Cybersecurity researchers have uncovered a new phishing campaign that uses the ClickFix social engineering tactic to deliver malware and grant attackers remote access to compromised devices. Discovered by Fortinet's FortiGuard Labs, the campaign deploys the Havoc post-exploitation framework, allowing attackers to control infected systems.
ClickFix, a tactic that surfaced last year, involves fake error messages that trick victims into running malicious PowerShell commands. In the observed campaign, attackers send phishing emails with a "restricted notice" and a 'Documents.html' attachment.
When opened, the HTML file shows a fake error message about a failed OneDrive connection, urging the user to update the DNS cache. Clicking the "How to fix" button copies a malicious PowerShell command to the clipboard, which, when pasted into a command prompt, executes a script hosted on a SharePoint server.
The script first checks whether it is running in a sandbox and stops if it is, to avoid analysis. Otherwise it alters the Windows Registry and installs Python if it is not already present. The script then downloads and installs the Havoc framework, allowing attackers to control the system and move laterally within the network.
Havoc communicates with the attacker's infrastructure through Microsoft's Graph API, disguising malicious traffic as legitimate cloud service communications.
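The chain described above leaves a recognisable footprint in process-creation telemetry: PowerShell started from an interactive parent (the Run dialog or a command prompt, where the victim pastes the clipboard content), a command line that fetches a remote script from sharepoint.com, and a follow-on Python runtime or installer. The triage below is an added example, not code from Fortinet or the article; the event records are constructed Sysmon-style data and the field names are assumptions.

```python
"""Triage constructed process-creation events for ClickFix-style PowerShell launches."""
import re

# Parents that indicate a human pasted the command (Run dialog / cmd prompt) rather than a script.
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe"}
REMOTE_FETCH = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
SHAREPOINT_HOST = re.compile(r"sharepoint\.com", re.IGNORECASE)

# Constructed sample events (assumed Sysmon EID 1-like fields; not real telemetry).
SAMPLE_EVENTS = [
    # Benign: scheduled maintenance script, non-interactive parent, no remote fetch.
    {"pid": 2200, "ppid": 900, "parent": "svchost.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\Scripts\\cleanup.ps1"},
    # Suspicious: pasted into a command prompt, pulls a script from SharePoint.
    {"pid": 4120, "ppid": 1188, "parent": "cmd.exe", "image": "powershell.exe",
     "cmdline": 'powershell.exe -Command "<pasted one-liner that runs '
                'https://example.sharepoint.com/sites/x/fix.ps1>"'},
    # Follow-on: the same PowerShell process installs a Python runtime.
    {"pid": 4388, "ppid": 4120, "parent": "powershell.exe", "image": "python.exe",
     "cmdline": "python.exe -m pip install --user requests"},
]


def triage(events):
    """Return [(pid, reasons)] for PowerShell launches matching two or more ClickFix traits."""
    children = {}  # ppid -> images it spawned, to spot the Python installation step
    for e in events:
        children.setdefault(e["ppid"], []).append(e["image"].lower())
    findings = []
    for e in events:
        if e["image"].lower() not in ("powershell.exe", "pwsh.exe"):
            continue
        reasons = []
        if e["parent"].lower() in INTERACTIVE_PARENTS:
            reasons.append("launched from an interactive shell or Run dialog")
        if REMOTE_FETCH.search(e["cmdline"]):
            reasons.append("command line fetches a remote script")
        if SHAREPOINT_HOST.search(e["cmdline"]):
            reasons.append("script is hosted on sharepoint.com")
        if any(c.startswith("python") or c == "msiexec.exe" for c in children.get(e["pid"], [])):
            reasons.append("spawned a Python runtime or installer")
        if len(reasons) >= 2:  # one trait alone is common in legitimate admin activity
            findings.append((e["pid"], reasons))
    return findings


if __name__ == "__main__":
    for pid, reasons in triage(SAMPLE_EVENTS):
        print(pid, "->", "; ".join(reasons))
```

Pair this with Graph API egress from hosts that do not normally talk to it, since the page notes Havoc hides its command-and-control traffic there.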