Hackers start using Havoc post-exploitation framework in attacks

[silversurfer]

Content source

https://www.bleepingcomputer.com/news/security/hackers-start-using-havoc-post-exploitation-framework-in-attacks/

Security researchers are seeing threat actors switching to a new and open-source command and control (C2) framework known as Havoc as an alternative to paid options such as Cobalt Strike and Brute Ratel.

Among its most interesting capabilities, Havoc is cross-platform and it bypasses Microsoft Defender on up-to-date Windows 11 devices using sleep obfuscation, return address stack spoofing, and indirect syscalls.

An unknown threat group recently deployed this post-exploitation kit in early January as part of an attack campaign targeting an undisclosed government organization.

As the Zscaler ThreatLabz research team that spotted it in the wild observed, the shellcode loader dropped on compromised systems will disable the Event Tracing for Windows (ETW) and the final Havoc Demon payload is loaded without the DOS and NT headers, both to evade detection.

The framework was also deployed via a malicious npm package (Aabquerys) typosquatting legitimate module, as revealed in a report from ReversingLabs' research team earlier this month.

"Demon.bin is a malicious agent with typical RAT (remote access trojan) functionalities that was generated using an open source, post-exploitation, command and control framework named Havoc," ReversingLabs threat researcher Lucija Valentić said. "It supports building malicious agents in several formats including Windows PE executable, PE DLL and shellcode."

Hackers start using Havoc post-exploitation framework in attacks

Security researchers are seeing threat actors switching to a new and open-source command and control (C2) framework known as Havoc as an alternative to paid options such as Cobalt Strike and Brute Ratel.

www.bleepingcomputer.com