
Threat hunters are being warned about a new campaign in which malicious actors pose as IT support and deploy the Havoc command-and-control (C2) framework as a precursor to data theft and ransomware attacks.
The intrusion, which Huntress identified last month across five partner organizations, used email spam as the lure, followed by a phone call from someone posing as the IT help desk, which then triggered a tiered malware delivery pipeline.
“At one organization, the attackers moved from initial access to nine additional endpoints over an 11-hour period, deploying a combination of a custom Havoc Demon payload and legitimate RMM tools for persistence,” said researchers Michael Tigges, Anna Pham, and Bryan Masters. “The speed of lateral movement strongly suggested that the end goal was data exfiltration, ransomware, or both.”
It’s worth noting that this technique is consistent with past email bombing and Microsoft Teams phishing attacks orchestrated by threat actors associated with the Black Basta ransomware operation. Although the cybercriminal group appears to have gone quiet after its internal chat logs were publicly leaked last year, the continued use of the group’s playbook suggests two possible scenarios.
One possibility is that former Black Basta affiliates have moved on to other ransomware operations and are reusing the technique to launch new attacks. Another is that rival threat actors have adopted the same strategy to conduct social engineering and gain initial access.
The attack chain begins with a spam campaign that floods the target’s inbox with junk email. An attacker posing as IT support then contacts the recipient and tricks them into granting remote access to the machine, either through a Quick Assist session or by installing a tool such as AnyDesk, ostensibly to remediate the issue.
Once access is established, the attacker wastes no time launching a web browser and navigating to a fake landing page hosted on Amazon Web Services (AWS). The page impersonates Microsoft and instructs victims to enter their email address in order to access Outlook’s anti-spam rules update system and update their spam rules.
Clicking the “Update Rule Settings” button on the fake page executes a script that displays an overlay prompting the user to enter their password.
“This mechanism serves two purposes: it allows a threat actor (TA) to collect credentials, which, when combined with the required email address, provides access to the control panel. At the same time, it adds a layer of authenticity to the interaction, convincing the user that the process is genuine,” Huntress said.

The attack also relies on downloading a purported anti-spam patch, which runs a legitimate binary named “ADNotificationManager.exe” (or “DLPUserAgent.exe” or “Werfault.exe”) that sideloads a malicious DLL. The DLL implements defense evasion and executes the Havoc shellcode payload by spawning a thread that runs a Demon agent.
At least one of the identified DLLs (‘vcruntime140_1.dll’) incorporates additional tricks to evade detection by security software, including control flow obfuscation, timing-based delay loops, and the Hell’s Gate and Halo’s Gate techniques to bypass the hooks that endpoint detection and response (EDR) solutions place on ntdll.dll functions.
“After successfully deploying the Havoc Demon to the beachhead host, the attacker began moving laterally throughout the victim’s environment,” the researchers said. “While the initial social engineering and malware delivery demonstrated some interesting techniques, subsequent hands-on-keyboard activity was relatively straightforward.”
Persistence is established by creating a scheduled task that launches the Havoc Demon payload every time the infected endpoint restarts, giving the threat actors durable remote access. On some compromised hosts, however, the threat actors deployed legitimate remote monitoring and management (RMM) tools such as Level RMM and XEOX in place of Havoc, diversifying their persistence mechanisms.
The key takeaways from these attacks are that attackers are willing to impersonate IT staff and call personal phone numbers if it improves their success rate, that defense-evasion techniques once limited to large corporations and state-sponsored campaigns are becoming increasingly common, and that commodity malware is being customized to bypass pattern-based signatures.
Also noteworthy is the speed and aggressiveness with which the attack progresses from initial compromise to lateral movement, and the number of methods used to maintain persistence.
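As an added illustration of how a defender might look for the sideloading chain and the scheduled-task persistence described above (this is example detection logic written for this article, not Huntress tooling), the script below evaluates constructed process-creation and image-load events: it flags one of the named host binaries running from a user-writable directory, vcruntime140_1.dll resolved from that same directory, and a schtasks /create command whose action points at such a binary. The user-writable directory list and the assumption that genuine copies of these binaries never run from those locations are simplifications for the example.

```python
"""Toy detection logic for the sideload-and-persist chain above; all telemetry
below is constructed for the example, not real indicators."""
import json
import re

# Legitimate host binaries the article reports being abused for sideloading.
SIDELOAD_HOSTS = {"adnotificationmanager.exe", "dlpuseragent.exe", "werfault.exe"}
SUSPECT_DLLS = {"vcruntime140_1.dll"}
# Assumption: genuine copies of these binaries never execute from these locations.
USER_WRITABLE = re.compile(
    r"\\(users\\[^\\]+\\(downloads|appdata|desktop)|users\\public|windows\\temp)\\", re.I)

def basename(path): return path.rsplit("\\", 1)[-1].lower()
def dirname(path): return path.rsplit("\\", 1)[0].lower()

def evaluate(event):
    """Return the names of every detection a single event dict triggers."""
    hits, kind, image = [], event.get("type"), event.get("image", "")
    if kind == "process_create" and basename(image) in SIDELOAD_HOSTS \
            and USER_WRITABLE.search(image):
        hits.append("sideload_host_in_user_writable_dir")
    if kind == "image_load" and basename(event.get("module", "")) in SUSPECT_DLLS:
        module = event["module"]
        # Search-order sideload: DLL came from the image's own directory, not a system path.
        if dirname(module) == dirname(image) and USER_WRITABLE.search(module):
            hits.append("suspect_dll_sideloaded_from_image_dir")
    if kind == "process_create" and basename(image) == "schtasks.exe":
        cmd = event.get("command_line", "").lower()
        if "/create" in cmd and any(host in cmd for host in SIDELOAD_HOSTS):
            hits.append("scheduled_task_launches_sideload_host")
    return hits

def scan(lines):
    """Parse JSON-lines telemetry; return {event id: [detections]} for events that hit."""
    results = {}
    for line in lines:
        event = json.loads(line)
        if hits := evaluate(event):
            results[event["id"]] = hits
    return results

# Constructed sample telemetry; events 4 and 5 are benign controls that must not fire.
SAMPLE_LINES = [json.dumps(e) for e in [
    {"id": 1, "type": "process_create", "image": r"C:\Users\alice\Downloads\spamfix\ADNotificationManager.exe"},
    {"id": 2, "type": "image_load", "image": r"C:\Users\alice\Downloads\spamfix\ADNotificationManager.exe", "module": r"C:\Users\alice\Downloads\spamfix\vcruntime140_1.dll"},
    {"id": 3, "type": "process_create", "image": r"C:\Windows\System32\schtasks.exe", "command_line": r'schtasks /create /tn AntiSpamUpdate /tr "C:\Users\alice\Downloads\spamfix\ADNotificationManager.exe" /sc onstart'},
    {"id": 4, "type": "process_create", "image": r"C:\Windows\System32\WerFault.exe"},
    {"id": 5, "type": "image_load", "image": r"C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe", "module": r"C:\Windows\System32\vcruntime140_1.dll"},
]]
```

Running `scan(SAMPLE_LINES)` flags events 1, 2 and 3 and leaves the two benign controls alone; in practice the rules would be fed from Sysmon event IDs 1 and 7 or the equivalent EDR telemetry.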
“It begins with a call from ‘IT support’ and ends with a fully orchestrated network compromise, including a modified Havoc Demon deployed across endpoints, and a legitimate RMM tool reused as backup persistence,” Huntress concluded. “This campaign is a case study in how modern attackers are becoming more sophisticated at every step: social engineering to get in the door, DLL sideloading to remain invisible, and diverse persistence to survive remediation.”
