Connect with us

Hi, what are you looking for?


Malware & Threats

Researchers Find 64-bit Version of Havex RAT

Trend Micro researchers have come across a 64-bit version of Havex, a remote access tool (RAT) that has been used in cyber espionage campaigns aimed at industrial control systems (ICS).

Trend Micro researchers have come across a 64-bit version of Havex, a remote access tool (RAT) that has been used in cyber espionage campaigns aimed at industrial control systems (ICS).

According to the security firm, while the 64-bit Havex has only been spotted recently, it has been around for quite some time.

In the campaign known as Dragonfly (Energetic Bear/Crouching Yeti), the threat actors appeared to be using only a 32-bit version of Havex since most of the systems they targeted ran the outdated Windows XP operating system. However, researchers at Trend Micro have spotted two Windows 7 infections in which the 64-bit version of the threat had been used.

One of the files observed in the infection is TMPpovider023.dll (BKDR64_HAVEX.A), a component responsible for command and control (C&C) server instructions for downloading files and executing commands.

The “23” in the file name represents the version of Havex. The file in question was initially compiled in October 2012 and designed to run on 64-bit operating systems. In version 29 of the malware, the 64-bit file was upgraded to a 32-bit Havex, experts said.

“The compile time of TMPprovider023.dll (v023) is earlier than any of the three other files, indicating that the 64-bit file pre-dates the other 32-bit files in this infection. In fact, standalone execution of the 32-bit module results to a file called TMPprovider029.dll, which definitely is v029 of the HAVEX RAT,” Trend Micro explained in a blog post.

Versions 23 and 29 of Havex appear to use the same infrastructure since they both communicate with the same C&C server. Researchers say there are currently four IP addresses communicating with the C&C server.

Advertisement. Scroll to continue reading.

In one of the infections spotted by Trend Micro, some of the malicious files, detected as BKDR_HAVEX.SM, were signed with a digital certificate in an effort to make them look like legitimate software. The digital certificate appeared to be signed by IBM, but in reality it was self-signed by the malware authors.

“While the HAVEX RAT has gone through several iterations—used in campaigns with ICS/SCADA and even pharmaceutical targets, nothing prevents it from being used again and again,” Trend Micro said. “ICS operators have to take note that the structure of the HAVEX binaries resemble much of what we see in common Windows malware – more so now that we’ve seen Windows 7 64-bit infections. It is thereby important to validate software being installed on endpoints within the environment, and to frequently monitor HTTP traffic.”

Havex and the Energetic Bear campaign were recently mentioned in an IT security report published by Germany’s Federal Office for Information Security (BSI). According to the government agency, several German companies have been targeted in the cyber espionage operation.

RelatedRegister Your Interest For the 2015 ICS Cyber Security Conference 

RelatedSouth Korea Nuclear Plants Stage Drill Against Cyber Attack

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...


The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.