This article analyzes a Havoc variant malware used in a sustained cyber intrusion targeting critical national infrastructure in the Middle East, detailing its deployment via a disguised remote injector mimicking conhost.exe. The Havoc framework’s modular design enables attackers to remotely control compromised Windows systems through a range of commands and in-memory execution techniques. #Havoc #RemoteAccessTrojan #conhost.exe
Keypoints
- The Havoc malware variant is deployed on Windows systems by a fake conhost.exe remote injector, launched by a Windows Task Scheduler task, which creates a new cmd.exe process and injects the decrypted Havoc payload into it.
- The remote injector decrypts the Havoc payload from conhost.dll and uses Windows APIs to inject and execute it within the target process.
- The Havoc framework supports communication with its Command and Control (C2) server via HTTP, HTTPS, and SMB, with the malware registering the compromised host on the C2 server by sending AES-encrypted system metadata.
- Havoc provides an extensive set of control commands, sub-commands, and supports in-memory execution of Beacon Object Files (BOFs) to extend its capabilities on compromised systems.
- The modular architecture of Havoc allows attackers to perform tasks such as file management, process enumeration, user account manipulation, network configuration, and credential dumping.
- FortiGuard security services detect and block the Havoc-related files and network traffic with signatures, and block DNS requests for the C2 domain.
- The C2 server domain identified in this campaign is apps[.]gist[.]githubapp[.]net and relevant malware sample hashes include those of conhost.exe and conhost.dll files.
MITRE Techniques
- [T1055] Process Injection – The remote injector uses the ZwAllocateVirtualMemory(), ZwWriteVirtualMemory(), and ZwCreateThreadEx() APIs to inject and execute the Havoc payload in a newly created cmd.exe process (‘inject the decrypted shellcode and Havoc executable into the process’).
- [T1071.001] Application Layer Protocol – Havoc malware communicates with its C2 server using HTTP and HTTPS protocols for command and control (‘Havoc supports HTTP, HTTPS, and SMB protocols to transport commands and results’).
- [T1106] Native API – Havoc’s remote injector uses native Windows APIs CreateProcessA(), ZwAllocateVirtualMemory(), ZwWriteVirtualMemory(), and ZwCreateThreadEx() to create processes and inject payloads (‘remote injector calls CreateProcessA() to create cmd.exe process’).
- [T1027] Obfuscated Files or Information – Havoc payload is encrypted inside conhost.dll and decrypted at runtime before injection (‘decrypts a Havoc payload…using a piece of shellcode embedded in the conhost.dll’).
- [T1033] System Owner/User Discovery – The Havoc demon collects system metadata such as hostname, username, domain, IP address for reporting to its C2 server (‘metadata includes Host name, User name, Domain, IP address’).
- [T1083] File and Directory Discovery – Havoc’s commands include directory listing, file management, and filesystem enumeration features (‘COMMAND_FS with subcommands like DEMON_COMMAND_FS_DIR, DEMON_COMMAND_FS_MKDIR’).
- [T1059] Command and Scripting Interpreter – Havoc supports execution of various shell and PowerShell commands on compromised systems (‘powerpick executes unmanaged powershell commands; shell executes Windows cmd.exe commands’).
- [T1113] Screen Capture – Havoc includes commands to take screenshots on the compromised system (‘COMMAND_SCREENSHOT’).
- [T1620] Reflective Code Loading – Havoc loads and executes Beacon Object Files (BOFs) in memory, extending its functionality without updating the main demon (‘in-memory execution of object files’).
Indicators of Compromise
- [Domain] Command and Control server domain – apps[.]gist[.]githubapp[.]net
- [File Hash] Remote injector executable conhost.exe – SHA-256: 22BD09FBAB54963D4B0234585D33571A47A2DF569DBAB8B40988415AB0A3C37B
- [File Hash] Encrypted Havoc DLL conhost.dll – SHA-256: 9208034AF160357C99B45564FF54570B1510BAF3BC033999AE4281482617FF5B
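The following hunting script is an added example, not code from the original article or from the Havoc project. It turns the injection chain described under Keypoints and MITRE Techniques (fake conhost.exe launched by a scheduled task, creating cmd.exe and opening a remote thread in it) and the IOC list above into rules run over constructed Sysmon-style events. The event field names mirror Sysmon Event IDs 1 (process create), 8 (CreateRemoteThread) and 22 (DNS query) but are an assumption here, as are the sample paths (the injector under C:\ProgramData, parent svchost.exe for the Schedule service); the article does not state where the fake conhost.exe was dropped.

```python
"""Hunting rules for the fake-conhost.exe -> cmd.exe Havoc injection chain and
the IOCs listed above. Added example: not code from the original article or
from the Havoc project. Events are simplified Sysmon-style dicts (constructed);
field names mirror Sysmon Event IDs 1, 8 and 22 but are an assumption here."""

# Indicators quoted from the article
HAVOC_SHA256 = {
    "22BD09FBAB54963D4B0234585D33571A47A2DF569DBAB8B40988415AB0A3C37B",  # conhost.exe (injector)
    "9208034AF160357C99B45564FF54570B1510BAF3BC033999AE4281482617FF5B",  # conhost.dll (encrypted payload)
}
HAVOC_C2_DOMAINS = {"apps.gist.githubapp.net"}

# The genuine console host lives only here and is normally spawned by csrss.exe
LEGIT_CONHOST = r"c:\windows\system32\conhost.exe"


def is_fake_conhost(image: str) -> bool:
    """Masquerading check: a conhost.exe anywhere other than System32."""
    image = image.lower()
    return image.endswith("\\conhost.exe") and image != LEGIT_CONHOST


def sha256_from_hashes_field(hashes: str) -> str:
    """Pull the SHA256 value out of a Sysmon 'Hashes' field such as
    'MD5=...,SHA256=...'; returned upper-cased to compare with the IOC set."""
    for part in hashes.split(","):
        algo, _, value = part.partition("=")
        if algo.strip().upper() == "SHA256":
            return value.strip().upper()
    return ""


def hunt(events):
    """Return (rule, detail) findings for the Havoc chain described above.

    Rules (each maps to a statement in the article):
      ioc_hash      - process image hash matches a listed sample
      fake_conhost  - conhost.exe running from outside System32
      injection     - fake conhost creates cmd.exe, then opens a remote thread in it
      c2_dns        - DNS query for the listed C2 domain
    """
    findings = []
    fake_conhost_pids = set()
    cmd_spawned_by_fake = set()

    for ev in events:
        eid = ev["EventID"]
        if eid == 1:  # process creation
            image, pid = ev["Image"], ev["ProcessId"]
            if sha256_from_hashes_field(ev.get("Hashes", "")) in HAVOC_SHA256:
                findings.append(("ioc_hash", image))
            if is_fake_conhost(image):
                fake_conhost_pids.add(pid)
                findings.append(("fake_conhost", f"{image} (parent {ev['ParentImage']})"))
            elif image.lower().endswith("\\cmd.exe") and ev["ParentProcessId"] in fake_conhost_pids:
                cmd_spawned_by_fake.add(pid)
        elif eid == 8:  # CreateRemoteThread: the ZwCreateThreadEx() step surfaces here
            if ev["TargetProcessId"] in cmd_spawned_by_fake and is_fake_conhost(ev["SourceImage"]):
                findings.append(("injection",
                                 f"{ev['SourceImage']} -> {ev['TargetImage']} pid {ev['TargetProcessId']}"))
        elif eid == 22:  # DNS query
            if ev["QueryName"].lower().strip(".") in HAVOC_C2_DOMAINS:
                findings.append(("c2_dns", f"{ev['Image']} queried {ev['QueryName']}"))
    return findings


# Constructed sample telemetry: one benign conhost.exe, then the malicious chain.
# Drop location and parent process of the injector are assumptions, not from the article.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\conhost.exe", "ProcessId": 3000,
     "ParentImage": r"C:\Windows\System32\csrss.exe", "ParentProcessId": 600,
     "Hashes": "SHA256=0000000000000000000000000000000000000000000000000000000000000000"},
    {"EventID": 1, "Image": r"C:\ProgramData\conhost.exe", "ProcessId": 4120,
     "ParentImage": r"C:\Windows\System32\svchost.exe", "ParentProcessId": 1100,
     "Hashes": "MD5=d41d8cd98f00b204e9800998ecf8427e,SHA256=22bd09fbab54963d4b0234585d33571a47a2df569dbab8b40988415ab0a3c37b"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "ProcessId": 4200,
     "ParentImage": r"C:\ProgramData\conhost.exe", "ParentProcessId": 4120,
     "Hashes": "SHA256=1111111111111111111111111111111111111111111111111111111111111111"},
    {"EventID": 8, "SourceImage": r"C:\ProgramData\conhost.exe", "SourceProcessId": 4120,
     "TargetImage": r"C:\Windows\System32\cmd.exe", "TargetProcessId": 4200},
    {"EventID": 22, "Image": r"C:\Windows\System32\cmd.exe", "ProcessId": 4200,
     "QueryName": "apps.gist.githubapp.net"},
]

if __name__ == "__main__":
    for rule, detail in hunt(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

The `injection` rule deliberately requires the whole sequence (fake conhost.exe spawns cmd.exe, then a remote thread is created in that same cmd.exe) rather than any CreateRemoteThread event, since legitimate software also creates remote threads; the hash and DNS rules are independent so they still fire if the injector is renamed or dropped elsewhere.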