The global security leader F-Secure researched and analysed in depth the Havex malware family, which is used in targeted attacks against various industry sectors. The main components of Havex are a Remote Access Trojan (RAT) and a server written in PHP. F-Secure's research reveals that three software vendor sites were compromised and that the software installers on these sites were trojanized to deliver the Havex RAT. All three companies develop applications and appliances for industrial use. Two of these organisations supply remote management software for ICS systems, and the third develops cameras and related software.
F-Secure further found that Havex took a special interest in Industrial Control Systems (ICS). The aim of the attackers is to trojanize the software available for download from ICS manufacturer websites in order to infect the computers attached to the ICS environment. F-Secure gathered 88 variants of the Havex RAT, which were used to gain access to data from networks and machines. In its analysis the company investigated 146 command and control (C&C) servers contacted by the variants and also traced 1500 IP addresses in an attempt to identify the victims.
The F-Secure research also indicates that the attackers used compromised websites and blogs as C&C servers, as this helps them to easily infect the machinery used in ICS. It also makes clear that the attackers are interested in both the company networks and the ICS systems of the organisations.