Threat Research: New Framework Raising “Havoc” 

Introduction: What is Havoc? 

Havoc, a new open-source repository command-and-control (C2) framework, is being used by threat actors as an alternative to Cobalt Strike and Brute Ratel (post-exploitation command and control frameworks). C2 frameworks provide threat actors with the ability to drop beacons on breached networks for later movement and delivery of additional malicious payloads. Over the years, Cobalt Strike and Brute Ratel have become common tools for threat actors to deliver malicious payloads to unsuspecting victims. This has led C2 developers and organizations using Cobalt Strike and Brute Ratel to be more vigilant of potential malware hiding in their repositories. With the new Havoc repository, threat actors are provided with a new avenue to target and exploit networks.  

Havoc Framework Attack Pattern: 

The infection chain utilized by the threat actors for delivering the Havoc Demon Agent on the target machines is initiated through a ZIP Archive named “ZeroTwo.zip” that consists of two files; the downloader “character,scr” and an “Untitled Document.docx.” 

  • The downloader “character.scr” is a screen saver that executes the Havoc Demon Agent on the victim machine. It is compiled using a batch (BAT) to executable computer file (EXE) converter “BAT2EXE” that allows users to convert Batch scripts into executables. The binary then writes and executes the decrypted BAT script from a temporary (Temp) folder. 
  • The “Untitled Document.docx” contains information regarding the “ZeroTwo,” a fictional character in the Japanese anime television series Darling in the Franxx and conceals the actual execution and malicious activities performed by the final payload.  

The Shellcode Loader is dropped on the compromised system, which is signed using Microsoft’s digital certificate. It disables Event Tracing for Windows by patching the Windows API (WinApi) “EtwEventWrite()” and then the Advanced Encryption Standard (AES) decrypts the shellcode using CryptDecrypt(), which triggers the callback function to the C2 server from the victim’s machine. The shellcode is executed via CreateThreadpoolWait(), which creates an event object in a signaled state and writes the shellcode in the allocated memory. 

The KaynLdr shellcode automatically loads the Havoc Demon DLL without the Denial of Service (DOS) and New Technology (NT) headers to evade detection. It resolves virtual addresses of various Native APIs (NTAPIs) using a modified DJB2 hashing algorithm. The shellcode retrieves the image base of the Demon Dynamic Link Library (DLL), which is embedded in the shellcode itself. 

The Havoc Demon DLL parses configuration files and uses sleep obfuscation techniques. It communicates with the C2 server through check-in requests and command execution and performs indirect syscalls and return address stack spoofing. 

Havoc Demon then has four functions that can be executed: DemonInit, DemonMetaData, DemonConfig, and DemonRoutine. 

  • Demonlnit:  
  • Retrieves the virtual addresses of functions from modules such as ntdll.dll/kernel32.dll by calling the API Hashing Routine discussed previously. 
  • Retrieves Syscall stubs for various NTAPI’s. 
  • Loads various Modules via walking the Process Environment Block (PEB) with stacked strings. 
  • Initialize Session and Config Objects such as Demon AgentID, ProcessArch etc. 
  • DemonRoutine: 
  • First, it checks if it is connected to the C2 server. If not, it calls TransportInit() to connect to the server. 
  • If the connection is successful, it enters the CommandDispatcher() function, which is responsible for a task routine which parses the tasks and executes them until there are no more tasks in the queue. 
  • If the malware is unable to connect to the C2 server, it will keep trying to connect to the server again. 

Capabilities: 

The Havoc framework is an advanced post-exploitation command and control (C2) framework that enables attackers to remotely control and monitor their malware-infected systems. Havoc’s web-based management console allows attackers to perform various tasks on exploited devices, including executing commands, managing processes, manipulating Windows tokens, and executing shellcode. 

One of the most interesting capabilities of Havoc is its ability to bypass Microsoft Defender on up-to-date Windows 11 devices using advanced evasion techniques such as sleep obfuscation, return address stack spoofing, and indirect syscalls. This makes it easier for attackers to evade detection and bypass security measures. Havoc also provides attackers with the ability to generate different formats of malicious agents, including Windows Preinstallation Environment (PE) executable, PE DLL, and shellcode. This versatility enables attackers to tailor their attacks to specific targets and evade detection. 

Targeted Industry: 

Government 

Targeted Technology: 

Windows Endpoint OS 

Conclusion: The Importance of Digital Hygiene and Proper Cybersecurity Measures 

The Havoc C2 framework campaign provides another example of why digital hygiene and proper cybersecurity measures are so important. Threat actors will continue to use C2 frameworks to deploy various payloads and execute malicious commands on victims’ networks to gather sensitive information. Organizations should remain vigilant and take appropriate steps to protect themselves from these types of threats, including implementing strong cybersecurity measures, investing in employee training and awareness, and regularly updating their security protocols.  

The Critical Start Cyber Threat Intelligence (CTI) team will continue to monitor the situation and work closely with the Threat Detection Engineering (TDE) team and the SOC to implement any relevant detections. For future updates, the CTI team will post via ZTAP® Bulletins and on the Critical Start Intelligence Hub. 

References: 

  1. https://www.zscaler.com/blogs/security-research/havoc-across-cyberspace 
  1. https://www.bleepingcomputer.com/news/security/hackers-start-using-havoc-post-exploitation-framework-in-attacks/ 

You may also be interested in…

Stay Connected on Today’s Cyber Threat Landscape

  • Hidden
  • Hidden
  • Hidden
  • Hidden
  • Hidden
  • Hidden
  • Hidden
  • Hidden

Don’t Fear Risk. Manage It.


CRITICALSTART® and MOBILESOC® are federally registered trademarks owned by Critical Start. Critical Start also claims trademark rights in the following: Cyber Operations Risk & Response™ platform, and Trusted Behavior Registry®. Any unauthorized use is expressly prohibited.