Threat hunters have flagged a new campaign in which attackers posing as IT support deliver the Havoc command-and-control (C2) framework as a precursor to data theft, ransomware, or both.
The intrusions, identified by Huntress last month at five partner organizations, began with an email spam flood used as a lure, followed by a phone call from a fake IT help desk that set a layered malware delivery pipeline in motion.
Researchers Michael Tigges, Anna Pham, and Brian Masters said, "In one organization, the adversary went from initial access to nine additional endpoints over the course of eleven hours, deploying a mix of custom Havoc Demon payloads and legitimate RMM tools for persistence, with the speed of lateral movement strongly suggesting that the ultimate target was data exfiltration, ransomware, or both."
It is worth noting that the methodology is consistent with the email bombing and Microsoft Teams phishing attacks previously carried out by threat actors linked to the Black Basta ransomware operation. While that cybercrime group appears to have gone silent after the public leak of its internal chat logs last year, the continued use of its playbook points to two possible scenarios.
Either former Black Basta associates have moved on to other ransomware operations and are reusing the playbook there, or rival threat actors have adopted the same social-engineering tactics to gain initial access.
The attack chain begins with a spam campaign that floods the target's inbox with junk email. Threat actors posing as IT support then contact the recipient and talk them into granting remote access to their machine, either through a quick support session or by installing a tool such as AnyDesk to "troubleshoot" the problem.
Once inside, the adversary immediately opens a web browser and navigates to a fake landing page hosted on Amazon Web Services (AWS). The page impersonates Microsoft and instructs the victim to enter their email address to reach a supposed Outlook anti-spam rule update system and refresh their spam rules.
Clicking the "Update Rule Configuration" button on the fake page runs a script that displays an overlay prompting the user for their password.
“This mechanism serves two purposes: it allows the threat actor (TA) to obtain credentials that, when combined with the required email address, grant access to the control panel; at the same time, it adds a layer of authenticity to the interaction, assuring the user that the process is genuine,” Huntress said.
The attack also involves downloading a purported anti-spam patch, which in turn runs a legitimate binary named "ADNotificationManager.exe" (or, in other cases, "DLPUserAgent.exe" and "Werfault.exe") that sideloads a malicious DLL. The DLL carries the defense-evasion logic and then executes the Havoc shellcode by spawning a thread that runs the Demon agent.
At least one of the identified DLLs ("vcruntime140_1.dll") contains control-flow obfuscation, time-based delay loops, and further tricks to sidestep user-mode hooks on ntdll.dll functions, using direct-syscall techniques such as Hell's Gate and Halo's Gate to evade endpoint detection and response (EDR) products.
"Following the successful deployment of Havoc Demon on the beachhead, threat actors began lateral movement into the compromised environment," the researchers said. "Although the early social engineering and malware delivery demonstrated some interesting techniques, the subsequent hands-on-keyboard activity was comparatively straightforward."
This involves creating a scheduled task that launches the Havoc Demon payload every time the infected endpoint reboots, giving the threat actors persistent remote access. On some compromised hosts, however, the threat actors deployed legitimate remote monitoring and management (RMM) tools such as Level RMM and XEOX instead of Havoc, diversifying their persistence mechanisms.
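The two host-level behaviours described above, a known-good binary sideloading "vcruntime140_1.dll" from its own directory and a boot-time scheduled task pointing at a user-writable path, are both cheap to hunt for in endpoint telemetry. The following is an added example written for this page, not code from Huntress or from the Havoc project: it runs two detectors over simplified Sysmon-style events. The events, the staging path under the user's Temp directory, the task name "OutlookSpamRuleUpdate" and the "VendorApp" install are all constructed for illustration; the campaign's real paths and task names are not given on this page.

```python
"""Triage of two host-level behaviours: a legitimate binary sideloading
vcruntime140_1.dll from its own directory, and a boot/logon scheduled task
whose action lives in a user-writable path. Events are simplified Sysmon-style
records constructed for this example (added here, not Huntress code)."""
from __future__ import annotations

import ntpath  # Windows path semantics regardless of the host running this script

# Host binaries the article reports being abused for sideloading.
SIDELOAD_HOSTS = {"adnotificationmanager.exe", "dlpuseragent.exe", "werfault.exe"}
# DLL name the article reports. A production rule would list every runtime DLL
# these hosts import, since the attacker can choose any of them.
SIDELOAD_DLLS = {"vcruntime140_1.dll"}
# Directories from which those DLLs legitimately load.
TRUSTED_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\windows\winsxs",
    r"c:\program files",
    r"c:\program files (x86)",
)
# Locations a standard user (and therefore a remote-support session) can write to.
USER_WRITABLE = (r"c:\users", r"c:\programdata", r"c:\windows\temp")


def _under(directory: str, roots: tuple[str, ...]) -> bool:
    """True if directory equals or lies beneath one of roots (case-insensitive)."""
    d = directory.lower().rstrip("\\")
    return any(d == r or d.startswith(r + "\\") for r in roots)


def detect_sideload(ev: dict) -> str | None:
    """Flag an image-load where a known host binary pulls vcruntime140_1.dll
    from its own, untrusted directory instead of a system location."""
    if ev.get("type") != "image_load":
        return None
    image, dll = ev["image"], ev["loaded"]
    if ntpath.basename(image).lower() not in SIDELOAD_HOSTS:
        return None
    if ntpath.basename(dll).lower() not in SIDELOAD_DLLS:
        return None
    dll_dir = ntpath.dirname(dll)
    if _under(dll_dir, TRUSTED_DIRS):
        return None
    if dll_dir.lower() != ntpath.dirname(image).lower():
        return None  # not the application-directory search-order abuse we want
    return f"sideload: {image} loaded {dll} from its own directory"


def detect_boot_persistence(ev: dict) -> str | None:
    """Flag a scheduled task fired at boot or logon whose action lives in a
    user-writable path, or is one of the host binaries outside a trusted path."""
    if ev.get("type") != "task_create" or ev.get("trigger") not in {"boot", "logon"}:
        return None
    exe = ev["command"]
    exe_dir = ntpath.dirname(exe)
    suspicious_dir = _under(exe_dir, USER_WRITABLE)
    relocated_host = (ntpath.basename(exe).lower() in SIDELOAD_HOSTS
                      and not _under(exe_dir, TRUSTED_DIRS))
    if suspicious_dir or relocated_host:
        return f"persistence: task {ev['task']} runs {exe} at {ev['trigger']}"
    return None


def triage(events: list[dict]) -> list[str]:
    """Run every detector over every event and return the hits in event order."""
    hits = []
    for ev in events:
        for detector in (detect_sideload, detect_boot_persistence):
            hit = detector(ev)
            if hit:
                hits.append(hit)
    return hits


# Constructed sample telemetry; the staging path, vendor and task names are hypothetical.
STAGING = r"C:\Users\jdoe\AppData\Local\Temp\AntiSpamPatch"
SAMPLE_EVENTS = [
    {"type": "image_load", "image": STAGING + r"\ADNotificationManager.exe",
     "loaded": STAGING + r"\vcruntime140_1.dll"},                      # sideload
    {"type": "image_load", "image": r"C:\Windows\System32\WerFault.exe",
     "loaded": r"C:\Windows\System32\vcruntime140_1.dll"},             # benign
    {"type": "image_load", "image": r"C:\Program Files\VendorApp\ADNotificationManager.exe",
     "loaded": r"C:\Program Files\VendorApp\vcruntime140_1.dll"},      # benign install
    {"type": "task_create", "task": r"\OutlookSpamRuleUpdate", "trigger": "boot",
     "command": STAGING + r"\ADNotificationManager.exe"},              # persistence
    {"type": "task_create", "task": r"\VendorApp\Updater", "trigger": "logon",
     "command": r"C:\Program Files\VendorApp\Updater.exe"},            # benign
]

if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS):
        print(line)
```

Running it prints the two hits (the sideload from the Temp staging directory and the boot task pointing at the same executable) and stays quiet on the legitimate WerFault.exe and the vendor install under Program Files. In a real deployment the same logic would key on the Image and ImageLoaded fields of Sysmon Event ID 7 and on the action path in the task XML of Security Event ID 4698; the trusted-directory allowlist is the knob to tune, since a signed application that ships its own runtime DLLs under Program Files should not fire, while the same binary copied next to a "vcruntime140_1.dll" in a user-writable directory should.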
Key findings from these attacks: threat actors will readily impersonate IT staff and call employees' personal phone numbers if it improves their success rate; defense-evasion techniques once confined to attacks on large enterprises or state-sponsored campaigns are becoming commonplace; and commodity malware has been adapted to slip past signature-based detection.
Also notable is how quickly and aggressively the attacks progress from initial access to lateral movement, and the variety of methods used to maintain persistence.
Huntress concluded: "What starts as a phone call from 'IT Support' ends up with a fully instrumented network compromise: modified Havoc Demons are deployed on endpoints, and legitimate RMM tools are reused as backup persistence. This campaign is a case study in how modern adversaries employ sophistication at every step: social engineering to get in the door, DLL sideloading to remain invisible, and diverse persistence to evade remediation."