Hackers Using Havoc Post-Exploitation Framework In Attacks

Security researchers at Zscaler ThreatLabz observed threat actors using the open-source C2 framework known as Havoc in attack campaigns targeting government organizations.
The Havoc framework is an advanced post-exploitation command and control framework that serves as an alternative to paid options such as Cobalt Strike and Brute Ratel. It is capable of bypassing the most current and updated version of Windows 11 Defender because it implements advanced evasion techniques such as indirect syscalls and sleep obfuscation.
Matt Mullins, Senior Security Researcher at Cybrary, had this to say:
“Command and Control (or C2) frameworks are nothing new to the threat actor community. For a long time, the FOSS (Free and Open-Source Software) community had a harder time keeping up with the features and functionality associated with premium paid tools like Cobalt Strike. This left learners, lower budget teams, and criminal groups with limited options around older frameworks like Empire, Metasploit, and some very basic custom tooling.
“This all changed around 2018, when it seems that C2 frameworks simply exploded in options. There were a number of very sophisticated tools that reached a fair degree of maturity (such as Sliver, Mythic, etc.) while older frameworks were forked and revisited (such as BC-Security’s Empire fork) that gave a wonderful buffet of options to the aforementioned groups.
“As with most things in the industry, as these options became available, so did the options being implemented in threat actor TTPs. Outside of these robust options being made available, paid tooling was beginning to be leaked. Cobalt Strike has had its source code leaked a number of times now, along with other paid tools being shared and cracked. Cracked software is nothing new, but what is interesting is the specific shift of criminal groups to target cracking of red team software, as well as red teams for licenses.
“With such a cornucopia of options available to criminals, the detections and patterns used to previously sink paid tools aren’t nearly as effective. Take for consideration Cobalt Strike: it was already a big waste of money even back in 2018 because nearly every IR team, EDR tool, or any other defensive capability under the sun has detection ruling built for a majority of its offerings. This means that it was only useful to advanced red teamers, or criminals, because of the amount of customization needed to get it to work. This brings me back to the original point: why would anybody waste their money or time on Cobalt Strike when they can just download Havoc and it ‘works’ off the shelf and bypasses detections? Criminals now no longer need to hunt for licenses or crack software, while red teams don’t need to pay absurd prices for tools that they have to know how to use and customize.
“The cat-and-mouse game of detection and innovation is about to accelerate in favor of the offensive side because of this blooming of C2s. Reflect on the implementation of new tools like ChatGPT, along with other AI tools, and you now have more rapid generation of payloads, phishing emails, and other attacker-beneficial aspects. I can only surmise that we will see more breaches (and thus more potential undetected breaches) as a result of this increase in options and sophistication.”
The best thing about this for threat actors is that it’s free! Which is bad for you and me.
This entry was posted on February 16, 2023 at 4:45 pm and is filed under Commentary with tags Security.