Wreaking havoc in cyberspace: threat actors experiment with pentest tools
Oct. 9, 2024, 8:35 a.m.
Description
Recent research shows adversaries increasingly turning to the open-source Havoc post-exploitation framework, a pentest tool, to slip past security controls. Two campaigns built on it were analyzed. In the first, phishing emails carried malicious archives containing ISO images; the mounted ISO held LNK files that downloaded and ran a loader masquerading as OneDriveUpdater, and that loader carried a Demon implant, Havoc's agent. In the second, a phishing email linked to a web page hosting an encoded payload that likewise deployed a Demon implant. Both campaigns relied on less familiar tooling to stay under the radar of detections tuned for well-known malware and commodity command-and-control frameworks. The research underlines two durable trends: adversaries seeking alternatives to traditional malware, and phishing remaining the primary initial-access vector.
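The chain above (LNK inside a mounted ISO, cmd.exe launching a loader named like OneDriveUpdater from a non-system volume) lends itself to a few cheap process-creation checks. The following is an added example written for this page, not code from the research or from the Havoc project. The expected OneDrive install directories, the field names (Sysmon-style Image, ParentImage, CommandLine) and every sample event are assumptions constructed for the example; no real telemetry or campaign paths are reproduced.

```python
"""Detection sketch for the Havoc loader chain: masquerading OneDriveUpdater (T1036),
user execution from a mounted ISO (T1204) and cmd.exe as the launcher (T1059.003).
Added example; the paths, field names and events below are assumptions, not data
from the research."""
import ntpath
import re

# Assumed legitimate OneDrive locations (Windows defaults); tune per estate.
EXPECTED_ONEDRIVE_DIRS = (
    r"c:\program files\microsoft onedrive",
    r"c:\program files (x86)\microsoft onedrive",
    r"\appdata\local\microsoft\onedrive",  # per-user install, matched as a substring
)
SYSTEM_DRIVE = "c:"

# Matches a drive-letter path such as d:\ inside a command line (case-folded input).
DRIVE_REF = re.compile(r"(?<![a-z0-9])([a-z]):\\")

# Constructed sample events in Sysmon-style process-creation fields (not real telemetry).
SAMPLE_EVENTS = [
    {   # 0: legitimate OneDrive start from the per-user install directory
        "Image": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    },
    {   # 1: LNK target: explorer.exe runs cmd.exe, which starts a binary on the mounted ISO (D:)
        "Image": r"C:\Windows\System32\cmd.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r'cmd.exe /c start "" D:\OneDriveUpdater.exe',
    },
    {   # 2: the loader itself, named like OneDrive but running from the ISO root
        "Image": r"D:\OneDriveUpdater.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"D:\OneDriveUpdater.exe",
    },
    {   # 3: benign tool double-clicked on a USB stick (shows the tuning caveat)
        "Image": r"E:\tools\putty.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r"E:\tools\putty.exe",
    },
]


def _norm(path: str) -> str:
    return path.strip().lower()


def masquerade_onedrive(event: dict) -> bool:
    """Image name contains 'onedrive' but the directory is not a known install path (T1036)."""
    directory, name = ntpath.split(_norm(event.get("Image", "")))
    if "onedrive" not in name:
        return False
    return not any(known in directory for known in EXPECTED_ONEDRIVE_DIRS)


def launched_from_nonsystem_volume(event: dict) -> bool:
    """Parent is explorer.exe (a user double-click) and the image lives on a drive other
    than the system drive, which is what a mounted ISO looks like (T1204). USB sticks
    trigger this too, so it is a weak signal on its own."""
    image = _norm(event.get("Image", ""))
    parent = ntpath.basename(_norm(event.get("ParentImage", "")))
    drive, _ = ntpath.splitdrive(image)
    return parent == "explorer.exe" and bool(drive) and drive != SYSTEM_DRIVE


def cmd_references_nonsystem_volume(event: dict) -> bool:
    """cmd.exe (T1059.003) whose command line points at a file on a non-system drive."""
    if ntpath.basename(_norm(event.get("Image", ""))) != "cmd.exe":
        return False
    drives = {m.group(1) + ":" for m in DRIVE_REF.finditer(_norm(event.get("CommandLine", "")))}
    return any(d != SYSTEM_DRIVE for d in drives)


RULES = {
    "masquerade_onedrive": masquerade_onedrive,
    "launched_from_nonsystem_volume": launched_from_nonsystem_volume,
    "cmd_references_nonsystem_volume": cmd_references_nonsystem_volume,
}


def analyze(events: list) -> list:
    """Return (event index, rule name) pairs for every rule that fires."""
    hits = []
    for idx, event in enumerate(events):
        for name, rule in RULES.items():
            if rule(event):
                hits.append((idx, name))
    return hits


if __name__ == "__main__":
    for idx, name in analyze(SAMPLE_EVENTS):
        print(f"event {idx}: {name} -> {SAMPLE_EVENTS[idx]['Image']}")
```

Run stand-alone it flags events 1, 2 and 3 and leaves the legitimate OneDrive start alone. Event 3 is the caveat: execution from a non-system volume also catches ordinary USB use, so in practice that rule is best correlated with the masquerade or cmd.exe hits (same host, short window) rather than alerted on by itself. The per-user OneDrive directory check is also only as strong as the write permissions on that path, since an attacker running as the user can drop a file there.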
Date
Published: Oct. 8, 2024, 4:51 p.m.
Created: Oct. 8, 2024, 4:51 p.m.
Modified: Oct. 9, 2024, 8:35 a.m.
Attack Patterns
Demon
Havoc
T1059.003 (Command and Scripting Interpreter: Windows Command Shell)
T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder)
T1573 (Encrypted Channel)
T1055 (Process Injection)
T1134 (Access Token Manipulation)
T1036 (Masquerading)
T1204 (User Execution)
T1140 (Deobfuscate/Decode Files or Information)
T1132 (Data Encoding)
T1027 (Obfuscated Files or Information)
T1566 (Phishing)