HAVEX Payload Delivery

Energetic Bear used three major methods to deliver malware.

1) Malicious PDF via spear-phishing. Spear-phishing was used to infect targeted individuals for initial information gathering by delivering malicious PDF documents, in this case PDF/SWF exploits targeting CVE-2011-0611 to drop malware. Even though the campaign ran through 2014, this older exploit was still valuable.

2) Malicious JAR and HTML via a watering hole attack. Watering hole attacks were used to deliver the backdoor that Symantec tracks as Backdoor.Oldrea. These attacks exploited CVE-2013-2465, CVE-2013-1347, and CVE-2012-1723 in Java 6, Java 7, IE 7, and IE 8 to drop the HAVEX malware. The exploits appeared to be modified Metasploit Java exploits built to deliver the HAVEX loader.

3) Legitimate software loaders. Energetic Bear compromised several legitimate ICS vendor websites. Binaries such as camera drivers and PLC management software were modified and made to deliver the HAVEX malware.

In order to complete the third attack type, the threat actor had to compromise several ICS vendors' websites. Sometimes called a Strategic Web Compromise (SWC) attack, this has become a favorite method of Russian- and Chinese-based threat actors. In this case, SWC attacks were used to compromise sites that customers or users of ICS systems were most likely to visit, which made the watering hole and the trojanized binaries far more effective against the intended victims. Using these three attack types demonstrated an organized and arguably sophisticated threat actor: the team behind it planned a scenario designed to succeed against its target audience.
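One practical check that follows from the third delivery method: an installer fetched from a vendor site should be compared against digests obtained through a separate channel before it is run, because a compromised site can serve a trojanized binary together with a matching "published" hash. The following is an added example written for this page, not code from the original text or from any ICS vendor; the file names, the installer bytes and the manifest are constructed sample data, and the out-of-band manifest format is an assumption.

```python
import hashlib
import hmac
import os
import tempfile


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so a large installer does not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_downloads(download_dir, manifest):
    """Compare every downloaded file against an out-of-band manifest.

    manifest: {file name: expected SHA-256 hex digest} obtained over a channel
    separate from the download site (assumption for this example).

    Returns {file name: status} where status is one of:
      "ok"        digest matches the manifest
      "MISMATCH"  file present but digest differs (possible trojanized binary)
      "MISSING"   manifest lists the file but it was not downloaded
      "UNLISTED"  file present in the download directory but not in the manifest
    """
    results = {}
    for name, expected in manifest.items():
        path = os.path.join(download_dir, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
            continue
        actual = sha256_file(path)
        # Timing is not the threat here, but compare_digest is the habit to keep
        # whenever two digests are compared.
        results[name] = "ok" if hmac.compare_digest(actual, expected.lower()) else "MISMATCH"
    for name in sorted(os.listdir(download_dir)):
        if name not in manifest:
            results[name] = "UNLISTED"
    return results


def _write(directory, name, data):
    with open(os.path.join(directory, name), "wb") as f:
        f.write(data)


def demo():
    """Constructed scenario: one clean installer, one trojanized, one unlisted, one missing."""
    clean_driver = b"MZ\x90\x00 camera driver installer (constructed sample)"
    clean_plc = b"MZ\x90\x00 PLC management software installer (constructed sample)"
    # Constructed manifest: the digests the vendor distributed out of band.
    manifest = {
        "camera_driver_setup.exe": hashlib.sha256(clean_driver).hexdigest(),
        "plc_manager_setup.exe": hashlib.sha256(clean_plc).hexdigest(),
        "release_notes.txt": hashlib.sha256(b"release notes (constructed)").hexdigest(),
    }
    with tempfile.TemporaryDirectory() as d:
        _write(d, "camera_driver_setup.exe", clean_driver)
        # The re-hosted PLC installer carries an appended loader stub (constructed).
        _write(d, "plc_manager_setup.exe", clean_plc + b"\x00" * 32 + b"<loader stub (constructed)>")
        # A binary the site offered that the vendor never listed.
        _write(d, "hotfix.exe", b"MZ\x90\x00 unlisted binary (constructed)")
        return verify_downloads(d, manifest)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:9} {name}")
```

A matching digest only proves the file is the one the manifest describes, so the manifest itself must reach you over a channel the attacker who owns the web server cannot also alter. Where the vendor signs its binaries, checking the code signature against the vendor's expected signing certificate is the stronger control, and the hash comparison above is the fallback for unsigned installers.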
Once malware was delivered, three major tasks were observed:

● System enumeration tools collected information such as the OS version, machine name and username, and file and directory listings.

● A credential-harvesting tool extracted stored passwords from various web browsers.

● Secondary implants communicated with different C2 infrastructures using custom protocols, with payloads executed in memory.