Concrete signature match: Backdoor - Provides unauthorized remote access for 64-bit Windows platform, family Havoc
This threat is a backdoor component of the Havoc command-and-control (C2) framework, designed to give attackers persistent remote access and full control over the compromised system. The malware, identified by its 'demon.x64.dll' payload, uses advanced techniques for execution, persistence, and evasion, such as API hooking and abusing legitimate Windows tools like PowerShell and Scheduled Tasks.
Relevant strings associated with this threat:
- demon.x64.dll (PEHSTR_EXT)
- DllMain (PEHSTR_EXT)
- !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
- rundll32 (PEHSTR_EXT)
- !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
- !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
- !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
Associated hash: 86d1ba178ae4f79243051c3b4e7a9beea2395e9ef0c8e2af930e32a51ec83b3f

Remediation: Immediately isolate the affected host from the network to prevent lateral movement and C2 communication. Conduct a full forensic investigation to determine the initial access vector and scope of the breach. Reimage the system from a known-good source and reset all associated user and service account credentials, as the host is considered fully compromised.