Threat actors leverage the Havoc framework for post-exploitation

March 3, 2023

Recent research revealed that several threat actors are using the Havoc framework, a post-exploitation tool, as an alternative to Cobalt Strike and Brute Ratel. Havoc is an open-source command-and-control (C2) framework.

Havoc is cross-platform and has been reported to evade Microsoft Defender on Windows 11 through sleep obfuscation, indirect syscalls, and return address stack spoofing.

The tool also includes modules that let pen testers and amateur and professional hackers alike execute a range of tasks on compromised devices. Confirmed capabilities of Havoc include executing commands, downloading additional payloads, managing processes, running shellcode, and manipulating Windows tokens.

Researchers explained that operators control these features through a web-based management console that lets them review their infected devices, events, and task output.

The Havoc framework first appeared in the wild in a January cybersecurity incident.

According to investigations, a threat group recently used the Havoc framework as part of its post-exploitation kit in an operation that targeted an undisclosed government organisation.

In the incident in which researchers first spotted the tool in the wild, the shellcode loader deployed by the threat actors disabled Event Tracing for Windows (ETW) on the compromised system.

The threat actors then loaded the final Havoc Demon payload with its DOS and NT headers removed, to evade detection by AV solutions. Separately, another researcher disclosed that the framework could arrive via a malicious npm package that typosquats a legitimate module.
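The two evasions above (neutering ETW and mapping the payload without its PE headers) each defeat one naive check, so a responder wants a check that does not depend on them. The block below is an added example written for this article, not code from the original page or from the Havoc project. It assumes the common user-mode ETW bypass of overwriting the first bytes of ntdll!EtwEventWrite with a `ret`-style stub or a `jmp` detour (the article says only that ETW was disabled, not how), and that a memory scanner can compare an in-memory function prologue against the on-disk copy. The clean prologue bytes, the patch patterns and the sample code blob are constructed for illustration; real ntdll prologues differ per build, so the disk-versus-memory diff is the check that generalises.

```python
"""Constructed triage helpers for the two evasions described above:
a patched ntdll!EtwEventWrite and a headerless in-memory PE image.
All byte samples are constructed for illustration, not captured data."""
import struct

# Generic user-mode ETW patch stubs seen at the start of EtwEventWrite.
# These are widely documented patterns, not ones the article attributes to Havoc.
ETW_PATCH_PATTERNS = {
    b"\xc3": "ret",
    b"\x33\xc0\xc3": "xor eax,eax; ret",
    b"\x31\xc0\xc3": "xor eax,eax; ret",
    b"\xb8\x00\x00\x00\x00\xc3": "mov eax,0; ret",
    b"\x48\x33\xc0\xc3": "xor rax,rax; ret",
}

# Assumed (constructed) on-disk prologue: mov r11,rsp ; sub rsp,0x58.
CLEAN_PROLOGUE = b"\x4c\x8b\xdc\x48\x83\xec\x58"
# The same prologue after an "xor eax,eax; ret" patch.
PATCHED_PROLOGUE = b"\x33\xc0\xc3" + CLEAN_PROLOGUE[3:]


def etw_patch_verdict(prologue: bytes) -> str:
    """Name the known patch stub at the function start, 'jmp' for a detour, else 'clean'."""
    for pattern, name in ETW_PATCH_PATTERNS.items():
        if prologue.startswith(pattern):
            return name
    if prologue[:1] == b"\xe9":      # jmp rel32 detour
        return "jmp"
    if prologue[:2] == b"\xff\x25":  # jmp [rip+disp32] detour
        return "jmp"
    return "clean"


def prologue_diff(disk: bytes, mem: bytes) -> list:
    """Offsets where the in-memory prologue differs from the on-disk copy.

    Comparing against the file on disk works regardless of which stub was
    written, so it catches patterns not listed in ETW_PATCH_PATTERNS."""
    return [i for i, (a, b) in enumerate(zip(disk, mem)) if a != b]


def pe_headers_present(region: bytes) -> bool:
    """True if the region starts with a DOS header whose e_lfanew points at 'PE\\0\\0'.

    A loader that maps the image without its headers leaves this False, so a
    scanner that keys on the MZ/PE signatures misses the implant entirely."""
    if len(region) < 0x40 or region[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", region, 0x3C)[0]
    return region[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


# Crude fallback when headers are gone: count common x64 function prologues.
X64_PROLOGUES = (
    b"\x48\x83\xec",      # sub rsp, imm8
    b"\x48\x89\x5c\x24",  # mov [rsp+x], rbx
    b"\x40\x53",          # push rbx
    b"\x48\x8b\xc4",      # mov rax, rsp
    b"\x4c\x8b\xdc",      # mov r11, rsp
)


def count_x64_prologues(region: bytes) -> int:
    """Number of x64 prologue byte patterns in a region; high counts in private
    executable memory with no PE header are worth a closer look."""
    return sum(region.count(p) for p in X64_PROLOGUES)


# Constructed code blob: two tiny functions padded with int3 bytes.
SAMPLE_CODE = (
    b"\x48\x83\xec\x28\x48\x8b\xc4\x48\x83\xc4\x28\xc3\xcc\xcc\xcc\xcc"
    b"\x40\x53\x48\x83\xec\x20\x48\x8b\xd9\x48\x83\xc4\x20\x5b\xc3\xcc"
)


def build_sample_image(code: bytes) -> bytes:
    """Constructed minimal image: MZ, e_lfanew = 0x80, PE signature at 0x80, then code."""
    hdr = bytearray(0x84)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)
    hdr[0x80:0x84] = b"PE\x00\x00"
    return bytes(hdr) + code


def strip_headers(image: bytes, header_size: int = 0x84) -> bytes:
    """Mimic a loader that maps the image with its DOS/NT headers zeroed out."""
    return b"\x00" * header_size + image[header_size:]


if __name__ == "__main__":
    print("EtwEventWrite verdict:", etw_patch_verdict(PATCHED_PROLOGUE))
    print("bytes differing from disk:", prologue_diff(CLEAN_PROLOGUE, PATCHED_PROLOGUE))
    full = build_sample_image(SAMPLE_CODE)
    stripped = strip_headers(full)
    for label, region in (("with headers", full), ("headerless", stripped)):
        print(label, "PE headers:", pe_headers_present(region),
              "prologues:", count_x64_prologues(region))
```

The prologue count is deliberately the same for both regions; it is there to show that header-independent heuristics still see the code, not to serve as a detection rule on its own.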

That researcher explained that Demon.bin is the Havoc agent, with standard remote access trojan (RAT) functionality, generated by the open-source Havoc command-and-control and post-exploitation framework.

Havoc can also build its agents in multiple formats, including raw shellcode, a PE DLL, and a Windows PE executable.

Cybersecurity experts stated that threat groups have started adopting alternative beacons to carry out their operations, so Cobalt Strike may not be the only framework threat actors use in future attacks.

Defenders should therefore pay attention to the threat posed by the Havoc framework, since more threat actors could adopt it soon.
