There’s a fresh open-source command-and-control (C2) framework on the loose, dubbed Havoc, as an alternative to the popular Cobalt Strike, and other mostly legitimate tools, that have been abused to spread malware.
ReversingLabs wrote about Havoc earlier this month in connection with a malicious npm package called Aabquerys, noting that it was created by a malware developer called C5pider. Now researchers with Zscaler’s ThreatLabz threat intelligence unit say Havoc is being used in a campaign targeting a government organization.
“While C2 frameworks are prolific, the open-source Havoc framework is an advanced post-exploitation command and control framework capable of bypassing the most current and updated version of Windows 11 Defender,” the ThreatLabz researchers wrote in a report this week.
It’s also difficult to detect. The post-exploitation framework uses a range of sophisticated evasion techniques, including indirect syscalls, sleep obfuscation, and return address stack spoofing, to evade detection by infosec tools.
Cybercriminals use rogue servers as C2 systems to communicate with and send orders to malware in compromised computers. In recent years, legitimate tools like Cobalt Strike, which is used by corporate red teams for testing an organization’s security defenses, have been appropriated by criminals to gain persistence, move laterally through a victim’s network, and execute malicious payloads.
Cobalt Strike and Brute Ratel are among the most popular C2 systems, with Nighthawk, Silver, and Covenant also well-used.
Cybersecurity vendors are trying to push back against the malicious use of these tools, or at least catch them in the act. Palo Alto Networks’ Unit 42 group in December 2022 wrote that security pros are getting better at detecting Cobalt Strike attack code.
A month earlier, Google released a set of open-source Yara rules to help organizations flag and identify components of multiple versions of Cobalt Strike, adding that “since many threat actors rely on cracked versions of Cobalt Strike to advance their cyberattacks, we hope that by disrupting its use we can help protect organizations, their employees, and their customers around the globe.”
In the latest case, ThreatLabz in early January 2023 detected in the Zscaler Cloud an executable named “pix.exe” that was downloaded from a remote server and aimed at the unnamed government organization. The eventual goal of the code is to deliver the Havoc Demon payload.
ReversingLabs’s report described Havoc Demon as malware with remote access trojan (RAT) capabilities, generated by the Havoc framework.
According to ThreatLabz, Havoc Demon’s shellcode loader disables the Event Tracing for Windows feature used to trace and log events – a move to evade detection – and decrypts and executes the shellcode through Microsoft’s CreateThreadpoolWait function.
In another evasive move, Havoc’s Demon DLL is loaded without the DOS and NT headers. The payload uses a modified DJB2 hashing algorithm to resolve virtual addresses of disparate NT APIs. The attackers also use the image of “Zero Two” – a character in a Japanese anime TV series – to hide the execution and activities of the Havoc Demon payload going on in the background.
“After the demon is deployed successfully on the target’s machine, the server is able to execute various commands on the target system,” the researchers wrote.
The laundry list of commands includes downloading, uploading, copying, or removing files, displaying a file’s contents, creating a new directory or retrieving a current one, take a screenshot, and clean up and exit the system. The C2 server manages all this through a web-based console.
The ThreatLabz researchers were able to gather some information on the attackers by analyzing their infrastructure and taking advantage of operational security mistakes to get screenshots of their C2 machine through what they called a “self-compromise.”
While running the infrastructure analysis, the researchers found an open directory on a server that included multiple demon and Metasploit payloads as well as internal logs and screenshots. Included in the directory was a HTML file that showed a screenshot of the attackers’ machine.
They also determined the miscreants’ IP was located in New York. ®