Cybersecurity researchers are calling attention to a new phishing campaign that employs the ClickFix technique to deliver an open-source command-and-control (C2) framework called Havoc.
“The threat actor hides each malware stage behind a SharePoint site and uses a modified version of Havoc Demon in conjunction with the Microsoft Graph API to obscure C2 communications within trusted, well-known services,” Fortinet ForEGuard Labs said in a technical report shared with The Hacker News.
The starting point of the attack is a phishing email containing an HTML attachment (“Documents.html”) that, when opened, displays an error message, which uses the ClickFix technique to trick users into copying and executing a malicious PowerShell command into their terminal or PowerShell, thereby triggering the next-stage.
The command is designed to download and execute a PowerShell script hosted on an adversary-controlled SharePoint server. The newly downloaded PowerShell checks if it’s being run within a sandboxed environment before proceeding to download the Python interpreter (“pythonw.exe”), if it’s not already present in the system.
The next step involves fetching and executing a Python script from the same SharePoint location that serves as a shellcode loader for KaynLdr, a reflective loader written in C and ASM that’s capable of launching an embedded DLL, in this the Havoc Demon agent on the infected host.
“The threat actor uses Havoc in conjunction with the MicrosoQ Graph API to conceal C2 communication within well-known services,” Fortinet said, adding the framework supports features to gather information, perform file operations, as well as carry out command and payload execution, token manipulation, and Kerberos attacks.
The development comes as Malwarebytes revealed that threat actors are continuing to exploit a known loophole in Google Ads policies to target PayPal customers with bogus ads served via advertiser accounts that may have been compromised.
The ads seek to trick victims searching for assistance related to account issues or payment concerns into calling a fraudulent number that likely ends with them handing over their personal and financial information.
“A weakness within Google’s policies for landing pages (also known as final URLs), allows anyone to impersonate popular websites so long as the landing page and display URL (the webpage shown in an ad) share the same domain,” Jérôme Segura, senior director of research at Malwarebytes, said.
“Tech support scammers are like vultures circling above the most popular Google search terms, especially when it comes to any kind of online assistance or customer service.”