'What begins as a phone call from 'IT support' ends with a fully instrumented network compromise': This fake tech support scam tricks employees into infecting their own company devices


Summary

Cyber attackers are employing tactics such as browser crashes and impersonating IT staff to trick employees into installing Havoc malware. This alarming trend poses significant risks to corporate systems, highlighting the need for enhanced cybersecurity measures.


Key Insights

What is Havoc malware?
Havoc is an open-source post-exploitation command and control (C2) framework that enables attackers to remotely control compromised systems, perform credential theft, lateral movement across networks, data exfiltration, and ransomware preparation. It supports capabilities like file downloads/uploads, system discovery, and persistence through custom payloads and legitimate tools.
Sources: [1], [2]
How does the fake tech support scam deliver Havoc malware?
Attackers first send email spam lures, then follow up with fake IT support calls that trick employees into dealing with a browser crash or downloading a fake anti-spam patch. The resulting payload relies on DLL sideloading through a legitimate binary such as ADNotificationManager.exe, which executes Havoc shellcode; persistence is then established through scheduled tasks and RMM tools.
Sources: [1]
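The chain above (a legitimate binary sideloading a DLL from a user-writable folder, then scheduled-task persistence) is the kind of sequence a defender can look for in endpoint telemetry. The following is an added example, not code from the article or from the Havoc project; the Sysmon-style events, the trusted-directory list and the time window are constructed assumptions for illustration.

```python
# Added example: correlate a DLL-sideload candidate with follow-on persistence
# in constructed Sysmon-style events (EID 7 = image load, EID 1 = process create).
from datetime import datetime, timedelta

# Assumption: DLLs loaded from these roots are considered normal for a signed binary.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
HOST_BINARY = "adnotificationmanager.exe"   # legitimate binary named in the article
PERSISTENCE_TOOLS = ("schtasks.exe",)        # scheduled-task creation

# Constructed sample events: one sideload + persistence chain, one benign load.
SAMPLE_EVENTS = [
    {"id": 7, "t": "2024-01-01T10:00:00", "pid": 4242,
     "image": r"C:\Users\alice\Downloads\patch\ADNotificationManager.exe",
     "loaded": r"C:\Users\alice\Downloads\patch\VERSION.dll"},
    {"id": 1, "t": "2024-01-01T10:00:30", "pid": 5000, "ppid": 4242,
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": "schtasks /create /sc minute /mo 5 /tn Updater /tr x.exe"},
    {"id": 7, "t": "2024-01-01T11:00:00", "pid": 7000,
     "image": r"C:\Program Files\Vendor\ADNotificationManager.exe",
     "loaded": r"C:\Windows\System32\version.dll"},
]

def is_trusted_path(path: str) -> bool:
    """True when the DLL sits under a root that normal installs use."""
    return path.lower().startswith(TRUSTED_DIRS)

def detect_sideload_chain(events, window_s=300):
    """Return {pid: {"at", "dll", "persistence"}} for host-binary processes that
    loaded a DLL from an untrusted path; "persistence" holds the command line of a
    scheduled-task tool spawned by that process within window_s, else None."""
    alerts = {}
    for ev in sorted(events, key=lambda e: e["t"]):
        t = datetime.fromisoformat(ev["t"])
        if ev["id"] == 7 and ev["image"].lower().endswith(HOST_BINARY):
            # Legitimate host binary loading a DLL from outside trusted roots.
            if not is_trusted_path(ev["loaded"]):
                alerts[ev["pid"]] = {"at": t, "dll": ev["loaded"], "persistence": None}
        elif ev["id"] == 1 and ev.get("ppid") in alerts:
            # Child of a sideload candidate: check for scheduled-task persistence.
            a = alerts[ev["ppid"]]
            if (ev["image"].lower().endswith(PERSISTENCE_TOOLS)
                    and t - a["at"] <= timedelta(seconds=window_s)):
                a["persistence"] = ev["cmdline"]
    return alerts

if __name__ == "__main__":
    for pid, a in detect_sideload_chain(SAMPLE_EVENTS).items():
        print(pid, a["dll"], "->", a["persistence"])
```

The benign load from Program Files produces no alert, while the Downloads-folder load is reported together with the schtasks command line that followed it.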