Hackers Use ClickFix Trick to Deploy PowerShell-Based Havoc C2 via SharePoint Sites
Briefly

Cybersecurity researchers have identified a phishing campaign using the ClickFix technique to deploy Havoc, an open-source command-and-control framework. The attack begins with phishing emails containing an HTML file that tricks users into executing a harmful PowerShell command. This command downloads various scripts from a SharePoint server, evading security measures by utilizing trusted services for command-and-control communications. The framework includes capabilities for file operations and executing commands, which highlights the evolving tactics of threat actors in compromising user systems.
The attack starts with a phishing email containing an HTML attachment. When opened, the attachment displays an error message that uses the ClickFix technique to trick the user into executing a malicious command.
The threat actor hides each malware stage behind a SharePoint site and uses a modified version of Havoc Demon in conjunction with the Microsoft Graph API to obscure C2 communications.
Read at The Hacker News