Hackers favor uncommon pentest tools over malware

By opting for lesser known tools, adversaries increase their chances of staying invisible in a compromised IT infrastructure
October 8, 2024

In recent months, criminals have stepped up their use of the Havoc framework. Employed less frequently than similar tools, Havoc is harder to detect with corporate security solutions.

Our data shows that 12% of all cyberattacks involve tools originally developed for penetration testing. While red team and pentest tools have been abused since the mid‑2010s, threat actors now tend to substitute popular solutions with less well‑known ones.

A notable illustration of the trend is Havoc, an open‑source post‑exploitation framework. Initially, this kit was designed to allow pentesters to access the target system and establish control over it.

Since July, we have detected several campaigns where adversaries leveraged the lesser known framework Havoc to gain remote access to their victims’ computers. Havoc’s capabilities are quite similar to those of other frameworks. This tool is not as popular as others and therefore is more difficult to detect with security solutions. This is its key advantage for criminals. The campaigns most likely aimed at espionage, in which case the threat actors seek to stay unnoticed in the corporate infrastructure for as long as possible.
Oleg Skulkin
Head of BI.ZONE Threat Intelligence

The adversaries used phishing to deliver the framework’s malicious payload. In one of the campaigns, the victims received emails with what looked like medical documents. Attached was an archive with an LNK file. By double‑clicking the shortcut, the user downloaded a decoy document containing an outpatient medical record. This also initiated the installation of a loader that embedded Havoc’s agent into the victim’s device. After that, the adversaries gained access to the compromised system and were able to remotely execute commands and download additional files.
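The archive‑with‑shortcut lure described above is straightforward to flag at the mail gateway. The following is an added defensive example, not code from BI.ZONE or the article: it inspects a ZIP attachment and reports members that are Windows shell links, whether by `.lnk` extension or by the shell link header (so a renamed shortcut is still caught). The sample archive, its file names and contents are constructed for the demonstration.

```python
import io
import zipfile

# Shell link (.lnk) header: HeaderSize 0x4C followed by LinkCLSID
# 00021401-0000-0000-C000-000000000046, as laid out in MS-SHLLINK.
LNK_MAGIC = (b"\x4c\x00\x00\x00"
             b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46")


def is_lnk(data: bytes) -> bool:
    """True if the bytes begin with the shell link header, whatever the file name says."""
    return data[:len(LNK_MAGIC)] == LNK_MAGIC


def suspicious_archive_members(archive: bytes) -> list[str]:
    """Return the names of archive members that are shell links.

    `archive` is the raw bytes of a ZIP attachment. Input that is not a valid
    ZIP yields an empty list; callers can treat that as a separate finding.
    """
    hits = []
    try:
        with zipfile.ZipFile(io.BytesIO(archive)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                head = zf.open(info).read(len(LNK_MAGIC))  # only the header is needed
                if info.filename.lower().endswith(".lnk") or is_lnk(head):
                    hits.append(info.filename)
    except zipfile.BadZipFile:
        pass
    return hits


def build_sample_archive() -> bytes:
    """Constructed sample lure (not a real capture): a decoy document, a shortcut
    hiding behind a double extension, and a shortcut renamed to look like a .docx."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("outpatient_record.pdf", b"%PDF-1.4\n% constructed decoy\n")
        zf.writestr("outpatient_record.pdf.lnk", LNK_MAGIC + b"\x00" * 56)
        zf.writestr("list_of_documents.docx", LNK_MAGIC + b"\x00" * 56)
        zf.writestr("readme.txt", b"constructed benign text\n")
    return buf.getvalue()


if __name__ == "__main__":
    print(suspicious_archive_members(build_sample_archive()))
```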

In the other campaign, the attackers sent out phishing emails on behalf of a law enforcement agency. The recipient was notified of being a suspect in a serious crime and was requested to submit certain documents. To download a list of these documents, the victim was instructed to follow the link in the message body. Just like in the previous campaign, opening the link resulted in the installation of the adversaries’ loader and agent.

With its relatively low cost, broad coverage, and high effectiveness, phishing remains one of the most popular ways for adversaries to get initial access to target systems. To protect corporate mail from phishing messages, companies can use email filtering services, such as BI.ZONE CESP. This solution eliminates unwanted emails without slowing down the delivery of legitimate correspondence.

Dedicated portals such as BI.ZONE Threat Intelligence help to build robust defenses against attacks, including those using rare and hard‑to‑detect tools. The threat landscape data from such portals serves to ensure the effective operation of security solutions, accelerate incident response, and protect the company from the most critical threats.