
Just a sample of the Echomail archive

Cooperative anarchy at its finest, still active today. Darkrealms is the Zone 1 Hub.

   CONSPRCY      How big is your tinfoil hat?      2,445 messages   


   Message 615 of 2,445   
   Mike Powell to All   
   MS SharePoint hijacked to   
   04 Mar 25 19:05:00   
   
   TZUTC: -0500   
   MSGID: 329.consprcy@1:2320/105 2c2ccf71   
   PID: Synchronet 3.20a-Linux master/acc19483f Apr 26 202 GCC 12.2.0   
   TID: SBBSecho 3.20-Linux master/acc19483f Apr 26 2024 23:04 GCC 12.2.0   
   BBSID: CAPCITY2   
   CHRS: ASCII 1   
   Microsoft SharePoint hijacked to spread Havoc malware   
      
   Date:   
   Tue, 04 Mar 2025 14:23:00 +0000   
      
   Description:   
   Fake OneDrive errors are being used in brand new malware campaign   
      
   FULL STORY   
   ======================================================================   
    - Security researchers spotted a new ClickFix campaign
    - The goal is to deploy the Havoc post-exploitation framework   
    - The framework is hosted on a Microsoft SharePoint account   
      
   Hackers have been seen abusing Microsoft SharePoint to distribute the Havoc   
   post-exploitation framework in a new ClickFix phishing attack.    
      
   Cybersecurity researchers Fortiguard Labs, who have been tracking the
   campaign since last year, highlighted how ClickFix is a type of scam we've
   probably all encountered at least once. Cybercriminals would hijack a
   website, and create an overlay that displays a fake error message (for
   example: "Your browser is outdated, and to view the contents of the webpage,
   you need to update it"). That fake message would prompt the victim into
   action, which usually concludes by downloading and running malware, or
   sharing sensitive information such as passwords or banking data.
      
   This campaign is similar, although it requires a bit more activity from the
   victim's side. The attack chain starts with a phishing email, carrying a
   "restricted notice" as a .HTML attachment. Running the attachment displays a
   fake error that says "Failed to connect to OneDrive - update the DNS cache
   manually". The page also has a "How to fix" button that copies a PowerShell
   command to the Windows clipboard, and then displays a message on how to paste
   and run it.
      
   Rising threat of ClickFix    
      
   Running this script then runs a second one, hosted on the attacker's
   SharePoint server which, in turn, downloads a Python script that deploys the
   Havoc post-exploitation framework as a .DLL file.
      
   Havoc is a post-exploitation framework designed for advanced red teaming and   
   adversary simulation, providing modular capabilities for stealthy command and   
   control (C2) operations. It offers features like in-memory execution,   
   encrypted communication, and evasion techniques to bypass modern security   
   defenses.    
      
   ClickFix has gotten insanely popular in these last couple of months. In late   
   October last year, a new malware variant was observed compromising thousands   
   of WordPress websites, installing a malicious plugin that would serve the   
   ClickFix attack.    
      
   Just a few weeks prior, researchers saw fake broken Google Meet calls, which   
   was also a variant of the ClickFix attack.    
      
    Via BleepingComputer   
      
   ======================================================================   
   Link to news story:   
   https://www.techradar.com/pro/security/microsoft-sharepoint-hijacked-to-spread-havoc-malware
      
   $$   
   --- SBBSecho 3.20-Linux   
    * Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)   
   SEEN-BY: 105/81 106/201 128/187 129/305 153/7715 154/110 218/700 226/30   
   SEEN-BY: 227/114 229/110 111 114 206 300 307 317 400 426 428 470 664   
   SEEN-BY: 229/700 705 266/512 291/111 320/219 322/757 342/200 396/45   
   SEEN-BY: 460/58 712/848 902/26 2320/0 105 3634/12 5075/35   
   PATH: 2320/105 229/426   
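
A defender's static triage for the kind of HTML attachment this message describes, as an added example that is not part of the original post or of the researchers' report. It flags script that writes to the clipboard, shell commands in script (including base64-encoded literals, an assumption that goes beyond what the article states), and paste-and-run wording; the indicator names, regexes, the Win+R/Ctrl+V wording and both samples are constructed for illustration.

```python
import base64, re
from html.parser import HTMLParser

CLIPBOARD = re.compile(r"clipboard\.writeText|execCommand\(\s*['\"]copy", re.I)
SHELL = re.compile(r"\b(powershell|pwsh|invoke-expression|invoke-webrequest|mshta)\b", re.I)
PASTE_RUN = re.compile(r"win(dows)?\s*\+\s*r|ctrl\s*\+\s*v", re.I)  # assumed lure wording
B64 = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")

class Split(HTMLParser):
    """Separate script source (script tags, on* handlers) from visible text."""
    def __init__(self):
        super().__init__()
        self.in_script, self.js, self.text = False, [], []
    def handle_starttag(self, tag, attrs):
        self.in_script = tag == "script"
        self.js += [v for k, v in attrs if k.startswith("on") and v]
    def handle_endtag(self, tag):
        self.in_script = False
    def handle_data(self, data):
        (self.js if self.in_script else self.text).append(data)

def decoded(js):
    """Yield text hidden in base64 literals (UTF-8, or UTF-16LE as PowerShell uses)."""
    for blob in B64.findall(js):
        try:
            raw = base64.b64decode(blob, validate=True)
        except ValueError:  # long token that is not valid base64 after all
            continue
        for enc in ("utf-8", "utf-16-le"):
            yield raw.decode(enc, errors="ignore")

def triage(html):
    """Return the sorted ClickFix indicators found in one HTML attachment."""
    p = Split()
    p.feed(html)
    js, text = "\n".join(p.js), " ".join(p.text)
    checks = {
        "clipboard-write": CLIPBOARD.search(js),
        "shell-command": SHELL.search(js) or any(SHELL.search(d) for d in decoded(js)),
        "paste-and-run-text": PASTE_RUN.search(text),
    }
    return sorted(name for name, hit in checks.items() if hit)

# Constructed samples, not taken from the campaign; the command is a harmless echo.
CMD = base64.b64encode(b'powershell -Command "Write-Output constructed"').decode()
LURE = ('<p>Failed to connect to OneDrive</p><button onclick="fix()">How to fix</button>'
        '<script>function fix(){navigator.clipboard.writeText(atob("' + CMD + '"))}</script>'
        '<p>Press Win+R, then Ctrl+V</p>')
BENIGN = '<button onclick="navigator.clipboard.writeText(location.href)">Copy link</button>'
```

A clipboard write alone is common on legitimate pages (the `BENIGN` sample), so a mail filter would act only when it appears together with a shell command or paste-and-run text.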
      
