Corey Thuen of Digital Bond Labs describes in technical detail how Havex/Dragonfly enumerated OPC servers.
Havex is the second ICS malware ever seen in the wild.
5. Havex Analysis
Analysis was conducted against the Havex Remote Access Trojan (RAT) that appeared as a trojanized installer for mbconnect
Analysis of Command & Control traffic requests
Analysis of Downloadable Modules
28. Code Flow - Find Systems with DCOM
OPC uses DCOM for communication
DCOM supports enumeration of connected systems
Step 1 when wanting OPC data is to find available OPC Servers
30. Code Flow - Enumerate OPC Servers
OPC servers have “tags” that are data points, controls, etc.
OPC tag information is valuable to attackers
Havex uses DCOM to get the list of tags on each OPC server to which it can connect
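As an added detection example, not code from the presentation: this Python script flags the DCOM fan-out pattern described above in constructed, Zeek conn.log-like connection records. It assumes the default Windows RPC behaviour of an endpoint-mapper hit on TCP/135 followed by a dynamically assigned port at or above 49152.

```python
"""Flag DCOM/OPC enumeration sweeps in connection logs.

Havex's OPC module asks each reachable host for its OPC servers over DCOM,
so one client fanning out to TCP/135 (RPC endpoint mapper) on many hosts and
then reaching a dynamic high port on the same hosts is a useful indicator.
The log lines below are constructed, not a capture from the presentation.
"""
from collections import defaultdict

# Constructed, Zeek conn.log-like records: ts, src, dst, dst_port, proto
SAMPLE_LOG = """\
1.0 10.0.0.5 10.0.0.10 135 tcp
1.1 10.0.0.5 10.0.0.10 49154 tcp
1.2 10.0.0.5 10.0.0.11 135 tcp
1.3 10.0.0.5 10.0.0.11 49160 tcp
1.4 10.0.0.5 10.0.0.12 135 tcp
1.5 10.0.0.5 10.0.0.12 49172 tcp
2.0 10.0.0.7 10.0.0.10 135 tcp
2.1 10.0.0.7 10.0.0.10 49154 tcp
3.0 10.0.0.8 10.0.0.10 443 tcp
"""

def parse_log(text):
    """Parse whitespace-separated lines into dicts; skip malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, port, proto = parts
        records.append({"ts": float(ts), "src": src, "dst": dst,
                        "port": int(port), "proto": proto})
    return records

def find_dcom_sweeps(records, min_hosts=3, window=60.0):
    """Return {src: sorted hosts} for sources that, within `window` seconds of
    a TCP/135 connection, reach a dynamic high port (>= 49152, the assumed
    default Windows RPC range) on at least `min_hosts` distinct hosts."""
    epm = defaultdict(dict)   # src -> {dst: first ts of TCP/135 contact}
    dyn = defaultdict(set)    # src -> hosts later contacted on a high port
    for r in sorted(records, key=lambda r: r["ts"]):
        if r["proto"] != "tcp":
            continue
        if r["port"] == 135:
            epm[r["src"]].setdefault(r["dst"], r["ts"])
        elif r["port"] >= 49152 and r["dst"] in epm[r["src"]]:
            if r["ts"] - epm[r["src"]][r["dst"]] <= window:
                dyn[r["src"]].add(r["dst"])
    return {s: sorted(h) for s, h in dyn.items() if len(h) >= min_hosts}
```

A single client pairing with one server (10.0.0.7 above) is normal OPC traffic and is not reported; only the multi-host sweep is.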
33. Summary
1. Havex infects system
2. RAT downloads modules from C2 servers
3. OPC module scans for local OPC servers including tag lists
4. OPC information is packaged up and sent to C2
34. Conclusions
• Havex is not attempting to hide
• No new vulnerabilities or 0-days are used
• OPC Information is collected and delivered to C2
• No control is attempted
These modules are reconnaissance
For who? For what purpose? Is there a specific target desired?