Prelude: Crypto Heist Causes HAVOC

Key Findings

• Kroll researchers discovered two new pieces of malware, a backdoor and a loader named “PRELUDE” and “DELPHYS,” respectively.
• These malwares led to deployment of Havoc C2’s agent, “Demon,” while investigating a large-scale cryptocurrency theft.
• Havoc C2 is an open-source, post-exploitation command and control framework.
• Once Demon is installed and running on the system, threat actors have access to a wide set of features, giving them the access they need to accomplish their theft.
• The highly targeted campaign was initiated via social engineering over direct contact on the X platform from a single user.

Overview

During the investigation of a large-scale cryptocurrency theft, with total losses significantly exceeding USD 1 million spread across multiple currencies, Kroll researchers discovered two new pieces of malware. These pieces of malware ultimately led to deployment of Havoc C2’s agent, “Demon.”

Havoc C2 is an open-source, post-exploitation command and control framework whose agent, Demon, includes features such as indirect system calls and AMSI/ETW patching. The source code for Havoc C2 is available on GitHub. Once Demon is installed and running on the system, the threat actor has access to a wide set of features, including screenshots, file systems, data exfiltration, process manipulation and ability to extend with PowerShell, operating system commands and dotnet assemblies, giving them all the access they need over the victim machine to realize their theft.

The highly targeted campaign was initiated via social engineering over direct contact on the X platform from a single user. The actor then directed the interaction to a Discord server, where other individuals took part in the social engineering conversations.

Kroll believes the threat actor was targeting individuals of high net worth in the cryptocurrency space. The targeting could be due to these individuals being easier targets for theft than organizations, due to the frequent lack of permitter and advanced host-based protections. The actor being able to directly target individuals via tools such as X and Discord may also have played a part in the targeting decision.

During the investigation, Kroll found two pieces of malware we believe had not been previously documented, a backdoor and a loader we named “PRELUDE” and “DELPHYS,” respectively.

Because new or open-source malware was used and C2 infrastructure appears to have been created specifically for the campaign, attribution to a known actor is not possible. It is also possible that a new actor is responsible; as such, Kroll is tracking this activity under a new entity, KTA440.

Initial Installer

The initially executed file is a signed.msi file over 700 megabytes in size. MSI files are a Windows installer package file. This is a flexible file type that is typically used to bundle files for installation or updates. When an.msi package is executed, msiexec.exe unpacks the bundled files and potentially executes one or more of the child files. At the time of execution and initial analysis, the file signature was valid. A valid signature and large file size allow the execution to potentially bypass typical initial endpoint security checks, as many tools have file size limits, and Authenticode signing assists to confirm the integrity of the installer. The signature information is below:

Figure 1 – Valid digital signature

Signing took place on January 30, 2025, and the signature is considered valid between the dates of September 12, 2024, through September 12, 2025, unless revoked.

Within this installer, there are several different files bundled together, some of which appear to be duplicates, and some are not observed by Kroll to be executed by the installer upon installation. This may be to pad the size of the binary beyond limits for many tools, though it is possible the threat actor could have found a use for the files. The parent folder that the installer was created from is named “VcSQL Dashboard,” and the resulting package is named “setupdashboard.msi.”

Below are the executable files that are dropped when executed by msiexec.exe:

Figure 2 – List of enclosed files

While some of the files, such as dbmysql.exe, will be elaborated on further, observed execution of the installer will be described first. DashboardClient.exe is a .Net binary that portrays a fake installation screen, appearing as below:

Figure 3 – False install screen

This installation appears to hang or fail; however, the status bar operates based on a timer as well as a sequence of several fake installation steps, to give the installer the appearance of authenticity. The progress bar itself is based on a timer and displays these installation statuses:

Figure 4 – Progress bar sequence

While there are not many strings of note within the binary, DashboardClient.exe did contain a Chinese character string, which translates to “Are you out of your mind?”

Figure 5 – Chinese character string

While dbmysql.exe and oleview.exe are further described within this write-up, two batch files are also executed to establish scheduled tasks for persistence for the PRELUDE backdoor as well as the DELPHYS loader, which is used to execute a HAVOC C2 Demon.

The first of these, “if_bat_file.bat,” creates a scheduled task to execute oleview.exe every two minutes with the highest possible privileges. The task is named “Msdblq,” with the description “Msdblql Reference Telemetry.” This allows for the PRELUDE backdoor to be executed repeatedly via Dynamic Link Library (DLL) sideloading with the highest authority available to the executing account. This batch file is presented below, though it should be noted that the comments within the code are not provided by Kroll analysis; the sample is presented as found. Following this task creation, the binaries used for sideloading are copied to the %TEMP% directory from the current directory. The task name and description appear to attempt to hide the malicious binary as well as its communication under the guise of database telemetry.

Figure 6 – oleviewer.exe persistence batch file

The second of these, “rif_bat_file.bat,” creates a scheduled task to execute the DELPHYS loader every two minutes with the highest possible privileges. The task is named “Msqdbl” and is similarly given a description of “Msqdbl Reference Telemetry.” This allows for the DELPHYS backdoor to be executed repeatedly via DLL sideloading with the highest authority available to the executing account. This batch file is also presented below, and the comments within the code are provided to us by the threat actors, not via Kroll analysis.

There are no further actions following task creation, and the task name as well as its description appear to attempt to disguise the behavior of the malicious binary similarly to the first sample.

Figure 7 – DELPHYS persistence batch file

PRELUDE Backdoor

PRELUDE is a .NET-based backdoor likely written in C#. It is the first of the two malwares executed and runs via DLL sideloading. The malware makes use of a recent version of oleviewer.exe, a Microsoft signed binary from the Windows SDK that is susceptible to sideloading of the iviewers.dll file. A renamed copy of the original DLL is supplied alongside the malicious version for function proxying so that oleviewer.exe performs normally and does not alert the victim.
The use of oleviewer.exe for sideloading has been seen previously with a campaign attributed to a China-Nexus group. Kroll Threat Intelligence researched and tested various versions of oleviewer.exe from different Windows SDKs, including a Windows 8.1 SDK and the latest Windows 11 SDK; all versions tested were susceptible to sideloading.

As a.NET, this sample was the easier of the two malwares to analyze. The entry function for the malicious DLL calls three suspicious functions before setting up handles to itself and a copy of the legitimate DLL for proxying function calls.

Figure 8 – Source code of the main function of malicious DLL, with function calls and pointer to original DLL

Each of the three suspicious functions starts a thread calling its own function.

Figure 9 – The three main malicious threads of PRELUDE backdoor

StartActMethod()

This the first function executed, and it creates a thread that runs WindowsProperties.QuerySelectors().

Figure 10 – WindowsProperties.QuerySelectors() with decrypted values in comments added by Kroll

Once the two encrypted strings are decrypted (via XOR), it becomes clear that the function manipulates the Windows Defender exclusion list by adding the location of this program to it. Due to the nature of the executable being used in the sideloading, the malware is less lightly to be flagged as malicious by antivirus software. Since both PRELUDE and DELPHYS share the same directory, this setting protects both malwares. Hence the name PRELUDE, taken from Sergei Rachmaninoff’s “Prelude in C Sharp Minor” because the malware is written in C# and is the first executed in order to prep the system for later stages.

StartTestMethod()

This function creates a thread to run the function “TestMethod24.”

Figure 11 – TestMethod24() source code

TestMethod24() opens a Transmission Control Protocol (TCP) socket to a domain on port 443. It then launches cmd.exe and redirects StandardOutput, StandardError and StandardInput between the TCP object and cmd.exe process object. As such, this a classic TCP reverse shell, which was validated from packet capture in a simulated network environment.

Figure 12 – Data from packet capture showing remote shell traffic

StartScreenMethod()

This function creates a thread to run the function “ScreenMethod,” which in turn calls a method Watch.SaveScreenshot.

Figure 13 – StartScreenMethod() source code

Figure 14 – SaveScreenshot() source code

The function Watch.SaveScreenshot performs a screen capture of the Windows desktop and encodes the result as a string inside a dictionary object, which it passes to the SendErrorLog function alongside a variable containing a hardcoded URL resource.

Figure 15 – SendErrorLog() source code

Finally, the SendErrorLog function takes the screenshot, wraps it in a POST request and sends it to the C2 server over an HTTP. In short, StartScreenMethod() captures screenshots and sends them to the C2 server. This functionality was also validated via extracting an image payload from the package capture during a simulated network dynamic test.

Figure 16 – Screenshot taken by malware during dynamic analysis, extracted from the network packet capture

PRELUDE Summary

PRELUDE is a simple backdoor that provides a reverse shell and the ability to take screenshots. It also sets the stage for the following malware by modifying the Windows Defender exclusion lists.

DELPHYS Loader

DELPHYS is a 64-bit Delphi loader distributed in EXE form. A 64-bit Delphi is not well supported in common reverse engineering tools. While DELPHYS does not display a graphical user interface (GUI), it was created as a GUI application, meaning the compiler included a large amount of effectively redundant code that would normally be used for rendering and behaving as a GUI application. This extra code makes it harder to find the comparatively small amount of malicious code that lies within.

Initial Identification

Doing an initial “strings” on the binary indicated that we were dealing with a higher-level language due to the amount of class names that were easily visible. This combined with the amount of those class names that began with the letter “T,” meant that the higher-level language was likely to be Delphi. This theory was easily tested by looking for the string with “Delphi,” which provided us with the Delphi compiler version: 29.0, indicating this sample was compiled with Delphi XE8 from 2015.

Figure 17 – Screenshot showing “T” classes and other indicative Delphi strings

Payload Extraction Routine

When looking at the sample in a static analysis tool, we found some code that the tool had not automatically detected as a function but appeared to be such.

Figure 18 – Code looking like a function, but undetected as such by automated analysis of static analyzer

This code appeared interesting as it contained calls to VirtualAlloc:

Figure 19 - Section of code calling VirtualAlloc

Decompiling that section with Ghidra results in a function with interesting behavior:

Figure 20 – Suspicious function decompiled

First, the code loads a resource from the binary by using a string identifier.

Then it allocates two memory areas with protection set to 0x40 (PAGE_EXECUTE_READWRITE), allowing execution of these areas.

Then it processes from the resource into the memory areas.

Then it proceeds to code that modifies the memory in a way that looks like a decryption routine. (The StrokePath call always returns zero, so its purpose seems unclear; it is possibly there to make the loop look like it has a legitimate purpose.)

Finally, it calls another function with no parameters before returning.

The function called just before the return simply loads an address located in memory into a register and does an unconditional jump (JMP) to it.

Figure 21 – Function that unconditionally jumps to memory location

Going back to our original function, we can see that same memory location being set with a location at an offset within one of the executable memory sections.

Figure 22 – Setting of memory location for unconditional jump

Running the sample in a debugger with a break point set to just before the unconditional jump instruction, we can see that the executable buffer contains a Portable Executable (PE) file, and the program is about to jump execution to and offset within that executable file. Hence, the name DELPHYS because the loader is written in Delphi and another malicious executable is nested inside it.

Figure 23 – Screenshot debugger running DELPHYS showing execution about to pass to nested PE file

Kroll dumped the memory containing the PE file to disk and determined this file to be Demon, the agent for the open-source HAVOC C2 framework.

DELPHYS Summary

While DELPHYS is a larger file size, its main purpose appears to be to extract into memory and execute an executable nested within it. The fact that it is written in 64-bit Delphi makes it harder to statically analyze due to the volume of excess code and less out-of-the-box support in static analysis tools.

This investigation revealed the lengths a dedicated threat actor, KTA440, went through to target an individual, likely after significant amounts of recognisance on the intended target, and a social engineering campaign that led to deployment of novel malware to the victim’s device. KTA440 displays skills and capabilities consistent with actors familiar with defense evasion, the capabilities of endpoint detection and response tools and antivirus, and a clear path to chain exploitation of the target device.

An additional sign of sophistication is the presence of multiple technologies for each step in the attack chain. Delphi binaries are a lesser-used language. This means that many tools and detections are not written to enable rapid analysis of Delphi binaries. Delphi binaries also do not tend to have a high number of dependencies, resulting in a larger binary that often becomes more time-consuming to analyze. Any compiled software can be analyzed given enough time and effort. If an actor is confident this will be time-consuming, they may have more time for actions on objectives and a slower reverse engineering process of their tooling during the incident response. For theft, this can result in valuable time to tumble currencies and clean up their tracks.