Security researchers from the FortiGuard Incident Response Team (FGIR) have uncovered a sophisticated exploitation of the Windows Task Scheduler to ensure malware persistence and enable advanced remote access capabilities.
The attackers leveraged the Task Scheduler to deploy a variant of the Havoc post-exploitation framework, a powerful open-source command and control (C2) tool, by disguising their payload as legitimate Windows processes.
Technical Analysis of the Attack Chain
The attack began with the installation of a remote injector masquerading as conhost.exe (Console Window Host), a legitimate Windows component responsible for command-line interface management since Windows 7.

The malicious injector was configured to execute via the Task Scheduler, using a command line that specified both a malicious DLL (conhost.dll) and the target process (cmd.exe).
The DLL contained an encrypted Havoc payload, which was decrypted and injected into a newly spawned cmd.exe process using standard Windows API calls such as CreateProcessA(), ZwAllocateVirtualMemory(), and ZwWriteVirtualMemory().
The decryption routine extracted the key and initialization vector (IV) from the first 30h bytes of the DLL, allowing the shellcode and the Havoc agent (referred to as the “demon”) to be loaded directly into memory.
The injector then created a remote thread within the cmd.exe process, executing the shellcode and activating the Havoc backdoor without writing any files to disk, thereby evading many traditional detection mechanisms.
Havoc Framework
Havoc, originally developed as an open-source post-exploitation toolkit, is written in C++, Go, and other languages, and provides a modular architecture for remote administration and lateral movement.
Once deployed, the Havoc demon establishes encrypted communication with its C2 server, hardcoded in this case as apps[.]gist[.]githubapp[.]net, using AES encryption to protect metadata and command traffic.

The demon collects comprehensive system information, including host and user names, domain, IP address, process details, and OS version, which it transmits to the C2 server for registration and ongoing management.
The command and control protocol supports a wide array of operations, such as process and file system manipulation, registry operations, network enumeration, privilege escalation, credential dumping, and in-memory execution of additional payloads via Beacon Object Files (BOFs).
The framework’s modularity allows attackers to extend its functionality dynamically, making detection and mitigation particularly challenging.
The abuse of Windows Task Scheduler for persistent malware deployment underscores the need for heightened monitoring of scheduled tasks and process creation events, especially those involving system binaries like conhost.exe and cmd.exe.
The use of in-memory injection and encrypted C2 communications further complicates detection, necessitating behavioral analysis and memory forensics in addition to signature-based approaches.
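As an added illustration of the process-creation monitoring described above (this is not code from the Fortinet report), the following triage logic runs over constructed Sysmon-style process-creation records and flags the three behaviours the attack chain exhibits: a binary named conhost.exe running from outside the Windows system directories, a conhost.exe launched by the Task Scheduler service with a DLL and a target process on its command line, and a cmd.exe whose parent is such a rogue conhost.exe. The record field names follow Sysmon Event ID 1; the specific command-line shape and paths are assumptions.

```python
import re

# Constructed process-creation records in Sysmon Event ID 1 field style; not real telemetry.
EVENTS = [
    # Legitimate conhost.exe started for a console application.
    {"Image": r"C:\Windows\System32\conhost.exe",
     "CommandLine": r"\??\C:\Windows\system32\conhost.exe 0x4",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    # Assumed shape of the injector launch: a scheduled task (svchost hosting the
    # Schedule service) runs a look-alike conhost.exe naming the DLL and the target.
    {"Image": r"C:\Users\Public\conhost.exe",
     "CommandLine": r"C:\Users\Public\conhost.exe conhost.dll cmd.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "ParentCommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p -s Schedule"},
    # The cmd.exe spawned by the injector as the injection target.
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe",
     "ParentImage": r"C:\Users\Public\conhost.exe"},
]

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SYSTEM_NAMES = {"conhost.exe", "cmd.exe"}
INJECTOR_CMDLINE = re.compile(r"\S+\.dll\b.*\bcmd\.exe\b")


def triage(event):
    """Return the list of detection labels that apply to one process-creation record."""
    findings = []
    image = event["Image"].lower()
    name = image.rsplit("\\", 1)[-1]
    parent = event.get("ParentImage", "").lower()
    parent_name = parent.rsplit("\\", 1)[-1]
    cmdline = event.get("CommandLine", "").lower()
    parent_cmdline = event.get("ParentCommandLine", "").lower()
    # A system-binary name running from a non-system path is masquerading.
    if name in SYSTEM_NAMES and not image.startswith(SYSTEM_DIRS):
        findings.append("masquerading-system-binary-path")
    # A system-binary name launched directly by the Task Scheduler service is rare.
    if name in SYSTEM_NAMES and "-s schedule" in parent_cmdline:
        findings.append("launched-by-task-scheduler-service")
    # conhost.exe given a DLL and a target process on its command line.
    if name == "conhost.exe" and INJECTOR_CMDLINE.search(cmdline):
        findings.append("injector-style-command-line")
    # cmd.exe whose parent is a conhost.exe outside the system directories.
    if name == "cmd.exe" and parent_name == "conhost.exe" and not parent.startswith(SYSTEM_DIRS):
        findings.append("cmd-spawned-by-rogue-conhost")
    return findings


def triage_all(events):
    """Return (index, findings) for every record that triggered at least one label."""
    return [(i, f) for i, e in enumerate(events) if (f := triage(e))]
```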
Fortinet has updated its security services to detect and block this threat, with specific antivirus signatures and web filtering rules targeting both the injector and the Havoc payload.
Organizations are encouraged to maintain up-to-date endpoint protection, monitor for anomalous task scheduler entries, and review network traffic for suspicious outbound connections to known malicious domains.
Indicators of Compromise (IOCs)
| Type | Value | Description |
|---|---|---|
| C2 Server | apps[.]gist[.]githubapp[.]net | Hardcoded C2 domain used by the Havoc demon |
| SHA-256 Hash | 22BD09FBAB54963D4B0234585D33571A47A2DF569DBAB8B40988415AB0A3C37B | conhost.exe / remote injector |
| SHA-256 Hash | 9208034AF160357C99B45564FF54570B1510BAF3BC033999AE4281482617FF5B | conhost.dll / encrypted Havoc sample |