Wreaking havoc in cyberspace: threat actors experiment with pentest tools

Oct. 9, 2024, 8:35 a.m.

Description

Recent research shows that adversaries are increasingly using the Havoc post-exploitation framework to bypass cybersecurity systems. Two campaigns utilizing this framework were analyzed. The first campaign involved phishing emails with malicious archives containing ISO files and LNK files, which downloaded and executed a loader disguised as OneDriveUpdater. The loader contained a Demon implant from the Havoc framework. The second campaign used a phishing email with a link to a webpage containing an encoded malicious payload, which also deployed a Demon implant. Both campaigns aimed to evade detection by using lesser-known tools and frameworks. The research highlights the ongoing trend of adversaries seeking alternatives to traditional malware and relying on phishing emails as a primary attack vector.

Date

Published: Oct. 8, 2024, 4:51 p.m.

Created: Oct. 8, 2024, 4:51 p.m.

Modified: Oct. 9, 2024, 8:35 a.m.

Attack Patterns

Demon

Havoc

T1059.003

T1547.001

T1573

T1055

T1134

T1036

T1204

T1140

T1132

T1027

T1566