🎃 Hackers Use ClickFix Trick to Deploy Havoc C2 PowerShell System via SharePoint Sites

chushpan

chushpan

Professional
Messages
1,090
Reaction score
1,052
Points
113
👉 Cybersecurity researchers are highlighting a new phishing campaign that uses the ClickFix technique to deliver an open-source command-and-control (C2) system called Havoc.

🗞 “The threat actor hides each stage of the malware behind a SharePoint site and uses a modified version of the Havoc Demon in combination with the Microsoft Graph API to hide C2 communications within trusted, well-known services”, according to a technical report from Fortinet ForEGuard Labs provided to The Hacker News.

📰 The attack starts with a phishing email containing an HTML attachment (“Documents.html”) that, when opened, displays an error message that uses the ClickFix technique to trick the user into copying and executing a malicious PowerShell command in a terminal or PowerShell, thus triggering the next stage.

📌 The command is designed to download and execute a PowerShell script hosted on an attacker-controlled SharePoint server. The downloaded PowerShell checks whether it runs in a sandbox environment, and then downloads the Python interpreter (“pythonw.exe”) if it is not already present on the system.
 
You must log in or register to reply here.

Similar threads

Carding Forum
Clickfix: infect your system yourself, here are instructions for you
Replies
0
Views
157
Carding Forum
Carding Forum
chushpan
☁️ OBSCURE#BAT malware uses fake CAPTCHA pages to distribute r77 rootkit and evade detection
Replies
0
Views
98
chushpan
chushpan
chushpan
🖥 New Trojan Can Spy, Steal Cryptocurrency, and Disguise Itself to Avoid Detection
Replies
0
Views
96
chushpan
chushpan
chushpan
🎃 Hackers exploit serious PHP flaw to deploy Quasar RAT and XMRig miners
Replies
0
Views
96
chushpan
chushpan
Man
ClickFix is evolving: Zoom and Google Meet are turning into tools for attacks
Replies
0
Views
149
Man
Man
Back
Top