- Security researchers have spotted a new ClickFix campaign
- Its objective is to deploy the Havoc post-exploitation framework
- The framework is hosted on a Microsoft SharePoint account
Hackers have been seen abusing Microsoft SharePoint to distribute the Havoc post-exploitation framework in a new ClickFix phishing attack.
Fortiguard Labs cybersecurity researchers, who have been tracking the campaign since last year, noted that ClickFix is a type of scam most of us have probably encountered at least once. The criminals hijack a website and create an overlay that shows a fake error message (for example: "your browser is outdated; to view the content of this website, you must update it"). That fake message prompts the victim to act, which usually ends in downloading and executing malware, or handing over confidential information such as passwords or banking details.
This campaign is similar, although it requires a little more activity on the victim's side. The attack chain begins with a phishing email carrying a "restricted warning" as an attached .html file. Opening the attachment shows a fake error that reads "You cannot connect to OneDrive: update the DNS cache manually." The page also has a "How to fix" button that copies a PowerShell command to the Windows clipboard and then displays instructions on how to paste and run it.
CLICKFIX threat
Executing this script then runs a second one, hosted on the attackers' SharePoint server, which in turn downloads a Python script that deploys the Havoc post-exploitation framework as a .DLL file.
Havoc is a post-exploitation framework designed for advanced red teaming and adversary simulation, providing modular capabilities for stealthy command-and-control (C2) operations. It offers features such as in-memory execution, encrypted communication and evasion techniques to bypass modern security defenses.
ClickFix has become incredibly popular in recent months. At the end of October last year, a new malware variant was observed compromising thousands of WordPress websites, installing a malicious plugin that would serve the ClickFix attack.
Only a few weeks earlier, researchers saw fake Google Meet calls, also a variant of the ClickFix attack.
Via BleepingComputer
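A defender-side check for the attachment stage described above, as an added example that is not from the article or from Fortiguard's report: it scans an HTML attachment for the defining ClickFix trait, a script that writes a shell command to the clipboard, and flags the OneDrive lure wording the article quotes. The sample attachment is constructed here with a harmless placeholder command, and the regexes are assumptions, not the campaign's actual indicators.

```python
import re
from html import unescape

# Constructed sample of an HTML attachment of the kind the article describes:
# a fake OneDrive error whose "How to fix" button copies a command to the
# clipboard. The command body is a harmless placeholder, not the real script.
SAMPLE_ATTACHMENT = """
<html><body>
<h2>You cannot connect to OneDrive: update the DNS cache manually.</h2>
<button onclick="fix()">How to fix</button>
<script>
function fix() {
  navigator.clipboard.writeText('powershell -Command PLACEHOLDER');
  alert('Paste the copied command and run it to fix the error');
}
</script>
</body></html>
"""

# Constructed benign attachment for comparison.
BENIGN_ATTACHMENT = "<html><body><p>Quarterly report attached.</p></body></html>"

# Assumed indicators (not from the page): clipboard-writing JavaScript APIs,
# shell launchers that would run the pasted text, and the lure phrases quoted
# in the article.
CLIPBOARD_WRITE = re.compile(
    r"navigator\.clipboard\.writeText|execCommand\(\s*['\"]copy['\"]\s*\)", re.I)
SHELL_LAUNCH = re.compile(r"\b(?:powershell|pwsh)(?:\.exe)?\b|\bcmd\.exe\b", re.I)
LURE_TEXT = re.compile(r"how to fix|cannot connect to onedrive|dns cache", re.I)


def normalize(html: str) -> str:
    """Undo HTML entities and simple JS string concatenation ('power' + 'shell')
    so split keywords are seen whole. Heavier obfuscation is out of scope."""
    text = unescape(html)
    return re.sub(r"['\"]\s*\+\s*['\"]", "", text)


def score_clickfix(html: str) -> dict:
    """Return which indicators fired and a verdict for one HTML attachment."""
    text = normalize(html)
    hits = {
        "clipboard_write": bool(CLIPBOARD_WRITE.search(text)),
        "shell_command": bool(SHELL_LAUNCH.search(text)),
        "lure_text": bool(LURE_TEXT.search(text)),
    }
    # A clipboard write of a shell command is the core ClickFix behaviour;
    # lure text alone only raises confidence, it does not convict.
    suspect = hits["clipboard_write"] and hits["shell_command"]
    hits["verdict"] = "clickfix_suspect" if suspect else "benign"
    return hits
```

Run it over quarantined .html attachments at the mail gateway; a "clickfix_suspect" verdict is a reason to hold the message, not proof on its own.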