Researchers identified a fresh attack on a government entity, during which the attackers employed a novel C2 framework dubbed Havoc. In spite of the widespread availability of C2 frameworks, Havoc stands out as an advanced post-exploitation framework that can elude the latest version of Windows 11 Defender.
Diving into details
Researchers at Zscaler noted that Havoc is open-source and is becoming an alternative to its paid counterparts Cobalt Strike and Brute Ratel.
The cross-platform framework leverages sleep obfuscation, indirect syscalls, and return address stack spoofing.
Havoc is an advanced post-exploitation C2 framework that can bypass even the most updated version of Windows 11 Defender.
Furthermore, it is challenging to detect because it uses several sophisticated evasion techniques.
It allows its operators to execute commands, manage payloads, manipulate Windows tokens, execute shellcode, and download extra payloads, among other tasks.
A shellcode loader deactivates the Event Tracing for Windows (ETW), on compromised systems, and loads the Havoc payload without DOS and NT headers, all in an effort to avoid detection.
Additional info
An unknown threat group dropped Havoc on an undisclosed government organization in January.
Additionally, a recent report has uncovered that the framework was distributed through a harmful npm package (Aabquerys), which imitated a legitimate module by typosquatting.
The bottom line
Threat actors are constantly and diligently evolving their TTPs and the use of different C2 frameworks is one of those. Therefore, researchers recommend implementing proactive cybersecurity solutions, including leveraging a threat intel platform, that comes pre-Loaded with premium intelligence feeds and enrichment sources.