Security News > 2023 > February > Cry Havoc and let slip dogs of war ... there's an upgraded malware server in town

ReversingLabs wrote about Havoc earlier this month in connection with a malicious npm package called Aabquerys, noting that it was created by a malware developer called C5pider.

Now researchers with Zscaler's ThreatLabz threat intelligence unit say Havoc is being used in a campaign targeting a government organization.

"While C2 frameworks are prolific, the open-source Havoc framework is an advanced post-exploitation command and control framework capable of bypassing the most current and updated version of Windows 11 Defender," the ThreatLabz researchers wrote in a report this week.

The eventual goal of the code is to deliver the Havoc Demon payload. ReversingLabs's report described Havoc Demon as malware with remote access trojan capabilities, generated by the Havoc framework.

According to ThreatLabz, Havoc Demon's shellcode loader disables the Event Tracing for Windows feature used to trace and log events - a move to evade detection - and decrypts and executes the shellcode through Microsoft's CreateThreadpoolWait function.

The attackers also use the image of "Zero Two" - a character in a Japanese anime TV series - to hide the execution and activities of the Havoc Demon payload going on in the background.

News URL

https://go.theregister.com/feed/www.theregister.com/2023/02/17/havoc_c2_framework_threatlabz/