Hackers start using Havoc post-exploitation framework in attacks (Security News, February 2023)
Security researchers are seeing threat actors switching to a new and open-source command and control framework known as Havoc as an alternative to paid options such as Cobalt Strike and Brute Ratel.
Among its most notable capabilities, Havoc is cross-platform and evades Microsoft Defender on fully patched Windows 11 devices by combining sleep obfuscation, return address stack spoofing, and indirect syscalls.
Like other post-exploitation frameworks, Havoc ships a wide variety of modules that let operators perform tasks on compromised devices, including executing commands, managing processes, downloading additional payloads, manipulating Windows tokens, and executing shellcode.
"Demon.bin is a malicious agent with typical RAT functionalities that was generated using an open source, post-exploitation, command and control framework named Havoc," ReversingLabs threat researcher Lucija Valentić said.
While Cobalt Strike remains the most common tool threat actors use to drop "Beacons" on victims' breached networks for lateral movement and delivery of additional malicious payloads, some of them have recently begun looking for alternatives as defenders have gotten better at detecting and stopping their attacks.
In August 2022, Microsoft likewise noted that multiple threat actors, from state-sponsored groups to cybercrime gangs, were using the Go-based Sliver C2 framework, developed by researchers at cybersecurity firm BishopFox, in their attacks as an alternative to Cobalt Strike.