Havoc: A New and Better C2 Framework For Hackers

A report from Zscaler ThreatLabz researchers reveals a new C2 framework called Havoc – which is being increasingly used by threat actors in their operations.

An open-source alternative to common tools like Cobalt Strike and Brute Ratel, Havoc is a cross-platform framework that comes with the Demon RAT embedded, letting the threat actor perform even more malicious operations. It also has an intuitive web-based interface and better detection-evasion techniques than other similar tools.

An Open-Source C2 Framework

While investigating a recent attack on an unnamed government organization, researchers at Zscaler ThreatLabz found the threat actors using a new command-and-control (C2) framework called Havoc, which has better features than the current mainstream C2 frameworks.

Being open-source software, Havoc is seen as a better alternative to Cobalt Strike and Brute Ratel for many reasons. It is a cross-platform framework that can bypass Microsoft Defender on up-to-date Windows 11 devices, using techniques like sleep obfuscation, return address stack spoofing, and indirect syscalls.

Along with a simple web interface for tracking all the compromised devices, Havoc contains various tools that let hackers perform more malicious operations. These include executing commands and shellcode, managing processes, downloading additional payloads, and manipulating Windows tokens.

Havoc was initially deployed on the compromised systems through a shellcode loader that automatically disables Event Tracing for Windows (ETW), making it undetectable by regular security solutions. It has also been noted to be distributed through an npm package (Aabquerys) that poses as a legitimate one by means of typosquatting.

Once it is installed, threat actors can also leverage a built-in Remote Access Trojan called the Demon, in addition to the inbuilt tools for building other malicious agents in the form of a Windows PE executable, a PE DLL, or shellcode.
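The typosquatting delivery mentioned above can be caught when dependencies are reviewed. The following is an added example, not code from the report or the article: it flags names in a `package.json` that sit within a small edit distance of packages on a trusted list. The allowlist, the sample manifest, and the function names are constructed, and "abquery" as the imitated name is an assumption the article does not state.

```javascript
// Assumption: packages this project trusts. "abquery" is an assumed
// look-alike target for illustration; the article does not name it.
const ALLOWLIST = ['abquery', 'express', 'lodash'];

// Levenshtein edit distance: insert, delete and substitute each cost 1.
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Lowercase and drop separators so "lo-dash" compares equal to "lodash".
const normalise = (name) => name.toLowerCase().replace(/[-_.]/g, '');

// Return dependencies that are not on the allowlist but closely resemble
// an allowlisted name. Very short names need a smaller maxDistance.
function findTyposquats(manifest, allowlist = ALLOWLIST, maxDistance = 2) {
  const deps = { ...manifest.dependencies, ...manifest.devDependencies };
  const findings = [];
  for (const name of Object.keys(deps)) {
    if (allowlist.includes(name)) continue; // exact match: trusted
    for (const trusted of allowlist) {
      const distance = editDistance(normalise(name), normalise(trusted));
      if (distance <= maxDistance) {
        findings.push({ name, resembles: trusted, distance });
      }
    }
  }
  return findings;
}

// Constructed package.json content for the demonstration.
const sampleManifest = {
  dependencies: { express: '^4.18.2', aabquerys: '^1.0.0', 'lo-dash': '^1.0.0' },
  devDependencies: { mocha: '^10.2.0' },
};

console.log(findTyposquats(sampleManifest));
```

A finding is a prompt for manual review of the package's publisher and history, not proof of malice.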
