- Security researchers spotted a new ClickFix campaign
- The goal is to deploy the Havoc post-exploitation framework
- The framework is hosted on a Microsoft SharePoint account
Hackers have been seen abusing Microsoft SharePoint to distribute the Havoc post-exploitation framework in a new ClickFix phishing attack.
Cybersecurity researchers Fortiguard Labs, who have been tracking the campaign since last year, highlighted how ClickFix is a type of scam we’ve probably all encountered at least once. Cybercriminals would hijack a website, and create an overlay that displays a fake error message (for example: “Your browser is outdated, and to view the contents of the webpage, you need to update it”). That fake message would prompt the victim into action, which usually concludes by downloading and running malware, or sharing sensitive information such as passwords or banking data.
This campaign is similar, although requires a bit more activity from the victim’s side. The attack chain starts with a phishing email, carrying a “restricted notice” as a .HTML attachment. Running the attachment displays a fake error that says “Failed to connect to OneDrive – update the DNS cache manually”. The page also has a “How to fix” button that copies a PowerShell command to the Windows clipboard, and then displays a message on how to paste and run it.
Rising threat of ClickFix
Running this script then runs a second one, hosted on the attackers’ SharePoint server which, in turn, downloads a Python script that deploys the Havoc post-exploitation framework as a .DLL file.
Havoc is a post-exploitation framework designed for advanced red teaming and adversary simulation, providing modular capabilities for stealthy command and control (C2) operations. It offers features like in-memory execution, encrypted communication, and evasion techniques to bypass modern security defenses.
ClickFix has gotten insanely popular in these last couple of months. In late October last year, a new malware variant was observed compromising thousands of WordPress websites, installing a malicious plugin that would serve the ClickFix attack.
Just a few weeks prior, researchers saw fake broken Google Meet calls, which was also a variant of the ClickFix attack.
Via BleepingComputer
Leave a comment