Tailored Tech Support Scams Launch Customized Havoc on Organizations


Growing Cyber Threats: Fake IT Support and the Havoc C2 Framework

Emerging Threats in Cybersecurity

Recent investigations by threat hunters have unveiled a concerning trend: cybercriminals masquerading as IT support personnel to execute their malicious plans. This tactic serves as a precursor to deploying the Havoc command-and-control (C2) framework, often leading to serious data breaches or ransomware attacks.

The Attack Methodology

Huntress security researchers identified these attacks last month across five different partner organizations. The attackers opened with a barrage of spam email, then followed up with a deceptive phone call from supposed IT staff offering to help. This two-pronged approach activates a layered malware delivery pipeline, placing victims at high risk.

In one notable case, adversaries achieved access to multiple endpoints within just eleven hours, deploying a blend of custom Havoc Demon payloads alongside legitimate remote management tools. The rapid lateral movement indicated the likely intent of data exfiltration or executing ransomware, as highlighted by researchers Michael Tigges, Anna Pham, and Bryan Masters.

Connection to Previous Ransomware Operations

The tactics used in this campaign bear similarities to the email bombing and phishing attacks conducted by the notorious Black Basta ransomware group. Though this group has been relatively quiet since the leak of its internal communications last year, the overlap in attack patterns suggests one of two possibilities: a) former Black Basta associates shifting to new ransomware operations, or b) competing threat actors adopting similar social engineering strategies to gain initial access.

Step-by-Step Breakdown of the Attack

The attack typically begins with a spam email barrage designed to overwhelm a target’s inbox. Once the victims are sufficiently distracted, the attackers impersonate IT support and secure remote access to their machines. This can be achieved via Quick Assist sessions or by prompting victims to install remote support applications like AnyDesk.

After gaining access, threat actors swiftly navigate to a counterfeit landing page hosted on Amazon Web Services. This page imitates Microsoft and instructs victims to enter their email addresses for a fictitious “anti-spam rules update.” A click on the “Update rules configuration” button triggers a script that prompts the user for their password, serving a dual purpose: collecting credentials and bolstering the façade of legitimacy.

How the Attack Evolves

Following credential harvesting, attackers deploy a series of seemingly innocuous binary files (e.g., ADNotificationManager.exe), which sideload malicious DLLs intended to evade detection. One specific DLL (vcruntime140_1.dll) employs techniques like control flow obfuscation and timing-based delays to outsmart security systems. The goal here is to activate Havoc shellcode and ultimately gain persistent control over infected machines.

Once the Havoc payload is executed, the threat actors engage in lateral movement across the compromised network. Their strategy includes creating scheduled tasks to ensure the Havoc Demon launches every time the infected systems reboot. In some instances, legitimate remote monitoring tools like Level RMM and XEOX are used to enhance their control mechanisms.
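The two stages just described, a runtime DLL sideloaded from the same folder as a dropped executable and a scheduled task that relaunches it at boot, are both visible in endpoint telemetry. The script below is an added detection sketch written for this article; it is not Huntress's code and not part of the original write-up. It runs over constructed Sysmon-style image-load and task-creation records (the event shapes, the trusted DLL directories, the user-writable directories and the victim paths are all assumptions; only the file names ADNotificationManager.exe and vcruntime140_1.dll come from the campaign description).

```python
"""
Added detection sketch for the sideloading and persistence steps described
in the article. Not Huntress's or the article's code. Event records below
are constructed, Sysmon-like dicts, not real telemetry.
"""
import ntpath
from dataclasses import dataclass

# Directories from which a Visual C++ runtime DLL is expected to load on a
# typical Windows host (assumption; tune to the environment).
TRUSTED_DLL_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")

# User-writable locations where a scheduled task's action is suspicious
# (assumption; common persistence drop points).
USER_WRITABLE_DIRS = (r"c:\users", r"c:\programdata", r"c:\windows\temp")

# DLL name taken from the campaign description.
SIDELOAD_DLLS = {"vcruntime140_1.dll"}


@dataclass
class Finding:
    rule: str
    detail: str


def _norm(path: str) -> str:
    # Normalise Windows-style paths regardless of the host OS.
    return ntpath.normpath(path).lower()


def _under(path: str, roots) -> bool:
    p = _norm(path)
    return any(p == _norm(r) or p.startswith(_norm(r) + "\\") for r in roots)


def check_image_load(ev: dict):
    """Flag a runtime DLL loaded from outside the trusted system directories."""
    dll = ev["ImageLoaded"]
    if ntpath.basename(dll).lower() not in SIDELOAD_DLLS:
        return None
    if _under(ntpath.dirname(dll), TRUSTED_DLL_DIRS):
        return None
    loader = ev["Image"]
    same_dir = _norm(ntpath.dirname(dll)) == _norm(ntpath.dirname(loader))
    note = " (DLL sits beside the loader, classic sideload layout)" if same_dir else ""
    return Finding("dll_sideload", f"{ntpath.basename(loader)} loaded {dll}{note}")


def check_task_create(ev: dict):
    """Flag a new scheduled task whose action runs from a user-writable path."""
    cmd = ev["Command"]
    if _under(ntpath.dirname(cmd), USER_WRITABLE_DIRS):
        trig = ev.get("Trigger", "unknown")
        return Finding("task_persistence",
                       f"task {ev['TaskName']!r} runs {cmd} on trigger {trig}")
    return None


HANDLERS = {"ImageLoad": check_image_load, "ScheduledTaskCreate": check_task_create}


def analyze(events):
    """Return the list of findings for a sequence of event dicts."""
    findings = []
    for ev in events:
        handler = HANDLERS.get(ev["EventType"])
        if handler is None:
            continue
        f = handler(ev)
        if f is not None:
            findings.append(f)
    return findings


# Constructed sample events: one benign load, one sideload, one persistence
# task, one benign task. Paths and task name are placeholders.
SAMPLE_EVENTS = [
    {"EventType": "ImageLoad",
     "Image": r"C:\Program Files\ExampleApp\app.exe",
     "ImageLoaded": r"C:\Windows\System32\vcruntime140_1.dll"},
    {"EventType": "ImageLoad",
     "Image": r"C:\Users\victim\AppData\Local\Temp\ADNotificationManager.exe",
     "ImageLoaded": r"C:\Users\victim\AppData\Local\Temp\vcruntime140_1.dll"},
    {"EventType": "ScheduledTaskCreate", "TaskName": "PLACEHOLDER_TASK",
     "Command": r"C:\Users\victim\AppData\Local\Temp\ADNotificationManager.exe",
     "Trigger": "boot"},
    {"EventType": "ScheduledTaskCreate", "TaskName": "BenignMaintenance",
     "Command": r"C:\Windows\System32\svchost.exe", "Trigger": "daily"},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.detail}")
```

Run as-is it reports two findings, the sideload and the boot-triggered task, and stays silent on the two benign records. In production the same two checks map onto Sysmon Event ID 7 (image load) and Windows Security Event ID 4698 (scheduled task created), and the trusted-directory list should be built from the actual software inventory rather than hard-coded.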

Key Insights and Future Considerations

This campaign offers several crucial insights into modern cyber threats. Notably, adversaries are increasingly willing to impersonate IT personnel, employing aggressive tactics that blur the lines between fraud and genuine support. Techniques previously reserved for state-sponsored attacks or large corporations are now being utilized against a broader range of targets.

The speed with which these attacks escalate—from initial contact to full-scale network compromise—is particularly alarming. Furthermore, the various methods used for persistence highlight the adaptability of these cybercriminals.

According to Huntress, the process begins with a seemingly innocent phone call. However, it quickly escalates into a complex network breach, where modified Havoc Demons and legitimate tools are used interchangeably to sustain control.

As cyber threats continue to evolve, constant vigilance and adaptive security measures will be essential in mitigating risks associated with such sophisticated attacks.
