This article discusses a high-severity phishing campaign that utilizes the Havoc command-and-control framework to gain control over infected Microsoft Windows systems. Threat actors leverage social engineering tactics, specifically using a fake error message in an HTML attachment to execute malicious PowerShell commands. The campaign emphasizes the challenges in detecting malicious communications as they are hidden within legitimate services like Microsoft Graph API. Affected: Microsoft Windows, Organizations
Keypoints :
- The Havoc framework is a powerful command-and-control tool, similar to Cobalt Strike and Silver, used by threat actors.
- A phishing email containing an HTML file is the initial access method for the attack.
- The attachment, βDocuments.html,β deceives users into executing a malicious PowerShell command.
- The command downloads and executes a remote PowerShell script hosted on SharePoint.
- The campaign uses a modified version of Havoc Demon to conceal C2 communication within Microsoft Graph API.
- The threat actor employs ClickFix social engineering tactics to enhance the deception.
- The payload utilizes a PowerShell script and a Python script for additional malicious operations.
- Integration with Microsoft services complicates detection and response efforts against the malware.
- FortiGuard antivirus can detect and block the malware discussed in the article.
MITRE Techniques :
- T1203: Exploitation for Client Execution β Phishing email with an HTML attachment exploits users into running malicious code.
- T1071.001: Application Layer Protocol: Web Protocols β Use of Microsoft Graph API to obfuscate C2 traffic.
- T1059.001: Command and Scripting Interpreter: PowerShell β Execution of PowerShell scripts to manage malicious tasks.
- T1202: Indirect Command Execution β Use of a ClickFix HTML attachment to prompt users into pasting code.
- T1105: Remote File Copy β Downloading remote PowerShell and Python scripts from SharePoint.
Indicator of Compromise :
- [C2] hao771[.]sharepoint.com
- [File] 51796effe230d9eca8ec33eb17de9c27e9e96ab52e788e3a9965528be2902330989f58c86343704f143c0d9e16893fad98843b932740b113e8b2f8376859d2ddA5210aaa9eb51e866d9c2ef17f55c0526732eacb1a412b910394b6b51246b7dacc151456cf7df7ff43113e5f82c4ce89434ab40e68cd6fb362e4ae4f70ce65b3