A victim in the banking industry was recently targeted by threat actors abusing the open source ‘Havoc’ framework. Attackers are using Havoc instead of tools like Cobalt Strike to avoid detection and deliver malicious payloads. Cybersixgill observed members of a popular underground forum discussing the use of Havoc in malicious operations and referencing the tool to promote a malware product.
An as-yet unidentified entity in the banking sector recently became the target of a supply chain attack leveraging open source software, according to security researchers1 who investigated the incident. To gain access, the attackers2 reportedly targeted components of the unnamed victims’ web assets, using the NPM3 platform to upload malicious scripts. Researchers also connected the attackers to a LinkedIn page of a purported bank employee, which appeared to be a phony profile designed to give the perpetrator an air of legitimacy.
The attacker's script determined whether the victim used Windows, MacOS, or Linux operating systems, decoding the NPM packages’ encrypted files and downloading a malicious binary onto the victim’s infrastructure. The attackers then used Azure CDN4 subdomains that included the victims’ names to (1) deliver malicious payloads, and (2) bypass security features, which do not flag legitimate services such as Azure.
At this stage of the attack chain, threat actors used a red team tool called Havoc5 as a sophisticated post-exploitation framework. Cybercriminals abuse such tools to escalate privileges, lurk on victims’ devices, deploy malware, and control systems and networks for extended periods of time. Post-exploitation tools such as Havoc are essential because they permit attackers to maintain a foothold in compromised environments and carry out substantive stages of attack chains, while avoiding detection.
In the recent banking sector attack, researchers reported that attackers used Havoc to evade security products like Windows Defender. Threat actors are increasingly opting to abuse Havoc, rather than other legitimate penetration testing tools, such as Cobalt Strike6, Brute Ratel7, and Sliver8, because of Havoc’s ability to bypass the most current version of Windows 11 Defender with advanced evasion techniques. While all of the above products are designed to simulate adversarial attack scenarios, threat actors continue to exploit them in actual breaches, to identify security gaps and overcome defenses.
In addition to abusing legitimate tools like Havoc, threat actors also develop post-exploitation-framework-as-a-service9 tools specifically designed for attacks. Such tools not only launch ransomware and encrypts files, they can also establish reverse shells10 with elevated privileges, upload/download files, log keystrokes, and provide real-time access to compromised systems via virtual network computing (VNC) sessions. In addition, some of these tools extract authentication tokens, persist after system reboots, facilitate lateral movement, view running processes, and generate cryptographic file hashes.
Cybersixgill’s advanced collection mechanisms observed threat actors advertising malware that leverages the Havoc framework, including the post below from a popular Russian-language cybercrime forum. The post describes the advertised malware as a “100% FUD (fully undetectable) Payload Pack/Crypt Service11.”
Cybercriminals use such tools to encrypt or pack malicious payloads, to evade detection by antivirus programs, and to make malware less detectable by security products. The advertiser claimed the malware can help deliver any payload and specifically claimed that Havoc was used to test all payloads. The product’s developer even offered to provide guidance to purchasers regarding the quality of malicious payloads. If the malware performs as advertised, the product could provide threat actors with a major advantage during attacks, helping them avoid detection and maintain persistence on victims’ environments.
While the advertiser appears primarily interested in its flagship product, the threat actor offered a variety of other services as well. These include phishing-related services, initial access12 , and “any other kind of chaos.” The advertiser also offered specific advice about delivering payloads, advising another forum member to “try putting a decoy in a zip (like a .LNK payload).”
Based on the advertiser’s activity on the forum, the malware’s operators are highly active on the underground and possess an understanding of the challenges faced by threat actors attempting to launch cyber attacks. The post also illustrates the importance among threat actors of the Havoc framework, which is presented as the gold standard for testing payloads.
Figure 1: Havoc-like malware advertised on a Russian cybercrime forum
In addition to the ad above, Cybersixgill also observed forum members discussing the relative merits of various post-exploitation tools, including Havoc, Sliver, and Cobalt Strike. In the post below (Figure 2), a threat actor sought opinions from experienced black hat hackers and APTs about Cobalt Strike or “their new favorite tool in 2023.” Cobalt Strike, Havoc, and Sliver appeared to be the most popular tools mentioned in the post.
Setting aside these threat actors’ personal preferences, the post illustrates the extent to which cybercriminals abuse legitimate tools in their attack chains. While monitoring malware and vulnerabilities is essential, posts such as the forum activity in this report indicate that organizations must also understand the threat posed by ostensibly legitimate tools, such as Havoc.
Figure 2: Forum members debate Cobalt Strike and Havoc
Threat actors are constantly on the lookout for new techniques and hacking tools to help them attack victim networks. For cybercriminals, public enemy number one remains their victims’ security defense mechanisms, which makes tools such as Havoc so attractive to them.
Ultimately, threat actors seek to remain fully undetected after intrusion. While some attackers prefer to exploit victims’ local infrastructure during malicious operations, others prefer to use tools initially designed for security professionals, such as Havoc. As a result, such red team tools remain popular topics on cybercrime forums, where threat actors discuss their abuse. To avoid becoming victims of attacks that leverage tools such as Havoc, Sliver, and Cobalt Strike, organizations must protect their systems and implement security best practices. These measures involve training employees about the dangers of clicking on links or attachments from suspicious emails, which can lead to the installation of malicious components.
1 Open source software is built with publicly available source code and allows anyone to view, modify, and distribute it without licensing restrictions, which is designed to encourage collaboration, transparency, and innovation.
2 The name and origin of the threat actors were not reported.
4 Azure Content Delivery Network (CDN) subdomains are used to deliver content to users by caching it in Edge servers located around the world. The subdomain typically appends “.azureedge.net” to the CDN endpoint name.
5 Havoc is an open source post-exploitation command-and-control (C2) framework used for penetration testing, red teaming, and blue teaming. undetectable) Payload Pack/Crypt Service.”
6 Cobalt Strike is a penetration testing tool widely used by security professionals and cybercriminals alike.
7 Brute Ratel simulates attacks and is designed to evade popular Endpoint Detection and Response (EDR) products.
8 Sliver is a cross-platform open-source toolkit designed for security testing that has been abused by threat actors as an alternative to Cobalt Strike.
9 Post-exploitation-framework-as-a-service (PEFaaS) is similar to the ransomware-as-a-service (RaaS) business model, distributing malicious components in the same way that legitimate software developers sell SaaS products.
10 A shell is a user interface for access to operating system services. A reverse shell is a remote shell, where the connection is made from the system that offers the services to the client that wants to use these services. Attackers can also use web shells instead of reverse shells.
11 Packers/crypters change the payload’s wrapper, making it less visible to security products and increasing its resilience.
12 Initial access is often sold by brokers (IABs) on the dark web, who offer remote access to compromised organizations’ systems, which attackers use for network intrusions.