Cybercriminals Use Havoc Post-Exploitation Framework in Attack Campaigns

2023-02-24 By admin

According to security analysts, malicious actors have started using an open-source command and control (C2) framework called Havoc as an alternative to more expensive solutions like Cobalt Strike and Brute Ratel. One of the most noteworthy features of Havoc is its cross-platform compatibility. In addition, it can evade Microsoft Defender on contemporary Windows 11 systems using sleep obfuscation, return address stack spoofing, and indirect syscalls.

Similar to other exploitation kits, Havoc features a range of modules that enable penetration testers and malicious hackers to undertake various operations on compromised devices. These include command execution, process management, downloading of additional payloads, manipulation of Windows tokens, and execution of shellcode. These tasks can be performed through a web-based management console, which provides the attacker with visibility into all of their compromised devices, events, and the output of tasks.

In early January, an unnamed threat group leveraged this post-exploitation kit in a campaign aimed at an unidentified government agency. According to the Zscaler ThreatLabz research team, who detected the kit in the wild, the shellcode loader that is deployed on compromised systems will deactivate Event Tracing for Windows (ETW). Moreover, the ultimate Havoc Demon payload is loaded without DOS and NT headers to evade detection.
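As an added illustration, not code from the Zscaler report or the Havoc project: a small Python triage helper for captured memory regions that shows why a payload mapped without its DOS and NT headers slips past header-based checks, and the string-and-prologue heuristic a defender can fall back on. The API strings, prologue byte patterns and sample buffers are constructed assumptions for demonstration.

```python
import struct

# Hypothetical triage helper (constructed for this example). It classifies a
# captured memory region as an intact PE image, a suspected headerless PE
# image (DOS/NT headers stripped, as described for the Havoc Demon loader),
# or neither. Patterns below are illustrative heuristics, not a full scanner.
API_STRINGS = (b"kernel32.dll", b"GetProcAddress", b"LoadLibraryA",
               b"VirtualAlloc", b"ntdll.dll")
# Typical x64 function prologues: mov [rsp+8],rcx / sub rsp,imm8 / push rbx
PROLOGUES = (b"\x48\x89\x5c\x24\x08", b"\x48\x83\xec", b"\x40\x53\x48\x83\xec")


def has_pe_headers(region: bytes) -> bool:
    """True if the region starts with a DOS header whose e_lfanew points at 'PE\\0\\0'."""
    if len(region) < 0x40 or region[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", region, 0x3C)[0]
    return e_lfanew + 4 <= len(region) and region[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def classify_region(region: bytes, min_api_hits: int = 2) -> str:
    """Header check first; if headers are missing, fall back to content heuristics."""
    if has_pe_headers(region):
        return "pe_image"
    api_hits = sum(1 for s in API_STRINGS if s in region)
    has_prologue = any(p in region for p in PROLOGUES)
    if api_hits >= min_api_hits and has_prologue:
        return "headerless_pe_suspect"
    return "unknown"


def build_sample(strip_headers: bool) -> bytes:
    """Constructed sample: a minimal PE header stub followed by a body with code and strings."""
    hdr = bytearray(0x80)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)      # e_lfanew -> offset 0x40
    hdr[0x40:0x44] = b"PE\x00\x00"
    body = b"\x48\x83\xec\x28" + b"\x00" * 16 + b"kernel32.dll\x00GetProcAddress\x00"
    if strip_headers:
        hdr = bytearray(len(hdr))                # headers zeroed, body unchanged
    return bytes(hdr) + body
```

With headers present the region is identified directly; with them stripped, only the fallback heuristic still flags it.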


Additionally, the framework was disseminated via a malevolent npm package (Aabquerys), which was camouflaged as a legitimate module through typosquatting, as disclosed by a report from ReversingLabs’ research team earlier this month.

ReversingLabs threat researcher Lucija Valentić has stated that “Demon.bin” is a malevolent agent that possesses conventional remote access trojan (RAT) capabilities and was created using an open-source command and control framework called Havoc. “It supports building malicious agents in several formats including Windows PE executable, PE DLL and shellcode.”

Additional Cobalt Strike alternatives have been deployed

Cobalt Strike has emerged as the most prevalent tool employed by numerous threat actors for the deployment of “beacons” on compromised networks. These beacons facilitate the subsequent distribution and delivery of further malevolent payloads. Nonetheless, some malicious actors have begun to search for alternative solutions as security practitioners have become more adept at identifying and impeding their operations.

As previously reported by BleepingComputer and others, Brute Ratel and Sliver are among the options that can help evade antivirus software and Endpoint Detection and Response (EDR) solutions. These two C2 frameworks have been field-tested by a diverse range of threat groups, from financially-motivated cybercriminal organizations to government-sponsored hacking factions.

Brute Ratel, a post-exploitation toolkit developed by Mandiant and CrowdStrike ex-red teamer Chetan Nayak, has been utilized in attacks that are believed to be linked to the Russian-sponsored hacking group APT29 (also referred to as CozyBear). However, it is also possible that some Brute Ratel licenses have ended up in the hands of former members of the Conti ransomware gang.

In August 2022, Microsoft observed that multiple threat actors, including state-sponsored groups and cybercriminal organizations (such as APT29, FIN12, Bumblebee/Coldtrain), have turned to the Go-based Sliver C2 framework, which was developed by cybersecurity researchers at BishopFox, as an alternative to Cobalt Strike.

Cybercriminals wreak Havoc in attack campaigns


About Russell Kidson

I hail from the awe-inspiring beauty of South Africa. Born and raised in Pretoria, I’ve always had a deep interest in local history, particularly conflicts, architecture, and our country’s rich past of being a plaything for European aristocracy. ‘Tis an attempt at humor. My interest in history has since translated into hours at a time researching everything from the many reasons the Titanic sank (really, it’s a wonder she ever left Belfast) to why Minecraft is such a feat of human technological accomplishment. I am an avid video gamer (Sims 4 definitely counts as video gaming, I checked) and particularly enjoy playing the part of a relatively benign overlord in Minecraft. I enjoy the diverse experiences gaming offers the player. Within the space of a few hours, a player can go from having a career as an interior decorator in Sims, to training as an archer under Niruin in Skyrim. I believe video games have so much more to teach humanity about community, kindness, and loyalty, and I enjoy the opportunity to bring concepts of the like into literary pieces.