New Threat Research: MalSync Teardown: From DLL Hijacking to PHP Malware for Windows  

Read Threat Research

Search

Havoc Post Exploitation Framework Observed in the Wild

An uptick in Cobalt Strike and Brute Ratel alternatives has been seen circulating by researchers, the most significant of all is known as Havoc. Havoc adopts an open-source C2 framework, allowing for it to be unpaid and easier to access by threat actors. The authors behind Havoc have designed it to be able to bypass Windows Defender, even on updated machines, by sleep obfuscation, return address stack spoofing, and indirect syscalls. Some instances of Havoc being leveraged in the wild have already been observed by the research teams at Zscaler ThreatLabz and ReversingLabs. Like other exploitation kits, Havoc includes a wide variety of modules allowing pen testers (and hackers) to perform various tasks on exploited devices, including executing commands, managing processes, downloading additional payloads, manipulating Windows tokens, and executing shellcode.

Analyst Notes

Here are some recommendations on how to defend against Havoc:

Keep software up to date: As with Cobalt Strike, keeping your software up to date is essential in defending against Havoc. This includes both operating systems and software applications.

Use strong authentication: Implement strong authentication methods to prevent unauthorized access to your systems, and use unique and strong passwords for all accounts.

Monitor network traffic: Monitor your network traffic for any unusual activity, such as unexpected connections or data exfiltration attempts. Consider using intrusion detection and prevention systems, as well as security information and event management (SIEM) tools, to help identify and respond to potential threats.

Implement network segmentation and access controls: Use network segmentation and access controls to limit the ability of attackers to move laterally within your network.

Educate employees: Educate your employees on how to identify and respond to potential phishing emails or other social engineering techniques that attackers may use to deliver Havoc payloads.

Implement file integrity monitoring: Implement file integrity monitoring to detect any changes to critical system files or configuration settings, which could indicate that an attacker has gained access to your systems.

Conduct regular vulnerability assessments and penetration testing: Regularly assess your systems for vulnerabilities and conduct penetration testing to identify and address any weaknesses that could be exploited by attackers, including the use of Havoc.

Use endpoint protection tools: Use endpoint protection tools such as antivirus and anti-malware software to help detect and prevent Havoc payloads from executing on your systems.

IOCs include:

Havoc CnC:
IP: 146[.]190[.]48[.]229
Domain: ttwweatterarartgea[.]ga

Hashes:
Pics.exe – 5be4e5115cdf225871a66899b7bc5861
Image.exe – bfa5f1d8df27248d840d1d86121f2169

https://www.bleepingcomputer.com/news/security/hackers-start-using-havoc-post-exploitation-framework-in-attacks/