Software: Backdoor.Oldrea, Havex

From attackics
Backdoor.Oldrea, Havex
Software
ID S0003
Aliases Backdoor.Oldrea, Havex
Type Malware

Backdoor.Oldrea is a Remote Access Trojan (RAT) that communicates with a Command and Control (C2) server. The C2 server can deploy payloads that provide additional functionality. One payload has been identified and analyzed that enumerates all connected network resources, such as computers or shared resources, and uses the classic, DCOM-based (Distributed Component Object Model) version of the Open Platform Communications (OPC) standard to gather information about connected control system devices and resources within the network.[1][2][3][4][5][6][7][8]

Associated Software Descriptions

  • Backdoor.Oldrea [6]
  • Havex [3]

Techniques Used

  • Denial of Service - The Backdoor.Oldrea payload has caused multiple common OPC platforms to intermittently crash. This could cause a denial of service effect on applications reliant on OPC communications.[1]
  • Point & Tag Identification - The Backdoor.Oldrea payload has the capability of enumerating OPC tags, in addition to more generic OPC server information. The server data and tag names can provide information about the names and function of control devices.[1][3]
  • Remote System Discovery - The Backdoor.Oldrea ICS malware plugin relies on Windows networking (WNet) to discover all the servers, including OPC servers, that are reachable by the compromised machine over the network.[4]
  • Remote System Information Discovery - The Backdoor.Oldrea payload gathers server information that includes CLSID, server name, Program ID, OPC version, vendor information, running state, group count, and server bandwidth. This information helps indicate the role the server has in the control process.[1][3]
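
The behaviour above (discover every reachable server, then open a classic OPC/DCOM session to each one to pull server attributes and tags) has a network footprint that a single legitimate OPC client rarely produces: one source opening DCOM sessions to many OPC servers in a short window. The following detection heuristic is an added example written for this page; it is not code from attackics or from the Havex malware. It assumes a constructed flow-record format (`<iso-timestamp> <src> <dst> <dport>`), a hypothetical asset inventory of hosts known to run classic OPC servers, and the general fact that classic OPC rides on DCOM, which begins every session with an RPC endpoint-mapper request to TCP/135 before moving to a dynamically assigned port. The sample flows, addresses and thresholds are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, NamedTuple, Set


class FlowRecord(NamedTuple):
    ts: datetime
    src: str
    dst: str
    dport: int


# Classic OPC is DCOM-based: each session starts with an RPC endpoint-mapper
# request on TCP/135 and then moves to a dynamic port, so 135 is the stable
# indicator to key on. (General DCOM fact, not something stated on the page.)
RPC_EPMAP_PORT = 135


def parse_flow_line(line: str) -> FlowRecord:
    """Parse one line of the constructed flow format: '<iso-ts> <src> <dst> <dport>'."""
    ts, src, dst, dport = line.split()
    return FlowRecord(datetime.fromisoformat(ts), src, dst, int(dport))


def find_opc_sweeps(records: Iterable[FlowRecord],
                    opc_servers: Set[str],
                    window: timedelta = timedelta(minutes=5),
                    min_targets: int = 3) -> Dict[str, List[str]]:
    """Return {source: [OPC servers]} for every source that opened DCOM
    (TCP/135) sessions to at least `min_targets` distinct known OPC servers
    within any `window`-long interval. A sliding window over each source's
    time-sorted flows finds the largest such set."""
    by_src: Dict[str, List[FlowRecord]] = defaultdict(list)
    for rec in sorted(records, key=lambda r: r.ts):
        if rec.dport == RPC_EPMAP_PORT and rec.dst in opc_servers:
            by_src[rec.src].append(rec)

    sweeps: Dict[str, List[str]] = {}
    for src, flows in by_src.items():
        best: Set[str] = set()
        start = 0
        for end, rec in enumerate(flows):
            # Advance the window start until it is within `window` of `rec`.
            while rec.ts - flows[start].ts > window:
                start += 1
            targets = {f.dst for f in flows[start:end + 1]}
            if len(targets) >= min_targets and len(targets) > len(best):
                best = targets
        if best:
            sweeps[src] = sorted(best)
    return sweeps


# Hypothetical asset inventory: hosts known to run classic OPC servers.
OPC_SERVERS = {"10.0.2.10", "10.0.2.11", "10.0.2.12", "10.0.2.13"}

# Constructed sample flows (not real traffic).
SAMPLE_FLOW_LINES = [
    # HMI 10.0.1.20 reconnecting to its single OPC server: normal behaviour.
    "2014-06-23T08:00:00 10.0.1.20 10.0.2.10 135",
    "2014-06-23T08:30:00 10.0.1.20 10.0.2.10 135",
    "2014-06-23T09:00:00 10.0.1.20 10.0.2.10 135",
    # Engineering workstation 10.0.1.50: SMB share enumeration first (the
    # WNet-style discovery), then TCP/135 to every OPC server within two minutes.
    "2014-06-23T10:14:10 10.0.1.50 10.0.2.10 445",
    "2014-06-23T10:14:11 10.0.1.50 10.0.2.11 445",
    "2014-06-23T10:15:00 10.0.1.50 10.0.2.10 135",
    "2014-06-23T10:15:20 10.0.1.50 10.0.2.11 135",
    "2014-06-23T10:15:45 10.0.1.50 10.0.2.12 135",
    "2014-06-23T10:16:30 10.0.1.50 10.0.2.13 135",
    # Same workstation reaching a non-OPC host on 135: not counted.
    "2014-06-23T10:17:00 10.0.1.50 10.0.3.5 135",
]


def run_sample() -> Dict[str, List[str]]:
    """Run the heuristic over the constructed sample and return the sweeps found."""
    records = [parse_flow_line(line) for line in SAMPLE_FLOW_LINES]
    return find_opc_sweeps(records, OPC_SERVERS)


if __name__ == "__main__":
    for src, servers in run_sample().items():
        print(f"possible OPC enumeration sweep from {src}: {', '.join(servers)}")
```

On the sample data only the engineering workstation is flagged: the HMI talks to one server repeatedly, which is what a real OPC client looks like, whereas the Havex plugin touches every server it can reach once. Expect false positives from asset-discovery tools and redundant OPC clients that legitimately contact several servers; tune `window` and `min_targets` against a baseline of your own flows, and treat the SMB enumeration that precedes the DCOM burst (the WNet discovery step) as a confidence booster rather than a requirement, since the plugin can also be pointed at a list of servers.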

Groups

The following groups use this software: