Over the past 10 days we’ve seen a lot of attention on Havex malware and its variants, which target industrial control system (ICS) and SCADA users. F-Secure, Crowdstrike and Symantec were among those reporting on Havex RAT (Remote Access Trojan), also known as DragonFly, Energetic Bear, Backdoor.Oldrea and Trojan.Karagany.
Palo Alto Networks has been tracking Havex for quite a while and we’ve regularly found samples via WildFire, providing coverage via antivirus and additional indicators via URL filtering.
As with any other malware family or threat, Palo Alto Networks customers should use the entire solution for threat prevention and mitigation coverage. We recommend the following:
- Use App-ID to reduce the attack surface. Look for outbound unknown-tcp and unknown-udp traffic, which can indicate Trojans and RATs communicating with their controllers.
- Use SSL decryption for webmail to catch targeted and watering-hole attacks delivered to personal email addresses. A single malicious RTF, PDF or Office document is all it takes to compromise an organization and bypass all your protections when you have no visibility into SSL communications.
- Use file-blocking technology. Block, or at least warn via a continue page on, all PE (portable executable) files and .EXEs so employees cannot install them. Consider also blocking other high-risk content types used in targeted attacks, such as RTF, .SCR, .HLP and .LNK files.
- Use IPS signatures to prevent client-side vulnerabilities from being exploited by client-side attacks, exploit kits and watering-hole attacks. Consider inline blocking with a strict IPS policy: stopping the client-side exploit stops the drive-by download before the malware is dropped on the system.
- Use Antivirus. We continue to add specific AV coverage for hundreds of samples of Havex, Backdoor.Oldrea and the Energetic Bear RAT. We previously had coverage and have added additional AV protection for newer samples of TrojanDownloader/Win32.karagany (Trojan.Karagany). Since naming for malware threats is so chaotic in the industry, our protection for Havex, Oldrea and the Energetic Bear RAT shows up under a variety of names, including:
  - Backdoor/Win32.havex.[Random]
  - TrojanDownloader/Win32.karagany.[Random]
  - Virus/Multi.karagany.[Random]
  - Virus/Win32.WGeneric.[Random]
  - Trojan/Win32.spnr.[Random]
- Use Spyware/CnC/C2 prevention to find infected systems that may pull down additional variants. Ensure DNS detection is enabled and in blocking mode. Palo Alto Networks has a number of Spyware/CnC signatures to help detect previously compromised systems, including:
  - Karagany.Gen Command and Control Traffic, ID 13154
  - Havex.Gen Command And Control Traffic, ID 13488
- Use URL Filtering with PAN-DB to prevent threats from being downloaded from known malicious domains. Various malicious IPs and domains have been added to PAN-DB based on the threat intelligence we have received. We urge users to block the malware category, as well as the proxy-avoidance and peer-to-peer categories. We also recommend a "continue page" on unknown-category websites to prevent users and malware from automatically navigating to possibly newly created malicious domains.
- Focus on prevention of unknown and 0-day malware using WildFire.
  - Forward all incoming PE files to WildFire to determine whether any malicious executables are being downloaded.
  - Forward all high-risk document types used in targeted attacks (incoming Office documents, PDFs and Java files) to WildFire for analysis.
  - At a minimum, ensure RTF files are blocked or forwarded to WildFire.
  - WildFire will automatically observe the malicious behavior and push out AV signatures, DNS and CnC signatures to prevent additional employees from being infected.
- Leverage the Botnet Report to find infected systems. Look at the Botnet Report within PAN-OS to ensure you haven't missed already infected systems.
- Create a DNS sinkhole to find infected systems. Use the PAN-OS 6.0 DNS sinkhole feature so that hosts resolving known-malicious domains are redirected to an address you control and can be identified easily.
- Pay attention to software updates. Recommend that employees not install Adobe Reader, Flash or Java updates from pop-ups; instead, push all updates centrally or have users visit the vendors' websites directly. Malware authors rely on social engineering to get your employees to install fake Reader, Flash and Java updates, which can be part of the infection vector. Consider removing widely vulnerable software such as Java or Flash where users do not need it.
For more on Palo Alto Networks solutions for this market, visit our ICS and SCADA resource page.