Hackers start using Havoc post-exploitation framework in attacks
2023-02-16 00:00

Security researchers are seeing threat actors switching to a new and open-source command and control framework known as Havoc as an alternative to paid options such as Cobalt Strike and Brute Ratel.

Among its most notable capabilities, Havoc is cross-platform and evades Microsoft Defender on fully patched Windows 11 devices by combining sleep obfuscation, return address stack spoofing, and indirect syscalls.

Like other post-exploitation kits, Havoc ships a wide range of modules that let operators carry out tasks on compromised devices, including executing commands, managing processes, downloading additional payloads, manipulating Windows tokens, and executing shellcode.

"Demon.bin is a malicious agent with typical RAT functionalities that was generated using an open source, post-exploitation, command and control framework named Havoc," ReversingLabs threat researcher Lucija Valentić said.

Cobalt Strike remains the most common tool threat actors use to drop "Beacons" on breached networks for lateral movement and delivery of additional malicious payloads. As defenders have become better at detecting and blocking it, however, some of those actors have recently begun looking for alternatives.

In August 2022, Microsoft likewise noted that multiple threat actors, from state-sponsored groups to cybercrime gangs, had adopted the Go-based Sliver C2 framework, developed by researchers at the cybersecurity firm BishopFox, as an alternative to Cobalt Strike.

News URL

https://www.bleepingcomputer.com/news/security/hackers-start-using-havoc-post-exploitation-framework-in-attacks/