Threat actors are switching from paid options like Cobalt Strike and Brute Ratel to a new open-source command and control (C2) framework called Havoc, according to security researchers.
One of Havoc's most notable features is that it is cross-platform and uses indirect syscalls, return address stack spoofing, and sleep obfuscation to evade Microsoft Defender on up-to-date Windows 11 devices.
Like other post-exploitation kits, Havoc offers many modules that let attackers and pen testers perform a range of actions on compromised devices, including running commands, managing processes, downloading additional payloads, manipulating Windows tokens, and executing shellcode.
The attacker can view all of their compromised devices, events, and task output through a web-based management console.
At the beginning of January, an unknown threat group used this post-exploitation kit in an attack campaign against an undisclosed government organization.
According to the Zscaler ThreatLabz research team, the shellcode loader dropped on compromised systems disables Event Tracing for Windows (ETW), and the final Havoc Demon payload is loaded without its DOS and NT headers to evade detection.
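As an added, defender-side illustration that is not from the article or from Zscaler's report, the following Python checks a dumped memory region for DOS/NT headers (to surface an in-memory image whose headers were stripped) and inspects a captured ETW function prologue for the kind of in-place patch that neutralises user-mode ETW. All byte strings are constructed samples, and the patch patterns are an assumption drawn from publicly documented ETW-tampering behaviour rather than anything the report describes.

```python
import struct

# Constructed sample regions (not real malware): a minimal PE-style image and a headerless code blob.
PE_REGION = (b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew -> 0x40
             + b"PE\x00\x00" + b"\x48\x83\xec\x28" + b"\x90" * 32)
HEADERLESS_REGION = b"\x90" * 0x40 + b"\x48\x83\xec\x28" + b"\x90" * 60

# Constructed first bytes of an ETW write routine: intact, and overwritten with a bare 'ret'.
INTACT_PROLOGUE = b"\x4c\x8b\xdc\x48\x83\xec\x58"
PATCHED_PROLOGUE = b"\xc3\x8b\xdc\x48\x83\xec\x58"

# Assumed patterns commonly left at the entry of a neutralised ETW function (not from the article).
ETW_PATCH_PATTERNS = (
    b"\xc3",                      # ret
    b"\x31\xc0\xc3",              # xor eax, eax ; ret
    b"\x48\x33\xc0\xc3",          # xor rax, rax ; ret
    b"\xb8\x00\x00\x00\x00\xc3",  # mov eax, 0 ; ret
)


def has_pe_headers(region: bytes) -> bool:
    """True if the region starts with a DOS header whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(region) < 0x40 or region[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", region, 0x3C)[0]
    return region[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def looks_like_code(region: bytes) -> bool:
    """Cheap heuristic: an x64 'sub rsp, imm8' frame setup appears somewhere in the region."""
    return b"\x48\x83\xec" in region


def flag_headerless_image(region: bytes) -> bool:
    """Flag code-bearing regions that carry no DOS/NT header, i.e. a header-stripped in-memory image."""
    return looks_like_code(region) and not has_pe_headers(region)


def etw_prologue_patched(prologue: bytes) -> bool:
    """True if a function's first bytes match one of the assumed ETW-disabling patch patterns."""
    return any(prologue.startswith(p) for p in ETW_PATCH_PATTERNS)


if __name__ == "__main__":
    print("headerless image flagged:", flag_headerless_image(HEADERLESS_REGION))  # True
    print("PE image flagged:", flag_headerless_image(PE_REGION))                  # False
    print("ETW prologue patched:", etw_prologue_patched(PATCHED_PROLOGUE))        # True
```

In practice both checks would run over regions read from a live process or a memory dump; the header check is cheap enough to apply to every private executable region, while the prologue check needs the original bytes of the ETW routine for comparison to avoid false positives.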
A report from the research team at ReversingLabs earlier this month revealed that the framework was also deployed using a malicious npm package (Aabquerys) typosquatting a legitimate module.
Lucija Valenti, a threat researcher at ReversingLabs, stated, “Demon.bin is a malicious agent with typical RAT (remote access trojan) functionalities that was generated using an open source, post-exploitation, command and control framework named Havoc.”
“It supports building malicious agents in a variety of formats, including shellcode, PE DLL, and Windows PE executable.”
Cobalt Strike has become the most common tool used by various threat actors to drop “beacons” on their victims’ breached networks for lateral movement and delivery of additional malicious payloads. However, as defenders have improved at detecting and stopping these attacks, some threat actors have recently begun looking for alternatives.
Brute Ratel and Sliver are two additional options that assist them in evading antivirus and Endpoint Detection and Response (EDR) solutions, as previously reported by BleepingComputer.
A wide range of threat groups, including financially motivated cybercrime gangs and state-backed hacking groups, have already field-tested these two C2 frameworks.
Former Mandiant and CrowdStrike red teamer Chetan Nayak created the post-exploitation toolkit Brute Ratel, which has been used in attacks thought to be linked to the Russian-sponsored hacking group APT29 (also known as CozyBear). Some Brute Ratel licenses may also have been acquired by former Conti ransomware gang members during the same period.
Microsoft also said in August 2022 that the Go-based Sliver C2 framework, developed by researchers at cybersecurity firm BishopFox, is now being used by multiple threat actors, including state-sponsored groups and cybercrime gangs (APT29, FIN12, and Bumblebee/Coldtrain) in their attacks instead of Cobalt Strike.