
An open-source command-and-control (C2) framework known as Havoc has been adopted by attackers as an alternative to other well-known legitimate toolkits such as Cobalt Strike, Sliver, and Brute Ratel.
Cybersecurity firm Zscaler said it observed a new campaign targeting an unnamed government entity using Havoc in early January 2023.
“Although C2 frameworks are plentiful, the open-source Havoc framework is an advanced post-exploitation command-and-control framework that can bypass the latest and updated versions of Windows 11 Defender by implementing advanced evasion techniques such as indirect system calls and sleep obfuscation,” said researchers Niraj Shivtalkar and Niraj Shivtalkar.
The attack sequence documented by Zscaler begins with a ZIP archive embedded with decoy documents and screen saver files designed to download and launch the Havoc Demon agent on an infected host.
Demon is an implant generated via the Havoc framework, similar to the Beacon delivered via Cobalt Strike, that provides persistent access and delivers malicious payloads.
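The delivery chain above pairs a decoy document with a screen saver file inside a ZIP archive. The following is an added example, not code from the original article or from Zscaler, showing a defender-side triage check that inspects archive members for executable extensions, document-looking double extensions, and PE headers hiding under non-executable names. The sample archive and its contents are constructed inline for illustration; the extension list and file names are assumptions, not indicators from the campaign.

```python
import io
import zipfile

# Extensions Windows will run directly; .scr (screen saver) is the one the
# article's delivery chain relies on. This list is an assumption for the example.
EXECUTABLE_EXTENSIONS = {".scr", ".exe", ".com", ".pif", ".bat", ".cmd",
                         ".lnk", ".vbs", ".js", ".hta"}
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}
MZ_MAGIC = b"MZ"  # first two bytes of a Windows PE file


def suspicious_members(zip_bytes: bytes) -> list[dict]:
    """Return a list of {"name", "reasons"} for archive members worth a closer look."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            lower = info.filename.lower()
            parts = lower.split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            reasons = []
            if ext in EXECUTABLE_EXTENSIONS:
                reasons.append(f"executable extension {ext}")
            # e.g. report.pdf.scr: a document extension directly before the real one
            if len(parts) >= 3 and "." + parts[-2] in DOCUMENT_EXTENSIONS:
                reasons.append("document-looking double extension")
            # Read only the first two bytes; a PE under a .pdf/.txt name is a red flag
            with zf.open(info) as fh:
                head = fh.read(2)
            if head == MZ_MAGIC and ext not in EXECUTABLE_EXTENSIONS:
                reasons.append("PE header (MZ) under a non-executable name")
            if reasons:
                findings.append({"name": info.filename, "reasons": reasons})
    return findings


def build_sample_archive() -> bytes:
    """Construct an in-memory ZIP resembling the decoy-plus-.scr layout (constructed data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_2023.pdf", b"%PDF-1.4 constructed decoy document")
        # A stub that only carries the MZ magic; it is not an executable
        zf.writestr("Invoice_2023.pdf.scr", MZ_MAGIC + b"\x00" * 62)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in suspicious_members(build_sample_archive()):
        print(finding["name"], "->", "; ".join(finding["reasons"]))
```

The check deliberately reads only the first two bytes of each member, so it is cheap enough to run on mail gateways or ingest pipelines; hits should feed a sandbox or analyst queue rather than be treated as verdicts on their own.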

It also comes with various features that make detection harder, which has made it a lucrative tool in the hands of threat actors, even though cybersecurity vendors frown on the abuse of such legitimate red team software.
“After the Demon has been successfully deployed to the target machine, the server will be able to execute various commands on the target system,” the researchers said, adding that the server logs commands and their responses as they are executed. The results are then encrypted and sent to the C2 server.
Havoc is also used in connection with a rogue npm module called aabquerys. This module, once installed, triggers a three-step process to obtain the Demon implant. The package has since been removed.