Threat hunters have uncovered a cyberattack campaign in which threat actors posed as IT support staff to distribute the Havoc command-and-control (C2) framework, an intrusion that can end in data theft or ransomware deployment.
The attacks, first detected by Huntress across five partner organizations, used email spam as bait, followed by a phone call from a supposed IT helpdesk that kicked off a multi-stage malware delivery process.
According to researchers Michael Tigges, Anna Pham, and Bryan Masters, in one instance the attackers compromised multiple endpoints within eleven hours, deploying custom Havoc Demon payloads alongside legitimate Remote Monitoring and Management (RMM) tools for persistence. Lateral movement at that pace points to data exfiltration or ransomware deployment as the likely end goal.
The tactics mirror earlier activity attributed to the Black Basta ransomware group, even though that group has gone quiet since a leak of its internal chat logs. This suggests either that former affiliates have moved to other ransomware operations or that rival threat actors have adopted the same social engineering and initial-access playbook.
The attack chain begins with an email bombardment that overwhelms the target's inbox, followed by a phone call in which the attacker impersonates IT support and talks the victim into granting remote access to their system. The victim is then directed to a fake Microsoft landing page hosted on Amazon Web Services and asked to enter their email credentials, supposedly to update Outlook's anti-spam rules.
Clicking the page's "Update rules configuration" button triggers a script that prompts the user for their password, letting the threat actors harvest credentials for later unauthorized access.
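The email bombardment that opens the chain is the earliest signal a defender can act on. The detector below is an added example, not Huntress's or the article's code: it runs a per-recipient sliding window over constructed mail-gateway log lines (the line format, addresses, thresholds and timestamps are all assumptions made up for this example) and flags a mailbox the first time the window holds many messages from many distinct senders, which is what a subscription bomb looks like and what a single busy mailing list does not.

```python
"""Sliding-window detector for the email-bombing stage, run over constructed gateway log lines."""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def parse_line(line: str):
    """Constructed line format (an assumption for this example):
    '<ISO timestamp> <recipient> <sender> <subject>'."""
    ts, recipient, sender, subject = line.split(" ", 3)
    return datetime.fromisoformat(ts), recipient, sender, subject


def find_bursts(lines, window=timedelta(minutes=10), threshold=30, min_senders=10):
    """Per recipient, keep the messages received within `window` of the newest one and flag
    the recipient the first time that window holds at least `threshold` messages from at
    least `min_senders` distinct senders. The distinct-sender floor separates a subscription
    bomb (dozens of unrelated sign-up confirmations) from one chatty mailing list."""
    recent = defaultdict(deque)
    flagged = {}
    for line in sorted(lines):  # fixed-width ISO timestamps sort chronologically as text
        ts, recipient, sender, _ = parse_line(line)
        q = recent[recipient]
        q.append((ts, sender))
        while ts - q[0][0] > window:  # drop messages that fell out of the window
            q.popleft()
        if recipient not in flagged and len(q) >= threshold and len({s for _, s in q}) >= min_senders:
            flagged[recipient] = (ts, len(q))
    return flagged


def constructed_log():
    """Made-up traffic: 60 sign-up confirmations from 60 different sites hit one mailbox in
    five minutes, while a second mailbox receives a normal trickle from one colleague."""
    base = datetime(2025, 3, 3, 9, 0, 0)
    lines = [
        f"{(base + timedelta(seconds=5 * i)).isoformat()} jdoe@example.test noreply@site{i}.test Confirm your subscription"
        for i in range(60)
    ]
    lines += [
        f"{(base + timedelta(minutes=i)).isoformat()} asmith@example.test colleague@example.test Re: meeting notes"
        for i in range(12)
    ]
    return lines


if __name__ == "__main__":
    for recipient, (first_seen, count) in find_bursts(constructed_log()).items():
        print(f"{first_seen.isoformat()} possible email bomb against {recipient}: {count} messages in window")
```

The thresholds are deliberately loose; in practice they are tuned against a baseline of the organization's normal per-mailbox volume, and a hit should page the helpdesk so that a follow-up "IT support" call to that user is treated as hostile rather than routine.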
The attackers then push the victim to download a supposed anti-spam patch. Running it executes a legitimate, trusted binary that sideloads a malicious DLL placed alongside it, and that DLL executes the Havoc shellcode payload. To evade detection, the DLL is obfuscated in several ways and bypasses the hooks that security software installs to monitor API calls.
Once the Havoc Demon is running, the threat actors establish persistence by creating scheduled tasks that relaunch the payload after a reboot. They also install legitimate RMM tools such as Level RMM and XEOX on compromised hosts, so that losing one foothold does not cost them access.
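The sideloading and scheduled-task stages above translate directly into two endpoint hunts. The code below is an added example and not Huntress's or the article's code: it applies two heuristics to constructed Sysmon Event ID 7 (image loaded) and Windows Security Event ID 4698 (scheduled task created) records. The field names follow those event schemas, but the paths, task name, user and user-writable directory list are assumptions made up for this example, not indicators from the report.

```python
"""Hunt heuristics for the DLL-sideload and scheduled-task stages, run over constructed event records."""
import ntpath
import xml.etree.ElementTree as ET

# Directory markers a standard user can write to. The list is an assumption for this example;
# an unsigned DLL loaded from one of these locations beside its host EXE is worth a look.
USER_WRITABLE_MARKERS = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\", "\\downloads\\")


def in_user_writable(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE_MARKERS)


def sideload_candidate(ev: dict) -> bool:
    """Sysmon Event ID 7: a process loading an unsigned DLL that sits in the process's own
    directory, when that directory is user-writable. Signed DLLs and DLLs loaded from other
    directories (e.g. System32) are ignored."""
    if ev.get("EventID") != 7:
        return False
    image, loaded = ev.get("Image", ""), ev.get("ImageLoaded", "")
    if not loaded.lower().endswith(".dll"):
        return False
    same_dir = ntpath.dirname(image).lower() == ntpath.dirname(loaded).lower()
    signed_ok = ev.get("Signed", "false").lower() == "true" and ev.get("SignatureStatus", "").lower() == "valid"
    return same_dir and not signed_ok and in_user_writable(loaded)


def persistent_task_candidate(ev: dict) -> bool:
    """Security Event ID 4698: a task with a boot or logon trigger whose Exec action runs a
    command from a user-writable directory. TaskContent is the task-scheduler XML."""
    if ev.get("EventID") != 4698:
        return False
    root = ET.fromstring(ev.get("TaskContent", "<Task/>"))
    local = lambda el: el.tag.rsplit("}", 1)[-1]  # strip the task-schema XML namespace
    commands = [el.text or "" for el in root.iter() if local(el) == "Command"]
    tags = {local(el) for el in root.iter()}
    fires_on_start = bool(tags & {"BootTrigger", "LogonTrigger"})
    return fires_on_start and any(in_user_writable(c) for c in commands)


def hunt(events):
    """Return (kind, subject, detail) findings for every event a heuristic flags."""
    findings = []
    for ev in events:
        if sideload_candidate(ev):
            findings.append(("dll_sideload", ev["Image"], ev["ImageLoaded"]))
        elif persistent_task_candidate(ev):
            findings.append(("task_persistence", ev.get("TaskName", ""), ev.get("SubjectUserName", "")))
    return findings


# Constructed sample records: made-up paths, task name and user, not indicators from the report.
DROP_DIR = r"C:\Users\jdoe\AppData\Local\Temp\patch"
TASK_XML = r"""<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><BootTrigger><Enabled>true</Enabled></BootTrigger></Triggers>
  <Actions><Exec><Command>C:\Users\jdoe\AppData\Local\Temp\patch\host.exe</Command></Exec></Actions>
</Task>"""
BENIGN_TASK_XML = r"""<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger><StartBoundary>2025-03-03T02:00:00</StartBoundary></TimeTrigger></Triggers>
  <Actions><Exec><Command>C:\Windows\System32\wbem\WMIC.exe</Command></Exec></Actions>
</Task>"""
SAMPLE_EVENTS = [
    # host EXE dropped in a temp folder loading an unsigned DLL from the same folder: sideload
    {"EventID": 7, "Image": DROP_DIR + r"\host.exe", "ImageLoaded": DROP_DIR + r"\helper.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    # same host loading a signed system DLL from System32: normal
    {"EventID": 7, "Image": DROP_DIR + r"\host.exe", "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    # svchost loading ntdll: normal
    {"EventID": 7, "Image": r"C:\Windows\System32\svchost.exe", "ImageLoaded": r"C:\Windows\System32\ntdll.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    # boot-triggered task that relaunches the dropped host EXE: persistence
    {"EventID": 4698, "SubjectUserName": "jdoe", "TaskName": r"\Updater", "TaskContent": TASK_XML},
    # time-triggered task running a system binary: not flagged
    {"EventID": 4698, "SubjectUserName": "SYSTEM", "TaskName": r"\Microsoft\Windows\Maintenance",
     "TaskContent": BENIGN_TASK_XML},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(*finding)
```

Both heuristics key on location rather than on file names or hashes, because the campaign's whole point is that the host EXE is legitimate and the DLL is custom-built; a scheduled task that survives reboot and points into a user-writable folder is suspicious regardless of what it is called. The RMM tools the attackers install are a separate hunt: inventory which RMM agents are sanctioned and alert on any other.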
Key takeaways include the willingness of threat actors to impersonate IT staff, the growing use of defense evasion techniques, and the customization of commodity malware to slip past detection. The speed and aggressiveness of these attacks, together with the use of multiple persistence methods, show how capable modern adversaries are at compromising networks.
In short, the campaign is a clear example of how adversaries combine social engineering, DLL sideloading, and diversified persistence mechanisms to compromise a network.