The Demon Arrives Later: A Havoc Stager Hides Behind Microsoft Defender DLP

LevelBlue SpiderLabs analyzed a Brazilian NF-e-themed lure that disguises a ZIP attachment and MSI installer to deliver a Havoc stager which then downloads the demon at runtime. The campaign overlaps with other delivery fronts and shares builder traits across multiple stager variants, while using persistence via UserInitMprLogonScript and HTTP traffic that mimics Microsoft Delivery Optimization. #Havoc #NF-e #UserInitMprLogonScript #Microsoft-Delivery-Optimization

Keypoints

  • Invoice-shaped ZIP attachments imitate Brazil’s Nota Fiscal eletrônica workflow to trick recipients during tax season.
  • The lure archive contains a short VBScript and MSI instead of the PDF and signed XML expected in a legitimate NF-e package.
  • The MSI pretends to be Microsoft Endpoint DLP, but it is unsigned and was built with WiX Toolset.
  • The attacker’s DLL, endpointdlp.dll, is only a stager; it fetches Havoc demon code over the network instead of storing the implant on disk.
  • Nine stager variants share strong builder similarities, including the same core exports, wrapper imports, and Microsoft-themed spoofing.
  • Persistence is achieved by writing HKCU\Environment\UserInitMprLogonScript so mpextms.exe runs again at logon.
  • The same stager family also appears in other delivery fronts, including Malaysia-hosted update.zip campaigns and KongTuke-related reporting.

MITRE Techniques

  • [T1566.002] Phishing: Spearphishing Link – Used invoice-shaped email delivery to lure victims into opening a malicious ZIP attachment (‘spoofed invoice mail easier to open without hesitation’).
  • [T1059.005] Command and Scripting Interpreter: Visual Basic – A 503-byte VBS launcher hides its intent and runs commands to fetch and execute the MSI (‘the VBS launches a hidden cmd’).
  • [T1140] Deobfuscate/Decode Files or Information – The VBS uses string splitting to conceal the download URL and execution steps (‘The VBS hides its intent behind string splitting’).
  • [T1218.007] System Binary Proxy Execution: Msiexec – The dropper runs the MSI silently through a trusted Windows utility (‘runs it with msiexec /quiet /norestart’).
  • [T1574.002] Hijack Execution Flow: DLL Side-Loading – The signed mpextms.exe loads the malicious endpointdlp.dll alongside it (‘The signed mpextms.exe starts, loads endpointdlp.dll again’).
  • [T1036.001] Masquerading: Invalid Code Signature – The attacker abuses Microsoft-style branding while the key malicious component remains unsigned (‘The stager DLL is not [signed]’).
  • [T1036.005] Masquerading: Match Legitimate Name or Location – Files and metadata imitate Microsoft Defender Endpoint DLP and Microsoft Corporation to appear legitimate (‘fake labels in its version info’).
  • [T1037.001] Boot or Logon Initialization Scripts: Logon Script (Windows) – The stager sets a logon-script registry value for persistence (‘HKCU\Environment\UserInitMprLogonScript = ‘).
  • [T1071.001] Application Layer Protocol: Web Protocols – The stager and demon communicate over HTTP(S) using GET and POST requests (‘it issued GET /stage/… and then POST /api/v2/telemetry/diag’).
  • [T1105] Ingress Tool Transfer – The Havoc demon is downloaded from the C2 server after the stager handshake (‘the demon arrived over the wire’).
  • [T1027.013] Obfuscated Files or Information: Encrypted/Encoded File – Havoc uses encrypted C2 traffic and encoded/packed runtime behavior (‘A fresh AES key is negotiated at first contact’).

Indicators of Compromise

  • [Archive / lure file names] malicious invoice lure and alternate update package – NFE-43250902055205000108550010000269881023835318-1.zip, update.zip
  • [Script / installer file names] payload components inside the archive – 503-byte VBS, update.msi, endpointdlp.dll, mpextms.exe
  • [URLs] delivery and staging infrastructure – hxxps://storage[.]googleapis[.]com/nodesdownload/update.msi, hxxps://tr[.]ee/lAZ5yi
  • [URLs] alternate campaign delivery – hxxps://e4wxbrg5277[.]com/dl/update.zip?tk=, hxxps://49xb5hoiqsr[.]com/dl/update.zip?tk=, hxxps://jh038x18gy9[.]com/dl/update.zip?tk=
  • [URLs / paths] stager and demon network activity – GET /stage/, POST /api/v2/telemetry/diag, /api/v1/telemetry
  • [IP addresses] C2 and staging endpoints – 194[.]59[.]31[.]192:8443, 143[.]198[.]183[.]46, 194[.]62[.]55[.]81:80
  • [Registry key] persistence location – HKCU\Environment\UserInitMprLogonScript
  • [Mutex] stager synchronization object – Global\{7f3a9c2e-4b1d-8e5f-a6d0-3c9b2e1f7a4d}
  • [Hashes] identified samples and cluster items – 7d4fb94f6b4623690daea67ed52e97705cb102f443988ff605f2a9c4898244dc, 07d0d4c580ac76ac3ffb63353c9b6b85, and 2 more hashes
  • [Domains] infrastructure linked to delivery and telemetry – thomphon[.]com, e4wxbrg5277[.]com, 49xb5hoiqsr[.]com, jh038x18gy9[.]com
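As an added detection example (not code from the LevelBlue report), the following script checks web-proxy log lines for the stager-then-demon pattern described above: a GET to /stage/ followed by a POST to the telemetry paths from the same internal host, plus any contact with the listed C2 endpoints. The log format and the sample lines are constructed for the example; the IP addresses and URI paths are the indicators from this page.

```python
import re
from collections import defaultdict

# Constructed sample proxy log (source_ip method url); not real traffic.
# 10.0.0.7 shows a lone GET /stage/ to a benign-looking host and must not fire.
SAMPLE_LOG = """\
10.0.0.5 GET http://194.59.31.192:8443/stage/7f3a
10.0.0.5 POST http://194.59.31.192:8443/api/v2/telemetry/diag
10.0.0.7 GET http://update.example.net/stage/x
10.0.0.9 POST http://143.198.183.46/api/v1/telemetry
10.0.0.12 GET https://example.org/index.html
"""

# Indicators from the report (de-fanged on the page, plain here for matching)
KNOWN_C2 = {"194.59.31.192", "143.198.183.46", "194.62.55.81"}
STAGE_PATH = re.compile(r"^/stage/")
DEMON_PATHS = re.compile(r"^/api/v2/telemetry/diag$|^/api/v1/telemetry$")

LINE_RE = re.compile(r"^(?P<src>\S+)\s+(?P<method>GET|POST)\s+(?P<url>\S+)$")
URL_RE = re.compile(r"^https?://(?P<host>[^/:]+)(?::\d+)?(?P<path>/[^?]*)")

def parse(line):
    """Split one constructed log line into (src, method, host, path)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    u = URL_RE.match(m["url"])
    if not u:
        return None
    return m["src"], m["method"], u["host"], u["path"]

def detect(log_text):
    """Return {src_ip: [reasons]} for hosts showing C2 contact or the
    stage-GET -> telemetry-POST sequence used by the Havoc stager."""
    findings = defaultdict(list)
    seen_stage = set()
    for line in log_text.splitlines():
        rec = parse(line)
        if not rec:
            continue
        src, method, host, path = rec
        if host in KNOWN_C2:
            findings[src].append(f"traffic to known C2 {host}")
        if method == "GET" and STAGE_PATH.match(path):
            seen_stage.add(src)          # remember, but do not alert alone
        if method == "POST" and DEMON_PATHS.match(path):
            reason = "demon telemetry POST"
            if src in seen_stage:
                reason = "stage GET followed by " + reason
            findings[src].append(reason)
    return dict(findings)
```

Run `detect(SAMPLE_LOG)` to see that only 10.0.0.5 and 10.0.0.9 are flagged; a lone GET /stage/ is recorded as context rather than alerted on, to limit false positives from legitimate update traffic.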


Read more: https://www.levelblue.com/blogs/spiderlabs-blog/the-demon-arrives-later-a-havoc-stager-hides-behind-microsoft-defender-dlp