Current Cyber Threats

Dissecting a Malicious Havoc Sample

Summary:
Fortinet researchers have published a detailed analysis of a Havoc post-exploitation framework variant deployed during a long-term intrusion targeting critical national infrastructure (CNI) in the Middle East. The attacker used a disguised binary named conhost[.]exe, launched via the Windows Task Scheduler, as a remote injector. This injector decrypted a payload embedded in an accompanying conhost[.]dll and injected it into a newly created process using low-level Windows APIs. The injected code established the Havoc "demon" (the framework's agent) on the victim system for persistent C2 communication. The Havoc framework, developed by C5pider and publicly released in 2022, is a modular, open-source command-and-control framework whose components are written in C++, Go, Python, C and Assembly. It supports HTTP, HTTPS and SMB for C2 traffic and encrypts that traffic with AES, with the key and IV carried in the initial DLL payload. Upon execution, the demon collects system metadata (host name, user name, process details, OS architecture and network configuration) and transmits it to the C2 server in a demon-init packet whose fields sit at fixed offsets and carry specific identifiers.


Security Officer Comments:
Fortinet observed that the attacker-controlled C2 server was unreachable during analysis, so the researchers stood up a simulated C2 environment to exercise the demon. The Havoc demon sends heartbeat packets at regular intervals and can execute a wide variety of C2 instructions, ranging from simple file system operations to Kerberos ticket abuse and in-memory execution of Beacon Object Files (BOFs). BOFs extend Havoc's capabilities dynamically without writing to disk, which improves stealth. Havoc supports an extensive command set including process and user enumeration, credential dumping (nanodump), service creation and control, registry manipulation, scheduled task enumeration, screenshot capture, and token impersonation. Many commands are further divided into sub-commands for granular control.


Suggested Corrections:
  • Monitor for Task Scheduler abuse: Alert on the creation of new scheduled tasks, particularly those that launch unsigned or uncommon binaries, binaries stored outside standard program directories, or executables with suspicious parameters.
  • Detect anomalous process activity: Use behavioral monitoring to flag binaries that carry the name of a core system process (such as conhost.exe) but run from a non-standard path, are created by an unexpected parent process, or are launched with unusual command-line arguments.
  • Block known command-and-control infrastructure: Prevent outbound traffic to known-malicious and suspicious domains, and monitor for connections to unfamiliar IP addresses over HTTP, HTTPS, or SMB.
  • Deploy advanced memory protection: Use security solutions capable of detecting in-memory code injection and execution, since the Havoc payload never touches disk once the injector has decrypted it.
  • Control DLL loading behavior: Enforce DLL allow-listing and restrict the loading of unsigned or non-standard libraries, particularly in environments supporting critical infrastructure or high-value assets.
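The first two corrections above (Task Scheduler abuse and a system-process name running from the wrong place or under the wrong parent) can be combined into one hunting rule. The following is an added example written for this digest; it is not Fortinet's analysis code and not part of the Havoc project. It runs over constructed Sysmon-style process-creation (Event ID 1) records: the field names mirror Sysmon's EventData, the "key=value; key=value" line layout is an assumed simplification of the real XML, and every path and process ID is made up. It relies on two facts behind the write-up: a genuine conhost.exe lives in System32 and is spawned by csrss.exe, whereas a task started by the Task Scheduler service has the Schedule-service svchost.exe (typically "svchost.exe -k netsvcs -p -s Schedule") as its parent.

```python
"""Hunt for a disguised conhost.exe started by the Task Scheduler, as in the
Havoc intrusion described above. Added example, not Fortinet's or Havoc's code.
The log lines are constructed; the "key=value; ..." format is an assumed
simplification of Sysmon Event ID 1 EventData."""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed sample records (not real telemetry). The second record mimics the
# chain in the write-up: a conhost.exe outside System32, started by the
# Schedule service. The third is a benign scheduled task from Program Files.
SAMPLE_LOG = r"""
ProcessId=4412; Image=C:\Windows\System32\conhost.exe; CommandLine=\??\C:\Windows\system32\conhost.exe 0x4; ParentImage=C:\Windows\System32\csrss.exe; ParentCommandLine=csrss.exe
ProcessId=7120; Image=C:\ProgramData\Microsoft\conhost.exe; CommandLine=C:\ProgramData\Microsoft\conhost.exe; ParentImage=C:\Windows\System32\svchost.exe; ParentCommandLine=C:\Windows\System32\svchost.exe -k netsvcs -p -s Schedule
ProcessId=8804; Image=C:\Program Files\ExampleVendor\updater.exe; CommandLine="C:\Program Files\ExampleVendor\updater.exe" /quiet; ParentImage=C:\Windows\System32\svchost.exe; ParentCommandLine=C:\Windows\System32\svchost.exe -k netsvcs -p -s Schedule
"""

SYSTEM32 = r"C:\Windows\System32"
# Roots a scheduled task is normally expected to run from (site-specific; tune).
TRUSTED_ROOTS = (r"C:\Windows", r"C:\Program Files", r"C:\Program Files (x86)")


@dataclass
class ProcEvent:
    pid: int
    image: str
    command_line: str
    parent_image: str
    parent_command_line: str


def parse_log(text: str) -> list[ProcEvent]:
    """Parse the simplified 'key=value; ...' records (one event per line)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(part.split("=", 1) for part in line.split("; "))
        events.append(ProcEvent(
            pid=int(fields["ProcessId"]),
            image=fields["Image"],
            command_line=fields.get("CommandLine", ""),
            parent_image=fields["ParentImage"],
            parent_command_line=fields.get("ParentCommandLine", ""),
        ))
    return events


def _under(path: str, root: str) -> bool:
    """Case-insensitive 'path lies inside root' on normalised Windows paths."""
    p = str(PureWindowsPath(path)).lower()
    r = str(PureWindowsPath(root)).lower().rstrip("\\") + "\\"
    return p.startswith(r)


def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def findings(ev: ProcEvent) -> list[str]:
    """Return the hunting rules this event trips (empty list means benign)."""
    out = []
    name = _basename(ev.image)
    parent = _basename(ev.parent_image)
    if name == "conhost.exe":
        # Real conhost.exe is C:\Windows\System32\conhost.exe, child of csrss.exe.
        if not _under(ev.image, SYSTEM32):
            out.append("conhost.exe masquerade: image outside System32")
        if parent != "csrss.exe":
            out.append(f"conhost.exe spawned by {parent}, expected csrss.exe")
    launched_by_scheduler = (
        parent == "svchost.exe" and "-s schedule" in ev.parent_command_line.lower()
    )
    if launched_by_scheduler and not any(_under(ev.image, r) for r in TRUSTED_ROOTS):
        out.append("scheduled task ran a binary from an untrusted path")
    return out


def scan(text: str) -> dict[int, list[str]]:
    """Map each suspicious ProcessId to its findings; benign events are omitted."""
    return {ev.pid: f for ev in parse_log(text) if (f := findings(ev))}


if __name__ == "__main__":
    for pid, hits in scan(SAMPLE_LOG).items():
        print(pid, "->", "; ".join(hits))
```

The rules are deliberately narrow: a path check on the image, a parent check for conhost.exe specifically, and a trusted-root check for anything the Schedule service starts. Scheduled tasks in Program Files or Windows stay quiet, while the disguised conhost.exe trips all three rules at once, which is a useful triage signal on its own. In production the same logic belongs in a SIEM query over real Sysmon or EDR telemetry, with TRUSTED_ROOTS adjusted to the environment's software inventory.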

Link(s):
https://www.fortinet.com/blog/threat-research/dissecting-a-malicious-havoc-sample