Protect Your Assets

Are hackers wreaking Havex on your network?

MarthaAviles ‎07-03-2014 09:36 AM - edited ‎09-25-2015 08:10 AM

Havex, also referred to as “Energetic Bear,” is a piece of Windows malware that is actively being used in the wild in attacks against critical infrastructure, specifically targeting the energy sector in Western Europe and North America. This threat to enterprise security is a remote access Trojan (RAT) used to perform reconnaissance and to assist in delivering additional payloads to the target. Once installed, it fingerprints the victim machine (users, files, directories, etc.) and sends and receives information through compromised PHP web servers.


Havex can be delivered to the target in multiple ways:

  • Spam/Phishing
  • Watering-hole attacks
  • Exploit Kits (Hello/Lights Out)
  • Masquerading as a legitimate (trojanized) download

Let’s take a look at a sample of this malware (SHA1: 7f249736efc0c31c44e96fb72c1efcc028857ac7).


The sample we analyzed was a trojanized version of VPN software. Upon execution, this software loads and activates the malware, which begins collecting information about the system and waits to receive commands.
So now what? Is there a way to protect yourself from Havex?

Well that’s the good news—HP TippingPoint customers are protected from this malware’s outbound communication attempts. Next Tuesday a specific filter, 16455, will be published in our HP TippingPoint DVLabs weekly Digital Vaccine package for full coverage. In the interim, please contact HP TippingPoint support or your local Solution Architect to receive a custom filter for immediate use.

Protection from the Hello and Lights Out exploit kits is provided today by the following filters:

  • 12877: HTTP: Oracle Java Malicious Archive File Download
  • 13244: HTTP: Malicious Jar File Download (ZDI-13-153)
  • 13187: HTTP: Malicious Jar File Download
  • 12916: HTTP: Microsoft Internet Explorer offsetParent Use-After-Free Vulnerability
  • 12917: HTTP: Microsoft Internet Explorer offsetParent Use-After-Free Vulnerability
  • 12918: HTTP: Microsoft Internet Explorer offsetParent Use-After-Free Vulnerability

Stay ahead of the bad guys with HP TippingPoint—we are always on your side and understand that when it comes to protecting your network, every second matters. 


HP TippingPoint Network Security solutions

When every second matters, HP TippingPoint delivers industry-leading security intelligence powered by HP TippingPoint DVLabs—keeping you ahead of the threats. With simple, reliable and effective products including TippingPoint Next-Generation Intrusion Prevention System (IPS),  TippingPoint Next-Generation Firewall (NGFW), and the TippingPoint Security Management System, we are on your side, delivering proactive network security protection.  Learn more about how HP TippingPoint can help you with your network security solutions.

