Many threat actors begin to adopt Havoc Framework
Recent research by security company Zscaler reports that threat actors are increasingly using the Havoc Framework for their malicious activities.
Havoc is an open-source command-and-control (C2) framework that gives attackers a wide range of capabilities, such as generating payloads, conducting reconnaissance on compromised hosts and running post-exploitation commands. Its agent also has built-in evasion techniques that help it avoid detection by security tools. Its main features are:
- Client: cross-platform UI written in C++ and Qt, with a modern dark theme based on Dracula
- Teamserver: written in Golang, with payload generation (exe/shellcode/dll) and customizable C2 profiles
- Demon, Havoc's flagship agent, written in C and ASM: sleep obfuscation via Ekko or FOLIAGE, x64 return address spoofing, indirect syscalls for Nt* APIs, and a variety of built-in post-exploitation commands
- Extensibility: custom agent support
In the most recent campaign analysed by Zscaler, the framework was used to attack financial institutions, government organisations and other high-value targets.
One of the key advantages of Havoc is its modular architecture, which allows attackers to easily add or remove features as needed. This makes it a versatile and adaptable tool for conducting a variety of attacks.
The Havoc C2 campaign highlights the importance of proper cybersecurity measures. The use of generated payloads and command-and-control servers to execute commands and gather sensitive information from compromised hosts shows that off-the-shelf C2 frameworks lower the bar for such operations, and the scenario described in Zscaler's blog post demonstrates what a campaign built on one can do. Organisations need to stay vigilant and take proactive steps to protect their systems and data rather than wait for an intrusion to surface.
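The practical step behind the advice to monitor for indicators is turning a published IoC list into a check that runs over an organisation's own logs. The following Python script is an added example, not code from the Zscaler report or from the Havoc project: it parses a small indicator feed (domains, IPv4 addresses, CIDR ranges, SHA-256 hashes) and matches it against proxy log lines. The feed values, the hostnames, the log format and the hashes are all constructed for illustration and are not Havoc indicators; a real feed would replace `IOC_FEED` and a real log export would replace `SAMPLE_LOG`.

```python
"""Match proxy log lines against an indicator feed.

Added example; the indicators and log lines below are constructed
and do not come from the Zscaler research or the Havoc project.
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed feed in a "type,value" form. Mixed case and a trailing dot are
# deliberate: a matcher must normalise before comparing.
IOC_FEED = f"""
# type,value
domain,update-cdn.example
domain,Login-Portal.Example.
ipv4,203.0.113.45
cidr,198.51.100.0/24
sha256,{'AB' * 32}
"""

# Constructed proxy log: timestamp, source IP, destination IP, host header,
# SHA-256 of the downloaded body ("-" when nothing was downloaded).
SAMPLE_LOG = f"""
2024-05-01T10:00:01Z 10.0.0.5 93.184.216.34 www.example.org -
2024-05-01T10:00:07Z 10.0.0.5 203.0.113.45 cdn.update-cdn.example -
2024-05-01T10:00:09Z 10.0.0.9 198.51.100.77 files.internal -
2024-05-01T10:00:12Z 10.0.0.9 192.0.2.10 mirror.example.net {'ab' * 32}
"""


@dataclass
class IocSet:
    domains: set = field(default_factory=set)
    ips: set = field(default_factory=set)
    nets: list = field(default_factory=list)
    hashes: set = field(default_factory=set)


def parse_feed(text: str) -> IocSet:
    """Parse the feed, lower-casing domains and hashes and typing the IPs."""
    iocs = IocSet()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, value = (p.strip() for p in line.split(",", 1))
        if kind == "domain":
            iocs.domains.add(value.lower().rstrip("."))
        elif kind == "ipv4":
            iocs.ips.add(ipaddress.ip_address(value))
        elif kind == "cidr":
            iocs.nets.append(ipaddress.ip_network(value, strict=False))
        elif kind == "sha256":
            iocs.hashes.add(value.lower())
    return iocs


def domain_matches(host: str, iocs: IocSet):
    """Return the matching indicator for an exact or subdomain hit, else None.

    A C2 operator controls every label under a listed domain, so
    "cdn.update-cdn.example" must match "update-cdn.example", while
    "notupdate-cdn.example" must not.
    """
    host = host.lower().rstrip(".")
    for d in iocs.domains:
        if host == d or host.endswith("." + d):
            return d
    return None


def ip_matches(addr: str, iocs: IocSet):
    """Return the matching address or network for an IP, else None."""
    ip = ipaddress.ip_address(addr)
    if ip in iocs.ips:
        return str(ip)
    for net in iocs.nets:
        if ip in net:
            return str(net)
    return None


def scan_logs(log_text: str, iocs: IocSet):
    """Return (line number, source IP, reasons) for every line that hits."""
    hits = []
    for n, line in enumerate(log_text.strip().splitlines(), 1):
        _ts, src, dst, host, digest = line.split()
        reasons = []
        d = domain_matches(host, iocs)
        if d:
            reasons.append(f"domain:{d}")
        i = ip_matches(dst, iocs)
        if i:
            reasons.append(f"ip:{i}")
        if digest != "-" and digest.lower() in iocs.hashes:
            reasons.append("sha256")
        if reasons:
            hits.append((n, src, reasons))
    return hits


if __name__ == "__main__":
    for n, src, reasons in scan_logs(SAMPLE_LOG, parse_feed(IOC_FEED)):
        print(f"line {n}: host {src} -> {', '.join(reasons)}")
```

Two design points matter in practice. Domains are matched on label boundaries, not by substring, so a lookalike such as `notupdate-cdn.example` does not fire and a subdomain of a listed domain does. Networks are kept as `ip_network` objects so a `/24` from the feed matches any address inside it without the feed having to enumerate hosts.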
To protect against attacks based on the Havoc framework, organisations are advised to monitor for and block the following Indicators of Compromise (IoCs):