Targeted Campaign Delivering Havoc | dmpdump

On January 15, 2025, a malicious LNK file was discovered that executes a PowerShell script to download harmful DLL files. The attack leverages DLL hijacking techniques to execute a final payload associated with the Havoc framework. Recent activities suggest the campaign may be targeting regions such as Bangladesh and Pakistan, using deceptive tactics involving fraudulent transactions.

Affected: Windows, Bangladesh, Pakistan, China

Key points:

  • Malicious LNK file (DH-Report76.pdf.lnk) uploaded to VirusTotal on January 15, 2025.
  • LNK file sourced from army-mil[.]zapto.org.
  • Utilizes PowerShell to download additional payloads from army-mil.b-cdn[.]net.
  • PowerShell script downloads an encrypted payload (onelog.dll) and a loader DLL (sppc.dll).
  • The legitimate file phoneactivate.exe is renamed to “word.exe” for malicious execution.
  • The LNK file creates a shortcut in Windows Startup for persistence.
  • sppc.dll is a DLL-hijacking loader: the renamed phoneactivate.exe loads it, and it in turn loads the malicious payload.
  • The payload (demon.x64.dll) is part of the Havoc framework for further malicious actions.
  • Threat actor activity may target Bangladesh, Pakistan, and China, linked to fraudulent transaction schemes.
  • Indicators of compromise (IOCs) from related recent findings were shared on social media platforms.

MITRE Techniques:

  • T1071.001 – Application Layer Protocol: Uses PowerShell to download files via HTTP/S.
  • T1218.010 – Signed Binary Proxy Execution: Executes phoneactivate.exe after malicious renaming.
  • T1399 – Container Administration: Uses DLL hijacking techniques through sppc.dll to execute payloads.
  • T1059.001 – Cross-Site Scripting: Uses PowerShell scripts to execute commands that undermine system security.
  • T1041 – Exfiltration Over Command and Control Channel: The use of the Havoc framework for C2 communications.

Indicators of Compromise:

  • [URL] army-mil[.]zapto.org
  • [URL] army-mil.b-cdn[.]net/onelog.dll
  • [URL] army-mil.b-cdn[.]net/sppc.dll
  • [SHA-256] 7498a07f903486473cce83fbf16b88009765af98326e1ebef4c48f103b874f65
  • [SHA-256] 90f43a20a956b5d2e7b73cd3c2a6896a3af032414a297a23d0f07ef2f1016b17
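As an added defender-side example (not code from the dmpdump post), the following Python matches the indicators and behaviours listed above against Sysmon-style endpoint records. The domains, hashes and file names come from this summary; the record field names (EventID, Image, OriginalFileName, ImageLoaded, TargetFilename, CommandLine) and the sample events are constructed for illustration and are not taken from the report.

```python
"""Match the report's IoCs and behaviours against constructed endpoint records."""
import re

# Indicators copied from the summary above, kept defanged as published.
REPORT_DOMAINS = ["army-mil[.]zapto.org", "army-mil.b-cdn[.]net"]
REPORT_SHA256 = [
    "7498a07f903486473cce83fbf16b88009765af98326e1ebef4c48f103b874f65",
    "90f43a20a956b5d2e7b73cd3c2a6896a3af032414a297a23d0f07ef2f1016b17",
]
# Behavioural details from the key points (file names are the summary's own).
RENAMED_BINARY = ("phoneactivate.exe", "word.exe")
HIJACKED_DLL = "sppc.dll"
STARTUP_DIR_RE = re.compile(r"\\start menu\\programs\\startup\\", re.IGNORECASE)


def refang(indicator):
    """Turn a defanged indicator (army-mil[.]zapto.org) back into a matchable string."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def ioc_hits(text):
    """Return the report IoCs (refanged) that appear anywhere in a free-text record."""
    lowered = text.lower()
    hits = [d for d in map(refang, REPORT_DOMAINS) if d.lower() in lowered]
    hits += [h for h in REPORT_SHA256 if h in lowered]
    return hits


def behaviour_hits(event):
    """Flag the chain's behaviours in one Sysmon-style event (assumed field names)."""
    findings = []
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    # Signed phoneactivate.exe executing under the file name word.exe
    if original == RENAMED_BINARY[0] and image.endswith("\\" + RENAMED_BINARY[1]):
        findings.append("phoneactivate.exe renamed to word.exe")
    # sppc.dll resolved from outside System32 (search-order hijack of the loader)
    loaded = event.get("ImageLoaded", "").lower()
    if loaded.endswith("\\" + HIJACKED_DLL) and "\\windows\\system32\\" not in loaded:
        findings.append("sppc.dll loaded from non-system directory")
    # A .lnk written into a Startup folder (persistence)
    target = event.get("TargetFilename", "")
    if target.lower().endswith(".lnk") and STARTUP_DIR_RE.search(target):
        findings.append("LNK dropped in Startup folder")
    return findings


def triage(events):
    """Return (EventID, reasons) for every event that matches an IoC or a behaviour."""
    alerts = []
    for ev in events:
        text = " ".join(str(v) for v in ev.values())
        reasons = ioc_hits(text) + behaviour_hits(ev)
        if reasons:
            alerts.append((ev.get("EventID"), reasons))
    return alerts


# Constructed sample events (hypothetical paths and field values, not from the report).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": "powershell.exe -w hidden ... army-mil.b-cdn.net/sppc.dll"},
    {"EventID": 1, "Image": r"C:\Users\victim\AppData\Local\Temp\word.exe",
     "OriginalFileName": "phoneactivate.exe"},
    {"EventID": 7, "Image": r"C:\Users\victim\AppData\Local\Temp\word.exe",
     "ImageLoaded": r"C:\Users\victim\AppData\Local\Temp\sppc.dll"},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\victim\AppData\Roaming\Microsoft\Windows"
                       r"\Start Menu\Programs\Startup\DH-Report76.pdf.lnk"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE"},
]

if __name__ == "__main__":
    for event_id, reasons in triage(SAMPLE_EVENTS):
        print(event_id, reasons)
```

The behavioural checks are the durable part: the domains and hashes will change between campaigns, but a signed binary running under a different name, a DLL resolved from a user-writable directory, and a shortcut appearing in a Startup folder are worth alerting on regardless of which loader is involved.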


Full Story: https://dmpdump.github.io/posts/Havoc