Many threat actors begin to adopt Havoc Framework
Recent research by the security company Zscaler reports that threat actors are increasingly using the Havoc Framework for their malicious activities.
Havoc is a toolkit that provides attackers with a wide range of capabilities, such as creating malware, exploiting vulnerabilities, and conducting reconnaissance. It also has built-in evasion techniques that help it avoid detection by security tools:
Features

Client
- Cross-platform UI written in C++ and Qt
- Modern, dark theme based on Dracula

Teamserver
- Written in Golang
- Multiplayer
- Payload generation (exe/shellcode/dll)
- HTTP/HTTPS listeners
- Customizable C2 profiles
- External C2

Demon
- Havoc’s flagship agent written in C and ASM
- Sleep Obfuscation via Ekko or FOLIAGE
- x64 return address spoofing
- Indirect Syscalls for Nt* APIs
- SMB support
- Token vault
- Variety of built-in post-exploitation commands

Extensibility
- External C2
- Custom Agent Support
  - Talon
- Python API
- Modules
In the most recent campaign analysed by Zscaler, the framework was used to attack financial institutions, government organisations and other high-value targets.
One of the key advantages of Havoc is its modular architecture, which allows attackers to easily add or remove features as needed. This makes it a versatile and adaptable tool for conducting a variety of attacks.
The Havoc C2 framework campaign highlights the importance of proper cybersecurity measures in today’s digital world. The use of payloads and CnC servers to execute malicious commands and gather sensitive information showcases the ever-present threat of cyber attacks. The scenario described in the blog demonstrates the capabilities of such campaigns and the need for organizations to stay vigilant and protect their systems. With the rise of technology, the need for robust security solutions becomes increasingly vital, and organizations must take proactive steps to ensure the safety of their systems and data.
To protect against attacks based on the Havoc framework, organisations are advised to monitor for and block the following Indicators of Compromise (IoCs):
| Type | Indicator (IP/Domain/MD5) |
|---|---|
| IP address | 146[.]190[.]48[.]229 |
| Domain | ttwweatterarartgea[.]ga |
| MD5 | 5be4e5115cdf225871a66899b7bc5861 |
| MD5 | bfa5f1d8df27248d840d1d86121f2169 |
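Published IoCs are usually defanged (the `[.]` above) so they cannot be clicked, which means a naive string search over logs will never match them. The following script, an added example that is not part of the article or of Zscaler's research, refangs the four indicators listed above, buckets them by type (IP, domain, MD5) so matching is exact rather than substring-based, and scans log lines for them. The proxy, DNS and EDR log lines are constructed for illustration and do not come from the campaign.

```python
"""Match the Havoc-campaign IoCs listed above against log records.

Added example, not part of the original article. The indicator values are
the four published in the article; the log lines below are constructed.
"""
import re

# Indicators exactly as published (defanged with [.]).
DEFANGED_IOCS = [
    "146[.]190[.]48[.]229",
    "ttwweatterarartgea[.]ga",
    "5be4e5115cdf225871a66899b7bc5861",
    "bfa5f1d8df27248d840d1d86121f2169",
]

MD5_RE = re.compile(r"^[0-9a-f]{32}$")
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
# Tokens that can carry an IoC: IPv4 addresses, hostnames, 32-hex hashes.
TOKEN_RE = re.compile(r"[0-9A-Za-z][0-9A-Za-z.\-]*")


def refang(indicator: str) -> str:
    """Turn the defanged form back into the literal value seen on the wire."""
    return indicator.replace("[.]", ".").strip().lower()


def classify(value: str) -> str:
    """Label a value as ip, md5 or domain from its shape."""
    if IPV4_RE.match(value):
        return "ip"
    if MD5_RE.match(value):
        return "md5"
    return "domain"


def build_index(defanged):
    """Refang and bucket indicators so lookups are exact-match per type."""
    index = {"ip": set(), "md5": set(), "domain": set()}
    for raw in defanged:
        value = refang(raw)
        index[classify(value)].add(value)
    return index


def scan_line(line: str, index) -> list:
    """Return (type, value) pairs for every indicator found in one log line."""
    hits = []
    for tok in TOKEN_RE.findall(line):
        value = tok.lower().rstrip(".")
        kind = classify(value)
        if value in index[kind]:
            hits.append((kind, value))
        elif kind == "domain":
            # Also flag hosts under a listed domain (e.g. a subdomain of it).
            hits.extend(("domain", dom) for dom in index["domain"]
                        if value.endswith("." + dom))
    return hits


def scan_logs(lines, defanged=DEFANGED_IOCS):
    """Scan many lines; returns a list of (line_no, type, value) findings."""
    index = build_index(defanged)
    findings = []
    for n, line in enumerate(lines, 1):
        for kind, value in scan_line(line, index):
            findings.append((n, kind, value))
    return findings


# Constructed sample records: one proxy, one DNS, one EDR line, one benign line.
SAMPLE_LOGS = [
    "2023-01-05T10:12:03Z proxy src=10.0.0.23 dst=146.190.48.229 dport=443 action=allow",
    "2023-01-05T10:12:01Z dns client=10.0.0.23 query=ttwweatterarartgea.ga type=A",
    "2023-01-05T10:11:58Z edr host=WS-23 file=C:\\Users\\Public\\update.exe "
    "md5=5be4e5115cdf225871a66899b7bc5861",
    "2023-01-05T10:13:00Z proxy src=10.0.0.24 dst=146.190.48.2 dport=443 action=allow",
]

if __name__ == "__main__":
    for n, kind, value in scan_logs(SAMPLE_LOGS):
        print(f"line {n}: {kind} indicator {value}")
```

Exact-match buckets matter here: the benign fourth line contains `146.190.48.2`, which a substring search for the C2 address would not catch but a prefix-sloppy regex easily could. Hashes are compared case-insensitively because EDR products differ in how they print them.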