Havoc: SharePoint with Microsoft Graph API turns into FUD C2
March 4, 2025, 9:34 a.m.
Description
A phishing campaign combines ClickFix social engineering with multi-stage malware to deploy a modified Havoc Demon agent. The attack starts with an HTML attachment that uses ClickFix to deceive users into executing malicious PowerShell commands. Subsequent malware stages are hosted on SharePoint sites, and a modified Havoc Demon routes its C2 communications through the Microsoft Graph API so that traffic blends in with legitimate Microsoft 365 activity. The attack chain includes sandbox evasion checks, a Python shellcode loader, KaynLdr for reflective DLL loading, and a customized Havoc Demon DLL. The threat actor creates two files in SharePoint for C2 communication, encrypts the exchanged data with AES-256, and supports a range of malicious commands. This campaign demonstrates how public cloud services can be combined with modified open-source tooling to evade detection.
Tags
Date
- Created: March 3, 2025, 6:02 p.m.
- Published: March 3, 2025, 6:02 p.m.
- Modified: March 4, 2025, 9:34 a.m.
Indicators
- a5210aaa9eb51e866d9c2ef17f55c0526732eacb1a412b910394b6b51246b7da
- cc151456cf7df7ff43113e5f82c4ce89434ab40e68cd6fb362e4ae4f70ce65b3
- 51796effe230d9eca8ec33eb17de9c27e9e96ab52e788e3a9965528be2902330
- 989f58c86343704f143c0d9e16893fad98843b932740b113e8b2f8376859d2dd
- hao771.sharepoint.com
Attack Patterns
- KaynLdr
- Havoc
- T1021.002
- T1021.001
- T1059.006
- T1059.001
- T1012
- T1071.001
- T1016
- T1518
- T1082
- T1057
- T1566.001
- T1083
- T1134
- T1140
- T1033
- T1027
- T1053
- T1558