Software: Backdoor.Oldrea, Havex

ID: S0093
Aliases: Backdoor.Oldrea, Havex
Type: Malware
Platform: Windows

Backdoor.Oldrea is a backdoor used by Dragonfly. It appears to be custom malware authored by the group or specifically for it. [1]

Techniques Used

  • File and Directory Discovery - Backdoor.Oldrea collects information about available drives, the default browser, the desktop file list, My Documents, Internet history, program files, and the root of available drives. It also searches for ICS-related software files. [1]
  • Data Encrypted - Backdoor.Oldrea writes collected data to a temporary file in encrypted form before exfiltration to a C2 server. [1]
  • Data Obfuscation - Some Backdoor.Oldrea samples use standard Base64 + bzip2, and some use standard Base64 + reverse XOR + RSA-2048, to decode data received from C2 servers. [1]
  • Credential Dumping - Some Backdoor.Oldrea samples contain a publicly available Web browser password recovery tool. [1]
  • File Deletion - Backdoor.Oldrea contains a cleanup module that removes traces of itself from the victim. [1]
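An added analyst-side helper, not code from this page or from the reporting it summarises, showing how the "Base64 + bzip2" layering named under Data Obfuscation can be recognised and peeled off a captured C2 response during triage. The sample blob is constructed here and is not real Havex traffic; the "reverse XOR + RSA-2048" variant is deliberately not implemented because the page gives no key or keying details for it.

```python
import base64
import binascii
import bz2

# Constructed sample: the shape a Base64-wrapped bzip2 C2 response would take.
# The inner text is made up for this example.
CONSTRUCTED_SAMPLE = base64.b64encode(
    bz2.compress(b"cmd=list_drives;interval=60")
).decode("ascii")


def unwrap_base64_bzip2(blob: str):
    """Peel the Base64 + bzip2 layering off one captured blob.

    Returns (layers, payload): the encodings detected, in order, and the
    innermost bytes recovered. Raises ValueError when the blob does not
    match this layering, so callers can fall back to other decoders.
    """
    try:
        # validate=True rejects stray characters rather than silently skipping them
        decoded = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("not valid Base64") from exc
    layers = ["base64"]

    # A bzip2 stream starts with the magic "BZh" followed by a block-size digit 1-9
    if decoded[:3] != b"BZh" or not decoded[3:4].isdigit():
        raise ValueError("Base64 payload is not a bzip2 stream")
    try:
        payload = bz2.decompress(decoded)
    except OSError as exc:
        raise ValueError("bzip2 stream is corrupt or truncated") from exc
    layers.append("bzip2")
    return layers, payload


def scan_responses(responses):
    """Run the unwrapper over a batch of captured response bodies.

    Returns a list of (index, layers, payload) for the bodies that matched
    the Base64 + bzip2 pattern; non-matching bodies are skipped.
    """
    hits = []
    for idx, body in enumerate(responses):
        try:
            layers, payload = unwrap_base64_bzip2(body)
        except ValueError:
            continue
        hits.append((idx, layers, payload))
    return hits


if __name__ == "__main__":
    # Constructed batch: one plain Base64 body, one matching body, one junk body.
    batch = [base64.b64encode(b"hello").decode(), CONSTRUCTED_SAMPLE, "not base64!!"]
    for idx, layers, payload in scan_responses(batch):
        print(idx, layers, payload)
```

The magic-byte check is the useful part for detection: plain Base64 text is common in legitimate traffic, but Base64 whose decoded bytes begin with a bzip2 header is rare enough in HTTP bodies to be worth surfacing for review.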

Groups

The following groups use this software: