Wreaking havoc in cyberspace: threat actors experiment with pentest tools

Recent research reveals adversaries increasingly using the Havoc post-exploitation framework to evade security controls. Two campaigns utilizing this framework were analyzed.

The first campaign involved phishing emails with malicious archives containing ISO files and LNK files, which downloaded and executed a loader disguised as OneDriveUpdater. The loader contained a Demon implant from the Havoc framework.

The second campaign used a phishing email with a link to a webpage containing an encoded malicious payload, which also deployed a Demon implant.

Both campaigns aimed to evade detection by using lesser-known tools and frameworks. The research highlights the ongoing trend of adversaries seeking alternatives to traditional malware and exploiting phishing emails as a primary attack vector.

Author: AlienVault

Related Tags:
demon implant
cybersecurity evasion
Demon
T1547.001
havoc
T1059.003
Havoc framework
T1132
T1573

Associated Indicators (file hashes):

SHA-256:
88F83A7394C61B0E05432572CCBBACD1878DAD0602C5459F98F46C265E63D8C7
07AE355EBFAFE21D81592B765053C48CF4A079D71B359B6A4D7F412B1DFB6374
AC301B7698AC040F219EB8DFB248595A406B075D91F51116EF60D4DD9F5242AD
7C2F59D9790B816CB6F27A796D7C928046519F7429B7D2BBE53C60A7A55E22A7
189802CC7A8F5B8D260DA48398835C9926B489FE0C1074E32DCF1FB3BAD2E569
7E3928A7F3300AEDF261DB5596CB7F2F6AAC115240B010E25A3D53DECDE38FD0

SHA-1:
14A8C1F7DD2EC5AC1FAA8050ACBB2FCDF7B8AC8C
7388F62E8DA9CDBCAC4F5BC6B0DC41FF8F0056A9
BB92E0CA7EDA4B866AF872A4552E4DF42BB28ABA
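The indicators above are a mix of SHA-256 and SHA-1 file hashes, so a defender sweeping a host for the loader and Demon implant samples described in the summary needs to compute both digests per file and compare each against the right set. The following scanner is an added example written for this page, not code from AlienVault or from the Havoc project: it takes the hash list as printed above, sorts each value by the digest algorithm its length implies, hashes every file under a directory once for all required algorithms, and reports matches. The `run_demo` helper constructs a throwaway directory with two benign sample files, treats one of them as "known bad" by adding its SHA-256 to the indicator list, and is only there so the block can be run offline; the sample files and that extra hash are constructed for the demo and are not indicators from the page.

```python
import hashlib
import os
import re
import tempfile
from pathlib import Path

# File-hash indicators copied from the page (SHA-256 and SHA-1 values).
PAGE_INDICATORS = [
    "88F83A7394C61B0E05432572CCBBACD1878DAD0602C5459F98F46C265E63D8C7",
    "07AE355EBFAFE21D81592B765053C48CF4A079D71B359B6A4D7F412B1DFB6374",
    "AC301B7698AC040F219EB8DFB248595A406B075D91F51116EF60D4DD9F5242AD",
    "7C2F59D9790B816CB6F27A796D7C928046519F7429B7D2BBE53C60A7A55E22A7",
    "189802CC7A8F5B8D260DA48398835C9926B489FE0C1074E32DCF1FB3BAD2E569",
    "7E3928A7F3300AEDF261DB5596CB7F2F6AAC115240B010E25A3D53DECDE38FD0",
    "14A8C1F7DD2EC5AC1FAA8050ACBB2FCDF7B8AC8C",
    "7388F62E8DA9CDBCAC4F5BC6B0DC41FF8F0056A9",
    "BB92E0CA7EDA4B866AF872A4552E4DF42BB28ABA",
]

# Hex digest length -> hashlib algorithm name. Length alone identifies the
# algorithm for the hash types that appear in threat-intel feeds.
HEX_LEN_TO_ALGO = {64: "sha256", 40: "sha1", 32: "md5"}


def classify_indicators(indicators):
    """Group hex-string indicators by algorithm; skip anything that is not a hash."""
    groups = {}
    for ioc in indicators:
        value = ioc.strip().lower()
        if not re.fullmatch(r"[0-9a-f]+", value):
            continue  # not a hex digest (could be a domain, URL, ...)
        algo = HEX_LEN_TO_ALGO.get(len(value))
        if algo is None:
            continue  # unknown digest length
        groups.setdefault(algo, set()).add(value)
    return groups


def file_digests(path, algos):
    """Read the file once and return {algo: hexdigest} for every requested algorithm."""
    hashers = {algo: hashlib.new(algo) for algo in algos}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for hasher in hashers.values():
                hasher.update(chunk)
    return {algo: hasher.hexdigest() for algo, hasher in hashers.items()}


def scan_directory(root, indicators):
    """Return (path, algorithm, digest) for every file whose digest is an indicator."""
    groups = classify_indicators(indicators)
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        for algo, digest in file_digests(path, groups.keys()).items():
            if digest in groups[algo]:
                hits.append((str(path), algo, digest))
    return hits


def run_demo():
    """Constructed demo: two harmless files, one of which we declare 'known bad'."""
    workdir = tempfile.mkdtemp(prefix="ioc_scan_demo_")
    match_file = os.path.join(workdir, "sample_match.bin")
    clean_file = os.path.join(workdir, "sample_clean.bin")
    with open(match_file, "wb") as fh:
        fh.write(b"constructed sample standing in for a loader binary\n")
    with open(clean_file, "wb") as fh:
        fh.write(b"constructed sample that matches nothing\n")
    # Constructed indicator for the demo only: the SHA-256 of our own sample file.
    demo_hash = file_digests(match_file, ["sha256"])["sha256"]
    hits = scan_directory(workdir, PAGE_INDICATORS + [demo_hash])
    return hits


if __name__ == "__main__":
    for path, algo, digest in run_demo():
        print(f"MATCH {algo} {digest} {path}")
```

The scanner hashes each file once for every algorithm present in the indicator set, which matters when sweeping large filesystems; on a real host you would point `scan_directory` at user profile and temp directories, where the ISO/LNK-delivered loader from the first campaign would land, and feed the resulting hits into your incident-response workflow.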