Havex SCADA RAT Summary Report: Analyst Feedback and Remediations

Oh yeah, get prepared. The CrowdStrike Global Threat Report provides insight on the Havex SCADA RAT which has been targeting SCADA environments.

The Havex RAT is used to target companies which are active in the energy sector.


Although the attackers appear to focus primarily on victims in the energy sector, other verticals are affected. CrowdStrike has observed compromised hosts in:

  • European government;
  • European, U.S., and Asian academia;
  • European, U.S., and Middle Eastern manufacturing and construction industries;
  • European defense contractors;
  • European energy providers;
  • U.S. healthcare providers;
  • European IT providers;
  • European precision machinery tool manufacturers; and research institutes
havex rat
havex rat

The researchers from MalwareMustDie have published a PasteBin which provides insight on the infected environments and it shows how the Havex SCADA RAT infected her targets.

exploitation analysis
exploitation analysis

Havex live environments

havex live environments
havex live environments
havex rat trojan
havex rat trojan

Download the FULL CrowdStrike PDF (Mirror on Cyberwarzone: CrowdStrike_Global_Threat_Report_2013)

PasteBin files:

  • http://pastebin.com/raw.php?i=qCdMwtZ6
  • http://pastebin.com/2x1JinJd


Known Havex MD5 hashes

  • 2b2a2b6f962b5a69f880480dcb9646e2 (Malwr.com)
  • 979464521c927226ac683ec4c88c6218 (Malwr.com)

Filename found sample:

  • TmProvider.dll