Fake Tech Support Spam Deploys Customized Havoc C2 Across Organizations

The Hacker News, 03/03/2026, 17:15

Summary

AI-Generated

Key Points:

  • A new campaign has emerged where threat actors impersonate IT support to deliver the Havoc command-and-control (C2) framework, leading to potential data exfiltration or ransomware attacks.
  • The intrusions affected five organizations, with attackers rapidly moving laterally across networks and deploying custom Havoc payloads alongside legitimate remote monitoring tools for persistence.
  • Security teams should enhance email filtering, train employees on social engineering tactics, and monitor for unusual remote access requests to mitigate these threats.

Technical Details: The campaign employs social engineering via spam emails and phone calls, utilizing tools like AnyDesk for remote access and executing malicious DLLs to deploy the Havoc shellcode. Techniques such as control flow obfuscation are used to evade detection.

MITRE ATT&CK Techniques:

  • T1566 - Phishing (Initial Access)
  • T1071.001 - Application Layer Protocol: Web Protocols (Command and Control)
  • T1203 - User Execution (Execution)
  • T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys (Persistence)
  • T1021.001 - Remote Services: Remote Desktop Protocol (Lateral Movement)

IOCs Mentioned: None
