A newly uncovered ClickFix phishing campaign is tricking victims into executing malicious PowerShell commands that deploy the Havok post-exploitation framework for remote access to compromised devices. Threat actors have also begun to evolve the technique to use them on social media platforms like Telegram, where a fake identity verification service named 'Safeguard' was used to trick users into running PowerShell commands that install a Cobalt Strike beacon. However, as expected, the malicious PowerShell command will instead execute a script hosted on a remote site that downloads and installs malware on the devices. In a new ClickFix campaign discovered by Fortinet's Fortiguard Labs, threat actors are sending phishing emails stating that a "restricted notice" is available to review and that recipients should open the attached HTML document ('Documents.html') to view it. Clicking the button will copy a malicious PowerShell command into the Windows clipboard, which users are then prompted to paste into a command prompt to "fix" the error. ClickFix is a social-engineering tactic that emerged last year, where threat actors create websites or phishing attachments that display fake errors and then prompt the user to click a button to fix them. Finally, a Python script is downloaded from the same SharePoint site and executed to deploy the Havok post-exploitation command and control framework as an injected DLL. This PowerShell command will attempt to launch another PowerShell script hosted on the threat actor's SharePoint server. Clicking the "How to fix" button will automatically copy a PowerShell command to the Windows clipboard and then display instructions on how to execute it. In this campaign, Havok is configured to communicate back to the threat actor's services through Microsoft's Graph API, embedding malicious traffic within legitimate cloud services. Threat actors commonly use post-exploitation frameworks like Havoc to breach corporate networks and then spread laterally to other devices on the network. When opened, the HTML displays a fake 0x8004de86 error, stating that it "Failed to connect to the "One Drive" cloud service" and that users must fix the error by updating the DNS cache manually. Havoc is an open-source post-exploitation framework similar to Cobalt Strike, allowing attackers to remotely control compromised devices. ClickFix attacks have become increasingly popular among cybercriminals, who use them to deploy a wide variety of malware, including infostealers, DarkGate, and remote access trojans. Lawrence Abrams Lawrence Abrams is the owner and Editor in Chief of BleepingComputer.com. Lawrence's area of expertise includes Windows, malware removal, and computer forensics.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Mon, 03 Mar 2025 17:35:28 +0000