Security News > 2023 > February > Hackers start using Havoc post-exploitation framework in attacks
Security researchers are seeing threat actors switching to a new and open-source command and control framework known as Havoc as an alternative to paid options such as Cobalt Strike and Brute Ratel.
Among its most interesting capabilities, Havoc is cross-platform and it bypasses Microsoft Defender on up-to-date Windows 11 devices using sleep obfuscation, return address stack spoofing, and indirect syscalls.
Like other exploitation kits, Havoc includes a wide variety of modules allowing pen testers to perform various tasks on exploited devices, including executing commands, managing processes, downloading additional payloads, manipulating Windows tokens, and executing shellcode.
"Demon.bin is a malicious agent with typical RAT functionalities that was generated using an open source, post-exploitation, command and control framework named Havoc," ReversingLabs threat researcher Lucija Valentić said.
While Cobalt Strike has become the most common tool used by various threat actors to drop "Beacons" on their victims' breached networks for later movement and delivery of additional malicious payloads, some of them have also recently begun looking for alternatives as defenders have gotten better at detecting and stopping their attacks.
In August 2022, Microsoft also noted that multiple threat actors, from state-sponsored groups to cybercrime gangs, are now using the Go-based Sliver C2 framework developed by researchers at cybersecurity firm BishopFox in their attacks as an alternative to Cobalt Strike.
News URL
Related news
- Hackers increasingly use Winos4.0 post-exploitation kit in attacks (source)
- Notorious Hacker Group TeamTNT Launches New Cloud Attacks for Crypto Mining (source)
- North Korean govt hackers linked to Play ransomware attack (source)
- Iranian Hackers Use "Dream Job" Lures to Deploy SnailResin Malware in Aerospace Attacks (source)
- Iranian Hackers Deploy WezRat Malware in Attacks Targeting Israeli Organizations (source)
- Hackers breach US firm over Wi-Fi from Russia in 'Nearest Neighbor Attack' (source)
- North Korean Kimsuky Hackers Use Russian Email Addresses for Credential Theft Attacks (source)
- Russian hackers hijack Pakistani hackers' servers for their own attacks (source)
- Russian hackers hijack Pakistani hackers' servers for their own attacks (source)
- CISA confirms critical Cleo bug exploitation in ransomware attacks (source)