition to more generic OPC server information. The server data and tag names can provide information about the names and function of control devices.13
- Remote System Discovery - The Backdoor.Oldrea ICS malware plugin relies on Windows networking (WNet) to discover all the servers, including OPC servers, that are reachable by the compromised machine over the network.4
- Location Identification - The Backdoor.Oldrea payload has the capability of enumerating OPC tags, in addition to more generic OPC server information. The tag names, depending on the naming convention, can provide information about facilities and locations.13
- Denial of Service - The Backdoor.Oldrea payload has caused multiple common OPC platforms to intermittently crash. This could cause a denial of service effect on applications reliant on OPC communications.1
- Supply Chain Compromise - The Backdoor.Oldrea RAT is distributed through trojanized installers planted on compromised vendor sites.3
- Spearphishing Attachment - The Backdoor.Oldrea RAT is distributed through a trojanized installer attached to emails.3
- Automated Collection - Using OPC, a component of Backdoor.Oldrea gathers any details about connected devices and sends them back to the C2 for the attackers to analyze.3
- User Execution - Execution of Backdoor.Oldrea relies on a user opening a trojanized installer attached to an email.37
- Point & Tag Identification - Backdoor.Oldrea enumerates all OPC tags and queries for specific fields such as server state, tag name, type, access, and id.5
The following groups use this software:
- ICS-CERT. (2018, August 22). Advisory (ICSA-14-178-01). Retrieved April 1, 2019.
- ICS-CERT. (2018, August 22). Alert (ICS-ALERT-14-176-02A). Retrieved April 1, 2019.
- Daavid Hentunen, Antti Tikkanen. (2014, June 23). Havex Hunts For ICS/SCADA Systems. Retrieved April 1, 2019.
- Julian Rrushi, Hassan Farhangi, Clay Howey, Kelly Carmichael, Joey Dabell. (2015, December 08). A Quantitative Evaluation of the Target Selection of Havex ICS Malware Plugin. Retrieved April 1, 2019.
- Kyle Wilhoit. (2014, July 17). Havex, It’s Down With OPC. Retrieved October 22, 2019.
- Symantec. (2014, June 30). Dragonfly: Western Energy Companies Under Sabotage Threat. Retrieved October 22, 2019.
- Kyle Wilhoit. (n.d.). ICS Malware: Havex and Black Energy. Retrieved October 22, 2019.
- Nell Nelson. (2016, January 18). The Impact of Dragonfly Malware on Industrial Control Systems. Retrieved October 22, 2019.