
Fake Tech Support Spam Uses Custom Havoc C2 Across Organizations

Threat hunters have observed a new campaign in which attackers pose as IT support to deliver the Havoc command-and-control (C2) framework as a prelude to data exfiltration or ransomware deployment.

The intrusion, identified by Huntress last month at five partner organizations, used email spam as the lure, followed by a phone call from a fake IT help desk that opens the malware delivery pipeline.

“In one organization, the adversary went from initial access to nine additional locations within eleven hours, using a mix of custom Havoc Demon payloads and legitimate RMM persistence tools, at a combined speed of movement that strongly suggests the end goal was data exfiltration, ransomware, or both,” said researchers Michael Tigges and Bryan Phan Master.

It is worth noting that the modus operandi is consistent with the email bombing and Microsoft Teams phishing attacks previously attributed to threat actors linked to the Black Basta ransomware operation. Although that cybercrime group appears to have gone quiet following the public leak of its internal chats last year, the continued use of its playbook suggests two possible scenarios.

One possibility is that former Black Basta members have moved on to other ransomware operations and reused the playbook in new attacks; the other is that rival threat actors have adopted the same social engineering strategy to gain initial access.

The attack chain begins with a spam campaign designed to flood the target’s inbox with unwanted email. Next, the attackers, posing as IT support, call the recipients and talk them into granting remote access to their devices, either through a Quick Assist session or by installing a tool such as AnyDesk to “fix the problem.”

With access in hand, the adversary immediately opens a web browser and navigates to a fake Microsoft-branded landing page hosted on Amazon Web Services (AWS), which instructs the victim to enter their email address to access an Outlook anti-spam rules update tool and apply the updated spam rules.

Clicking the “Update rule configuration” button on the fake page runs a script that displays an overlay prompting the user to enter their password.

“This device serves two purposes: it allows the threat actor (TA) to harvest information, which, when combined with the required email address, provides access to the control panel; at the same time, it adds a layer of authenticity to the interaction, convincing the user that the process is authentic,” said Huntress.

The attack then has the victim download a purported anti-spam patch, which leads to the execution of a legitimate binary, “ADNotificationManager.exe” (or alternatively “DLPUserAgent.exe” or “Werfault.exe”), that is used to sideload a malicious DLL. The DLL payload performs defense evasion, unpacks the Havoc shellcode, and starts a thread that runs the Demon agent.

At least one of the identified DLLs (“vcruntime140_1.dll”) includes additional tricks to evade security software: control flow obfuscation, time-based delay loops, and techniques such as Hell’s Gate and Halo’s Gate to resolve ntdll.dll system call stubs directly and bypass endpoint detection and response (EDR) solutions.

“After the successful deployment of the Havoc Demon to the beachhead host, the threat actors began to move around the target area,” the researchers said. “While early social engineering and malware delivery showed interesting techniques, the hands-on-keyboard work that followed was relatively straightforward.”

This includes creating scheduled tasks that launch the Havoc Demon payloads every time the infected endpoints restart, giving the threat actors persistent remote access. On some compromised hosts, however, the threat actor was found to rely on legitimate remote monitoring and management (RMM) tools such as Level RMM and XEOX instead of Havoc, diversifying their persistence methods.

Another important takeaway from these attacks is that threat actors are more than willing to impersonate IT staff and call personal phone numbers if it improves their success rate. Techniques once limited to big-game hunting or state-sponsored campaigns are becoming commonplace, and malware is being customized to evade signature-based detection.

Also notable is the speed with which the attack moves from initial access to lateral movement, and the variety of methods used to maintain persistence.

“What starts as a call from ‘IT support’ ends in a full-blown network compromise – modified Havoc Demons used in all environments, legitimate RMM tools repurposed as backup persistence,” Huntress concluded. “This campaign is an example of how modern adversaries put complexity at every level: social engineering to get in the door, DLL sideloading to remain invisible, and varied persistence to survive the fix.”
