🎃 Hackers Use ClickFix Trick to Deploy Havoc C2 PowerShell System via SharePoint Sites

chushpan

👉 Cybersecurity researchers are highlighting a new phishing campaign that uses the ClickFix technique to deliver an open-source command-and-control (C2) system called Havoc.

🗞 “The threat actor hides each stage of the malware behind a SharePoint site and uses a modified version of the Havoc Demon in combination with the Microsoft Graph API to hide C2 communications within trusted, well-known services”, according to a technical report from Fortinet FortiGuard Labs provided to The Hacker News.

📰 The attack starts with a phishing email containing an HTML attachment (“Documents.html”) that, when opened, displays an error message that uses the ClickFix technique to trick the user into copying and executing a malicious PowerShell command in a terminal or PowerShell, thus triggering the next stage.

📌 The command is designed to download and execute a PowerShell script hosted on an attacker-controlled SharePoint server. The downloaded PowerShell script checks whether it is running in a sandbox environment, and then downloads the Python interpreter (“pythonw.exe”) if it is not already present on the system.