Full Report
A newly uncovered ClickFix phishing campaign is tricking victims into executing malicious PowerShell commands that deploy the Havoc post-exploitation framework for remote access to compromised devices. [...]
Analysis Summary
# Tool/Technique: Havoc C2 Framework
## Overview
Havoc is an open-source post-exploitation Command and Control (C2) framework, functionally similar to Cobalt Strike. In the context of the ClickFix attack campaign, it is being used as the final payload to gain remote control over compromised devices after initial execution via malicious PowerShell scripts hosted on Microsoft SharePoint.
## Technical Details
- Type: Tool (Post-Exploitation Framework)
- Platform: Windows (Inferred, as the initial stages involve PowerShell and common Windows hygiene checks)
- Capabilities: Remote control of compromised endpoints, C2 communication, lateral movement capabilities, and deployment via injected DLLs.
- First Seen: Not specified in the text, but its use in this context is recent.
## MITRE ATT&CK Mapping
- **TA0011 - Command and Control**
  - T1071 - Application Layer Protocol
    - T1071.001 - Web Protocols (Inferred, as traffic is allegedly blended using Microsoft Graph API)
- **TA0005 - Defense Evasion**
  - T1027 - Obfuscated Files or Information (Inferred, as deployment is often executed via injected DLLs)
- **TA0002 - Execution**
  - T1059 - Command and Scripting Interpreter
    - T1059.001 - PowerShell (Used in the initial deployment stage leading to Havoc execution)
## Functionality
### Core Capabilities
- Operates as a C2 framework to maintain persistence and control over compromised systems.
- Deployed onto the target system as an injected DLL via a Python script executed after initial PowerShell stages.
### Advanced Features
- Configured to communicate back to the threat actor using **Microsoft's Graph API**, embedding malicious traffic within legitimate cloud service communications to evade detection.
- Utilizes SharePoint APIs on Microsoft Graph to send and receive commands, leveraging the cloud provider's infrastructure for C2 exchange.
## Indicators of Compromise
- File Hashes: [Not provided in the text]
- File Names: [Not provided in the text]
- Registry Keys: Modification of the Windows Registry to add a value indicating the initial script was run.
- Network Indicators: Communication pathways utilizing Microsoft Graph API and associated SharePoint APIs. (Defanged examples placeholders: `hxxps://graph.microsoft.com/`, `hxxps://[sharepoint_site]/`)
- Behavioral Indicators: Successful installation of a Python interpreter if not present; deployment of a payload as an injected DLL; C2 beaconing tailored to mimic Graph API traffic.
## Associated Threat Actors
- Threat actors utilizing the "ClickFix" attack vector (specific group name not provided in the text, but associated with deploying various malware including infostealers and DarkGate).
## Detection Methods
- Signature-based detection: Signatures targeting the specific DLL payload or known Havoc configuration beacons.
- Behavioral detection: Monitoring for unusual execution chains starting from malicious PowerShell scripts, subsequent installation of Python, and subsequent DLL injection activities indicative of post-exploitation frameworks.
- YARA rules: Rules targeting known Havoc components or specific string patterns related to the framework deployment.
## Mitigation Strategies
- Endpoint protection monitoring for unusual PowerShell executions originating from user-initiated lures such as the ClickFix deployment.
- Strict application controls to prevent the execution of downloaded scripts or interpreters (like Python) in unexpected contexts.
- Monitoring outbound network traffic for anomalous communication patterns targeting Microsoft Graph API endpoints, particularly if the traffic payload structure is suspicious or does not align with expected Microsoft Graph API usage.
- Hardening SharePoint environments to prevent uploading and serving malicious attachments or scripts.
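The behavioral-detection and Graph API monitoring points above can be turned into a concrete check. The following is an added example, not part of the report: it runs over constructed endpoint network telemetry (Sysmon Event ID 3 style records with the requesting process attached) and flags two signals, a non-baseline process calling `graph.microsoft.com` and low-jitter request cadence against SharePoint paths on Graph. The baseline client list, field layout and sample records are assumptions for illustration.

```python
"""Flag suspicious Microsoft Graph API traffic in endpoint network telemetry.
Added example: records are constructed 'ISO-time|host|process|destination|url-path'
lines; the expected-client baseline is assumed, not taken from the report."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Processes normally expected to call Graph in this environment (assumed baseline).
EXPECTED_GRAPH_CLIENTS = {"outlook.exe", "teams.exe", "onedrive.exe", "msedge.exe"}

def parse_event(line):
    """Split one telemetry line into a dict with a parsed timestamp."""
    ts, host, proc, dest, path = line.strip().split("|")
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "proc": proc.lower(), "dest": dest.lower(), "path": path}

def flag_unexpected_process(events):
    """Signal 1: Graph requests from a process outside the expected baseline."""
    return sorted({(e["host"], e["proc"]) for e in events
                   if e["dest"] == "graph.microsoft.com"
                   and e["proc"] not in EXPECTED_GRAPH_CLIENTS})

def flag_beaconing(events, min_requests=4, max_jitter=0.15):
    """Signal 2: per (host, process), SharePoint-path requests whose inter-arrival
    times have a coefficient of variation below max_jitter (machine-like cadence)."""
    series = defaultdict(list)
    for e in events:
        if e["dest"] == "graph.microsoft.com" and e["path"].startswith("/v1.0/sites/"):
            series[(e["host"], e["proc"])].append(e["ts"])
    hits = []
    for key, stamps in series.items():
        stamps.sort()
        if len(stamps) < min_requests:
            continue  # too few requests to judge cadence
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        cv = pstdev(gaps) / mean(gaps) if mean(gaps) > 0 else 0.0
        if cv < max_jitter:
            hits.append((*key, round(mean(gaps), 1)))
    return hits

# Constructed sample telemetry: a normal Outlook sync and a python.exe poll every ~60s.
SAMPLE_EVENTS = """\
2025-03-01T09:00:05|WS01|outlook.exe|graph.microsoft.com|/v1.0/me/messages
2025-03-01T09:02:40|WS01|outlook.exe|graph.microsoft.com|/v1.0/me/events
2025-03-01T09:00:00|WS07|python.exe|graph.microsoft.com|/v1.0/sites/root/drive/root:/tasks
2025-03-01T09:01:01|WS07|python.exe|graph.microsoft.com|/v1.0/sites/root/drive/root:/tasks
2025-03-01T09:02:00|WS07|python.exe|graph.microsoft.com|/v1.0/sites/root/drive/root:/tasks
2025-03-01T09:03:02|WS07|python.exe|graph.microsoft.com|/v1.0/sites/root/drive/root:/tasks
2025-03-01T09:04:00|WS07|python.exe|graph.microsoft.com|/v1.0/sites/root/drive/root:/tasks""".splitlines()

if __name__ == "__main__":
    evs = [parse_event(l) for l in SAMPLE_EVENTS]
    print(flag_unexpected_process(evs))  # [('WS07', 'python.exe')]
    print(flag_beaconing(evs))           # [('WS07', 'python.exe', 60.0)]
```

Both signals are weak on their own (legitimate automation also calls Graph on a schedule); correlating them with the report's process-chain indicators (PowerShell spawning a Python install, then DLL injection) is what makes the alert actionable.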
## Related Tools/Techniques
- Cobalt Strike (Explicitly mentioned as a similar framework)
- PowerShell (Used as the initial execution vector for the payload chain)
- DarkGate (Other malware deployed via ClickFix campaigns)
- Infostealers (Other malware deployed via ClickFix campaigns)