Havoc: The Open-Source C2 Framework That's Gaining Traction Among Threat Actors
The use of legitimate red team software by threat actors to bypass security controls is becoming increasingly prevalent. In the latest development, a new campaign has emerged that utilizes an open-source command-and-control (C2) framework called Havoc as an alternative to well-known toolkits such as Cobalt Strike, Sliver, and Brute Ratel.
According to cybersecurity firm Zscaler, Havoc is an advanced post-exploitation command-and-control framework capable of bypassing Microsoft Defender on a fully updated Windows 11 system. This is due to its implementation of advanced evasion techniques such as indirect syscalls and sleep obfuscation.
Zscaler observed a new campaign at the beginning of January 2023 targeting an unnamed government organization that utilized Havoc. The attack sequence begins with a ZIP archive that embeds a decoy document and a screen-saver file that downloads and launches the Havoc Demon agent on the infected host. Demon is the implant generated via the Havoc Framework and is analogous to the Beacon delivered via Cobalt Strike to achieve persistent access and distribute malicious payloads.
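The lure layout described above (a decoy document bundled with an executable screen-saver) is something a mail or file gateway can check for before a user ever double-clicks. The following is an added example, not code from the Zscaler report or the Havoc project; the file names and contents it builds are constructed samples, and it verifies the screen-saver member is really a PE image by its DOS "MZ" header rather than trusting the extension alone.

```python
import io
import zipfile

# Windows runs these on double-click; the Havoc lure used a .scr screen-saver,
# which is an ordinary PE executable under a different extension.
EXECUTABLE_EXTS = {".scr", ".exe", ".com", ".pif"}
# Document types a lure typically ships next to the launcher as a decoy.
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".rtf"}

def _ext(name: str) -> str:
    base = name.rsplit("/", 1)[-1].lower()
    return base[base.rfind("."):] if "." in base else ""

def classify_archive(zip_bytes: bytes) -> dict:
    """Look for the 'decoy document + executable screen-saver' layout in a ZIP."""
    decoys, pe_launchers = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = _ext(info.filename)
            if ext in DECOY_EXTS:
                decoys.append(info.filename)
            elif ext in EXECUTABLE_EXTS:
                # Confirm the member is really a PE image (DOS "MZ" header) so a
                # renamed text file does not trigger a false positive.
                with zf.open(info) as fh:
                    if fh.read(2) == b"MZ":
                        pe_launchers.append(info.filename)
    # The reported lure shape: a PE launcher travelling with a document.
    suspicious = bool(decoys) and bool(pe_launchers)
    return {"decoys": decoys, "pe_launchers": pe_launchers, "suspicious": suspicious}

def _make_zip(members: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()

def build_sample_lure() -> bytes:
    """Constructed archive mimicking the reported layout (not a real campaign file)."""
    return _make_zip({"Invitation.pdf": b"%PDF-1.4 constructed decoy",
                      "Invitation.scr": b"MZ" + b"\x00" * 62 + b"constructed fake PE stub"})

def build_benign_archive() -> bytes:
    """Constructed archive with a document and a renamed text file, no PE image."""
    return _make_zip({"Invitation.pdf": b"%PDF-1.4 constructed document",
                      "slides.scr": b"just text, not a PE image"})
```

The benign sample deliberately carries a `.scr` name with non-PE content, so it shows that the header check, not the extension, decides the verdict.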
Havoc has a wide variety of features that make it difficult to detect, turning it into an attractive tool in the hands of threat actors. Once the implant is running on the target's machine, the operator can issue a variety of commands from the server; the commands are logged, and their responses are encrypted and transmitted back to the C2 server.
Havoc has also been employed in connection with a malicious npm package dubbed subquery that triggers a three-stage process to retrieve the Demon implant. The package has since been taken down.
As the abuse of legitimate red team software continues to grow, cybersecurity vendors are pushing back against this trend. Havoc is just the latest example of how threat actors are adapting and evolving their tactics in response to security measures. Organizations must remain vigilant and ensure that their security protocols are up to date to protect against such threats.