
Havoc C2 framework weaponized in new tech support scam


Nearly half a dozen organizations have been targeted in a new IT support scam campaign that deploys the Havoc command-and-control framework as a foothold for subsequent data theft or ransomware, reports The Hacker News.

Intrusions begin with email bombing, a tactic previously used by the Black Basta ransomware gang, followed by a phone call from a fake IT service desk that talks the target into granting remote access to their machine, according to a Huntress analysis. Once the victim allows access via Quick Assist or AnyDesk, the attacker navigates to a bogus Microsoft landing page hosted on AWS that harvests credentials and delivers a DLL which, when sideloaded, runs the Havoc shellcode.
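The chain described above (remote-assistance session, then a downloaded DLL loaded by a process in a user-writable location) lends itself to a simple correlation rule. The following Python is an added illustration, not code from Huntress, SC Media or the campaign itself: it scans constructed Sysmon-like events and flags any host where Quick Assist or AnyDesk started and, within a short window, a DLL was loaded from a user-writable path. The process names, the path heuristic, the 30-minute window, and every sample event are assumptions chosen for the demo, not indicators from the report.

```python
"""Correlate remote-assistance launches with DLL loads from user-writable paths.

Added example (not from the Huntress report or the article). Field names are a
simplified Sysmon-like shape; paths, window and sample events are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Remote-assistance tools named in the campaign description. Matched on the
# file name only, case-insensitively.
REMOTE_ASSIST_IMAGES = {"quickassist.exe", "anydesk.exe"}

# Assumed heuristic: a DLL a user was lured into downloading lands under a path
# a standard user can write to, not under System32 or Program Files.
USER_WRITABLE_PREFIXES = (
    "c:\\users\\",
    "c:\\programdata\\",
    "c:\\windows\\temp\\",
)

# Assumed correlation window between the remote session and the DLL load.
WINDOW = timedelta(minutes=30)


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    kind: str      # "process_create" or "image_load"
    image: str     # new process image, or the DLL path for image_load
    process: str   # process that loaded the DLL (image_load only)


def file_name(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def is_user_writable(path: str) -> bool:
    return path.lower().startswith(USER_WRITABLE_PREFIXES)


def correlate(events: list[Event]) -> list[dict]:
    """One alert per (host, DLL) where a DLL from a user-writable path was
    loaded within WINDOW after Quick Assist or AnyDesk started on that host."""
    by_host: dict[str, list[Event]] = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_host.setdefault(e.host, []).append(e)

    alerts: list[dict] = []
    seen: set[tuple[str, str]] = set()
    for host, evs in by_host.items():
        starts = [e for e in evs
                  if e.kind == "process_create" and file_name(e.image) in REMOTE_ASSIST_IMAGES]
        loads = [e for e in evs
                 if e.kind == "image_load" and e.image.lower().endswith(".dll")
                 and is_user_writable(e.image)]
        for s in starts:
            for load in loads:
                if s.ts <= load.ts <= s.ts + WINDOW and (host, load.image) not in seen:
                    seen.add((host, load.image))
                    alerts.append({
                        "host": host,
                        "tool": file_name(s.image),
                        "tool_start": s.ts.isoformat(),
                        "dll": load.image,
                        "loaded_by": load.process,
                        "delay_min": (load.ts - s.ts).total_seconds() / 60,
                    })
    return alerts


# Constructed sample telemetry (not real incident data; paths are illustrative).
T0 = datetime(2025, 3, 3, 10, 0)
SAMPLE_EVENTS = [
    # ws-01: Quick Assist session, then a DLL from Downloads loaded by a
    # launcher in the same downloaded folder (sideload pattern) -> alert.
    Event(T0, "ws-01", "process_create", r"C:\Windows\System32\QuickAssist.exe", ""),
    Event(T0 + timedelta(minutes=9), "ws-01", "image_load",
          r"C:\Users\jdoe\Downloads\update\helper.dll",
          r"C:\Users\jdoe\Downloads\update\setup.exe"),
    # ws-02: legitimate AnyDesk use, only system DLLs loaded -> no alert.
    Event(T0, "ws-02", "process_create", r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe", ""),
    Event(T0 + timedelta(minutes=2), "ws-02", "image_load",
          r"C:\Windows\System32\ntdll.dll", r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe"),
    # ws-03: user-path DLL load with no remote-assistance session -> outside this rule.
    Event(T0, "ws-03", "image_load", r"C:\Users\asmith\AppData\Local\Temp\x.dll",
          r"C:\Windows\explorer.exe"),
    # ws-04: Quick Assist, but the DLL load is two hours later -> outside WINDOW.
    Event(T0, "ws-04", "process_create", r"C:\Windows\System32\QuickAssist.exe", ""),
    Event(T0 + timedelta(hours=2), "ws-04", "image_load",
          r"C:\Users\bob\Downloads\late.dll", r"C:\Users\bob\Downloads\late.exe"),
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Run stand-alone, the script reports only ws-01. The obvious caveat is noise: an environment that legitimately uses AnyDesk or Quick Assist for support will need an allowlist of sanctioned operators or a tighter path heuristic, and the rule says nothing about whether the loaded DLL is actually Havoc; it only surfaces the sequence the article describes for an analyst to triage.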

The campaign, observed compromising multiple endpoints within 11 hours, "is a case study in how modern adversaries layer sophistication at every stage: social engineering to get in the door, DLL sideloading to stay invisible, and diversified persistence to survive remediation," said Huntress.
