| Havoc | |
| --- | --- |
| Type of Malware | Trojan |
| Date of Initial Activity | 2023 |
| Motivation | Cyberwarfare |
| Attack Vectors | Phishing |
| Targeted Systems | Windows |
Overview
In the ever-evolving landscape of cybersecurity, new and increasingly sophisticated threats emerge regularly, challenging even the most robust security systems. One of the latest and most concerning threats is the Havoc malware, a powerful and versatile command-and-control (C2) framework that has recently been identified in targeted campaigns. Unlike typical malware, Havoc is an open-source framework designed to bypass advanced security mechanisms, such as Windows Defender, by utilizing cutting-edge evasion techniques. With its ability to stealthily infiltrate and control compromised systems, Havoc has become a notable tool in the arsenal of threat actors, enabling them to execute complex post-exploitation activities without detection.
The Havoc framework stands out due to its use of advanced techniques like indirect syscalls, sleep obfuscation, and reflective loading of malicious code. These features make it particularly effective at evading traditional security measures. As the threat actor gains control over the victim’s system, they can deploy payloads that allow for extensive surveillance, data exfiltration, and further exploitation. The framework’s ability to dynamically adjust to different environments and security postures makes it an extremely dangerous tool in the hands of cybercriminals. Its open-source nature also means that the framework can be adapted and used by a wide range of threat actors, potentially increasing its impact and frequency of use.
Targets
Information
Individuals
How they operate
Infection Chain and Payload Delivery
The infection chain of Havoc begins with a carefully crafted attack vector, typically delivered via phishing emails or exploit kits that target known vulnerabilities in software. Once the victim interacts with a malicious attachment, such as a ZIP file or a weaponized document, the malware is deployed in the form of a downloader. For example, in one observed campaign, the Havoc malware was distributed through a ZIP archive containing a malicious .scr (screen saver) file and a seemingly innocuous .docx document. The .scr file acts as the downloader, designed to fetch and execute the final payload from a remote server.
The downloader is often compiled using tools like BAT2EXE, which converts Batch scripts into executable files to avoid detection by traditional security measures. Once the downloader is executed, it decrypts and loads the final payload, a Havoc Demon DLL, from a remote server. The payload is crafted to execute in memory without leaving traces on disk, further increasing its stealth.
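The attachment pattern described above (an .scr downloader packed beside a decoy .docx) is something a mail gateway or a triage script can flag before a user ever opens the archive. The Python below is an added example for that check; it is not code from the original write-up or from the Havoc project. The extension lists are this example's own defender-side choices, and the two sample archives are constructed in memory with placeholder bytes so the script runs offline.

```python
import io
import os
import zipfile

# Extension sets are this example's own defender-side choices (assumption), not
# taken from the original write-up; extend them to match local policy.
EXECUTABLE_EXTENSIONS = {".scr", ".exe", ".com", ".pif", ".bat", ".cmd",
                         ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".lnk"}
DOCUMENT_EXTENSIONS = {".docx", ".doc", ".xlsx", ".xls", ".pptx", ".pdf", ".txt"}


def split_extensions(filename: str) -> list[str]:
    """Return every dotted suffix of the base name, lower-cased, e.g.
    'Report.docx.scr' -> ['.docx', '.scr'], so double extensions stay visible."""
    base = os.path.basename(filename.replace("\\", "/"))
    parts = base.lower().split(".")
    return ["." + p for p in parts[1:]]


def triage_zip(data: bytes) -> dict:
    """Inspect a ZIP archive held in memory and return a triage verdict.

    Flags the lure the write-up describes (an executable such as a .scr sitting
    next to a decoy document) and document-looking double extensions."""
    reasons = []
    executables = []
    documents = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            exts = split_extensions(info.filename)
            if not exts:
                continue
            final = exts[-1]
            if final in EXECUTABLE_EXTENSIONS:
                executables.append(info.filename)
                # A document extension placed in front of the executable one.
                if any(e in DOCUMENT_EXTENSIONS for e in exts[:-1]):
                    reasons.append(f"double extension: {info.filename}")
            elif final in DOCUMENT_EXTENSIONS:
                documents.append(info.filename)
    if executables:
        reasons.append(f"archive contains executable content: {executables}")
    if executables and documents:
        reasons.append("executable delivered alongside decoy document(s)")
    return {
        "suspicious": bool(executables),
        "executables": executables,
        "documents": documents,
        "reasons": reasons,
    }


def build_constructed_sample() -> bytes:
    """Constructed archive mirroring the described lure: a decoy .docx and a
    .scr downloader. Contents are placeholder bytes, not real files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Invoice.docx", b"placeholder decoy document bytes")
        zf.writestr("Invoice.docx.scr", b"placeholder executable bytes")
    return buf.getvalue()


def build_benign_sample() -> bytes:
    """Constructed archive containing only documents, for comparison."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Q3 report.docx", b"placeholder document bytes")
        zf.writestr("notes.txt", b"placeholder notes")
    return buf.getvalue()


if __name__ == "__main__":
    for label, sample in (("lure", build_constructed_sample()),
                          ("benign", build_benign_sample())):
        verdict = triage_zip(sample)
        state = "SUSPICIOUS" if verdict["suspicious"] else "clean"
        print(f"{label}: {state} {verdict['reasons']}")
```

The verdict keys on the final extension, since that is what Windows uses to decide how to open a file; the earlier suffixes are only inspected to name the double-extension trick in the reasons list. Reading the archive from bytes rather than a path lets the same function sit behind a mail filter or a sandbox submission hook.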
Payload Execution and Evasion Techniques
After the final payload is delivered, Havoc employs a variety of evasion techniques to ensure that the malware operates undetected. One of the most notable evasion tactics is the use of sleep obfuscation. This technique forces the malware to execute at random intervals, making it harder for security tools to detect its presence through regular scanning. The malware also uses indirect syscalls to interact with the operating system’s kernel, bypassing common security defenses that rely on identifying direct system calls from the malicious payload.
Another key evasion technique used by Havoc is API hashing. To resolve the virtual addresses of various NTAPI functions, the malware uses a modified DJB2 hashing algorithm, which adds another layer of obfuscation. This makes it difficult for traditional signature-based antivirus systems to detect the malware, as the API addresses are constantly changing due to the hashing process.
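For a defender or reverse engineer, the practical counter to API hashing is a precomputed lookup table: hash the exported names a loader is likely to resolve and map constants recovered from a sample back to those names. The Python below is an added example, not code from the original write-up or from the Havoc project. It implements classic DJB2 (h = h * 33 + c, truncated to 32 bits); because the page says the variant is "modified" without stating the modification, the seed and case-folding are exposed as parameters (an assumption) to be adjusted once the variant is recovered from the sample. The NTAPI name list is this example's own selection of real ntdll exports.

```python
# Real ntdll.dll export names an analyst might expect a loader to resolve. The
# selection is this example's own (assumption), not taken from the write-up.
NTAPI_NAMES = [
    "NtAllocateVirtualMemory", "NtProtectVirtualMemory", "NtWriteVirtualMemory",
    "NtCreateThreadEx", "NtOpenProcess", "NtQueueApcThread", "NtDelayExecution",
    "NtWaitForSingleObject", "NtClose", "LdrLoadDll", "LdrGetProcedureAddress",
]


def djb2(name: str, seed: int = 5381, uppercase: bool = False) -> int:
    """Classic DJB2: h = h * 33 + c over the ASCII bytes, kept to 32 bits.

    The page states Havoc uses a modified DJB2 without giving the change; the
    seed and case folding are the two knobs variants most often alter
    (assumption), so both are parameters here."""
    h = seed & 0xFFFFFFFF
    for c in name.encode("ascii"):
        if uppercase and 0x61 <= c <= 0x7A:  # fold 'a'..'z' to 'A'..'Z'
            c -= 0x20
        h = ((h << 5) + h + c) & 0xFFFFFFFF
    return h


# Hash variants to precompute; add an entry once a sample's seed is recovered.
VARIANTS = {
    "djb2": {"seed": 5381, "uppercase": False},
    "djb2-upper": {"seed": 5381, "uppercase": True},
}


def build_lookup(names=NTAPI_NAMES, variants=VARIANTS) -> dict[int, tuple[str, str]]:
    """Precompute hash -> (api name, variant) for every name and variant so a
    constant copied out of a disassembly can be resolved in O(1)."""
    table: dict[int, tuple[str, str]] = {}
    for variant, params in variants.items():
        for name in names:
            # setdefault keeps the first hit if two entries ever collide.
            table.setdefault(djb2(name, **params), (name, variant))
    return table


def resolve(table: dict, value: int):
    """Map a 32-bit constant recovered from a sample to (name, variant), or None."""
    return table.get(value & 0xFFFFFFFF)


if __name__ == "__main__":
    table = build_lookup()
    # Constructed inputs: one constant that is in the table, one that is not.
    for h in (djb2("NtAllocateVirtualMemory"), 0xDEADBEEF):
        print(f"0x{h:08X} -> {resolve(table, h)}")
```

In practice the name list is generated from the export table of the ntdll.dll version under analysis rather than typed by hand, and a miss across every variant is itself a useful signal that the seed or the folding rule in the sample differs from the ones tabled.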
Additionally, Havoc reflects its Demon DLL into memory without standard DOS and NT headers, a technique known as Reflective Code Injection. This prevents the malware from being flagged by security tools that look for the usual headers of executable files. The Demon DLL then parses configuration files, performs various in-memory operations, and establishes communication with the C2 server to receive further commands.
C2 Communication and Command Execution
Havoc’s primary purpose is to establish and maintain control over compromised systems. It does this by setting up a covert communication channel with the attacker’s C2 server. The malware sends a CheckIn Request to the C2 server, signaling the successful infection of the system. Once the connection is established, the malware is ready to receive further commands, including the execution of arbitrary payloads.
The C2 server communicates with the infected system using encrypted channels to avoid detection by network monitoring tools. Upon receiving instructions, the malware can execute a variety of tasks, such as data exfiltration, credential harvesting, or deploying additional malware. Havoc is also capable of lateral movement, using the compromised machine to escalate privileges and spread across the network to other systems within the target environment.
Post-Exploitation and Persistence
One of the most concerning aspects of Havoc is its ability to maintain persistence within an environment. Once inside, the malware can modify system configurations, disable security features like Event Tracing for Windows (ETW), and install backdoors to ensure continued access. Through techniques like Return Address Stack Spoofing, Havoc can manipulate system memory to maintain a foothold in the target system, even if the initial payload is discovered and removed.
The malware also employs indirect syscalls, which involve making system calls via functions that indirectly invoke kernel operations, further complicating detection. This makes Havoc particularly difficult to identify and remove, even when advanced security measures are in place.
Conclusion
Havoc malware is a highly advanced and evasive threat capable of evading detection, maintaining persistence, and performing a wide range of post-exploitation activities. From its initial infection via social engineering tactics to its stealthy execution using reflective code injection and indirect syscalls, Havoc poses a significant threat to organizations, especially those in critical sectors like government and defense. Understanding its technical operation is essential for building effective defense mechanisms, as traditional security tools may struggle to detect or mitigate this highly obfuscated and adaptable malware.
MITRE Tactics and Techniques
Initial Access (TA0001):
Havoc malware often relies on phishing or exploiting vulnerable applications to gain initial access to the victim’s network. In the observed campaigns, the malware is delivered via malicious documents, such as a ZIP archive with an executable downloader.
Execution (TA0002):
Havoc leverages custom shellcode loaders, such as the KaynLdr shellcode, which reflectively loads the main payload without using standard headers, thus avoiding detection. This technique is a form of Reflective Code Injection (T1053) to execute the malicious code in memory.
Persistence (TA0003):
The malware ensures persistence by dropping a variety of payloads and configuration files on the target system. It also may make modifications to system settings to avoid detection, such as disabling Event Tracing for Windows (ETW) for better evasion.
Privilege Escalation (TA0004):
Havoc often leverages indirect system calls (T1203) and various other techniques to escalate privileges or maintain elevated access on compromised systems.
Defense Evasion (TA0005):
The malware employs a range of evasion techniques to bypass security defenses, including Sleep Obfuscation (T1499), indirect syscalls, and Return Address Stack Spoofing (T1055) to avoid detection by security products like Windows Defender.
Credential Access (TA0006):
Although not always observed in every campaign, Havoc can facilitate credential harvesting via keylogging or stealing credentials to further compromise systems.
Discovery (TA0007):
Once inside a network, the malware may use various discovery techniques to map the network and identify valuable targets. This includes querying system and network configurations, which can then inform the attacker about the best way to exploit the environment.
Lateral Movement (TA0008):
Using the compromised credentials and network knowledge, Havoc can facilitate Lateral Movement (T1021), spreading across the network to other systems and further compromising them.
Exfiltration (TA0010):
The malware may exfiltrate sensitive data or monitor user activities. Communication with the C2 server often includes the exfiltration of critical files, which are then sent to the attacker’s infrastructure.
Impact (TA0040):
Havoc can be used for Impact (T1486), including data destruction, file encryption (ransomware), or other actions designed to disrupt operations or damage the target organization’s reputation.