Recent research by the security company Zscaler reports that threat actors are increasingly using the Havoc C2 framework in their operations.

Havoc is a post-exploitation command-and-control (C2) toolkit that provides attackers with a wide range of capabilities, such as generating payloads, exploiting compromised hosts, and conducting reconnaissance. It also ships with built-in evasion techniques that help its agent avoid detection by security tools. The project's own feature list reads:

Features

Client

  • Cross-platform UI written in C++ and Qt

  • Modern, dark theme based on Dracula

Teamserver

  • Written in Golang

  • Multiplayer

  • Payload generation (exe/shellcode/dll)

  • HTTP/HTTPS listeners

  • Customizable C2 profiles

  • External C2

Demon

Havoc's flagship agent, written in C and ASM

  • Sleep Obfuscation via Ekko or FOLIAGE

  • x64 return address spoofing

  • Indirect Syscalls for Nt* APIs

  • SMB support

  • Token vault

  • Variety of built-in post-exploitation commands

Extensibility

  • External C2

  • Custom Agent Support

    • Talon

  • Python API

  • Modules

In the most recent campaign analysed by Zscaler, the framework was used to attack financial institutions, government organisations and other high-value targets.

[Figure: killchain]

One of the key advantages of Havoc, from an attacker's point of view, is its modular architecture, which allows operators to add or remove capabilities as needed. This makes it a versatile and adaptable tool for conducting a variety of intrusions.

The Havoc C2 campaign highlights the importance of sound cybersecurity measures. The use of malicious payloads and command-and-control (CnC) servers to execute commands and gather sensitive information shows that such threats are ongoing. The scenario described in the Zscaler blog demonstrates what these campaigns are capable of and why organisations need to stay vigilant and protect their systems. As reliance on technology grows, so does the need for robust security controls, and organisations should take proactive steps to safeguard their systems and data.

To protect against attacks based on the Havoc framework, organisations are advised to monitor for and block the following Indicators of Compromise (IoC):

IP/Domain/MD5

  • IP: 146[.]190[.]48[.]229

  • Domain: ttwweatterarartgea[.]ga

  • MD5: 5be4e5115cdf225871a66899b7bc5861

  • MD5: bfa5f1d8df27248d840d1d86121f2169
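As an added, defender-side example (not part of the Zscaler report or this article), the following Python refangs the indicators listed above, builds boundary-aware patterns from them, and matches them against constructed DNS, connection and EDR log lines; the sample log lines and host names are made up for illustration.

```python
import re

# IoCs exactly as published on this page, in defanged form.
PAGE_IOCS = [
    "146[.]190[.]48[.]229",
    "ttwweatterarartgea[.]ga",
    "5be4e5115cdf225871a66899b7bc5861",
    "bfa5f1d8df27248d840d1d86121f2169",
]

def refang(ioc: str) -> str:
    return ioc.replace("[.]", ".").replace("hxxp", "http").strip().lower()

def classify(value: str) -> str:
    if re.fullmatch(r"[0-9a-f]{32}", value):
        return "md5"
    if re.fullmatch(r"(?:\d{1,3}\.){3}\d{1,3}", value):
        return "ip"
    return "domain"

def build_index(iocs):
    """Map each refanged IoC to (kind, compiled pattern with token boundaries)."""
    index = {}
    for raw in iocs:
        value = refang(raw)
        kind = classify(value)
        # Boundaries keep 146.190.48.22 and 146.190.48.229 apart; a leading '.' is allowed for domains.
        lead = r"(?<![\w-])" if kind == "domain" else r"(?<![\w.])"
        tail = r"(?!\w)" if kind == "md5" else r"(?![\w.])"
        index[value] = (kind, re.compile(lead + re.escape(value) + tail))
    return index

def scan_logs(lines, index):
    """Return (line_no, ioc, kind) for every log line carrying a listed indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        low = line.lower()  # hashes are often logged upper-case
        for value, (kind, pat) in index.items():
            if pat.search(low):
                hits.append((n, value, kind))
    return hits

# Constructed sample log lines (not from the Zscaler report); line 3 is a near-miss IP.
SAMPLE_LOGS = [
    "2023-03-01T10:00:01Z dns client=10.0.0.5 query=ttwweatterarartgea.ga type=A",
    "2023-03-01T10:00:02Z conn src=10.0.0.5 dst=146.190.48.229:443 proto=tcp",
    "2023-03-01T10:00:03Z conn src=10.0.0.6 dst=146.190.48.22:443 proto=tcp",
    "2023-03-01T10:00:04Z edr host=WS07 file=notes.exe md5=5BE4E5115CDF225871A66899B7BC5861",
]
```

Running `scan_logs(SAMPLE_LOGS, build_index(PAGE_IOCS))` reports lines 1, 2 and 4 and ignores the near-miss address on line 3.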