eWON (HMS Networks)

Incident Summary

eWON VPN software installer distributed Havex.

Belgian ICS vendor eWON (later acquired by HMS Networks), which provides remote connectivity solutions such as VPN software for industrial equipment, was targeted by the DragonFly campaign. Legitimate software installers for its products (e.g., the eCatcher VPN client) available on its website were compromised to include the Havex RAT. This record tracks the eWON product scope specifically; related Havex vendor compromises are tracked separately.

Date
2013-01-01 to 2014-06-01
Category
Commercial
Target Surface
Distribution
Insertion Phase
distribution
Impact
Backdoor
Cause
Website compromise

What Was Affected

Package eWON (HMS Networks)
Language C++
Component Application
Artifact type binary archive
Domain type project download host
Domain ewon.biz

Compromised Versions

  • Specific software installers for products like eCatcher during the compromise window.

Incident Context

Motive
Espionage
Attribution
Nation-state
Transitive
No
Observed Duration
516 days

Evidence

Compromised Artifacts

  • Trojanized eWON eCatcher VPN client installer, downloaded from ewon.biz during 2013-2014.
  • Compromised installer filename variations reported as: MBBActiveServ.exe, eCatcher_Setup.exe (the specific names for eWON might vary; these are examples from the campaign).

Current Artifacts and Analysis

Indicators and Changes

Hashes

  • sha256:09a35ac2f7f9ca156c3a2ab2466c029976535390099101632e904a7ca3f6764d
  • sha256:4a1a783a11c1a2a9d5915717b16ebb5012c685f4457a08246666d7d2f7dcb238
  • md5:f691c8f16e290f829710ff0a18ff2532

Source Data

Source record: proprietary/ewon/meta.yaml