Cybersecurity investigators have uncovered a sophisticated phishing campaign leveraging the ClickFix technique to deploy Havoc, an open-source Command-and-Control (C2) framework. This attack, cleverly disguised behind a SharePoint site and utilizing Microsoft Graph API, represents a significant evolution in cyber threats.
The attackers employ a modified Havoc Demon to bypass detection and infiltrate systems stealthily. Alongside this, Google Ads exploitation has been observed, particularly targeting PayPal users with fraudulent ads leading to phishing websites.
Summary of ClickFix-Havoc Threat
| Attribute | Details |
|---|---|
| Threat Type | Phishing, C2 Malware, ClickFix Exploit |
| Associated Email Addresses | Phishing emails vary, often mimicking OneDrive/SharePoint notifications |
| Detection Names | Trojan:Win32/HavocDemon, PowerShell/TrojanClickFix, Backdoor:MSGraph-Havoc |
| Symptoms of Infection | Unusual PowerShell execution, pythonw.exe running unexpectedly, unauthorized network requests to Microsoft Graph API, suspicious SharePoint access |
| Damage | Remote access for attackers, sensitive data theft, potential for further malware deployment, system compromise |
| Distribution Methods | Phishing emails (HTML attachments), fake SharePoint links, exploited Google Ads leading to phishing sites |
| Danger Level | High, due to its stealthy C2 capabilities and advanced evasion techniques |

Remove ClickFix-Havoc Malware
With SpyHunter
Download SpyHunter now and scan your computer for this and other cybersecurity threats!
The Phishing Trap: How ClickFix Manipulates Users
The attack begins with a deceptive phishing email containing an HTML attachment named Documents.html. When opened, this file displays a fake error message, tricking the victim into manually copying and executing a PowerShell command.
This deceptive ClickFix technique manipulates users into believing they need to fix a OneDrive issue by updating their DNS cache. In reality, running the command initiates the malware infection.
How ClickFix Works
- Phishing email urges the user to open an HTML attachment.
- The document displays a fake error message, convincing the user to execute a PowerShell script.
- The script contacts an attacker-controlled SharePoint server, initiating malware deployment.
Multi-Stage Malware Deployment: PowerShell, Python, and Havoc
Once the PowerShell command runs, the malware executes in multiple stages to evade detection and deploy Havoc.
Step 1: PowerShell Execution
- The script first checks whether the system is sandboxed (to avoid analysis by security researchers).
- If the environment appears legitimate, it proceeds with further infection.
Step 2: Python-Based Shellcode Loader
- If Python is missing, the script downloads Python (“pythonw.exe”) silently.
- Another PowerShell script fetches and executes a Python-based shellcode loader.
Step 3: Deploying the Havoc Demon
- The shellcode loader executes KaynLdr, a reflective loader written in C & Assembly.
- KaynLdr launches the Havoc Demon, giving attackers full control over the system.
Havoc’s Capabilities: A Stealthy Cyber Weapon
Once deployed, Havoc acts as a powerful backdoor, allowing threat actors to control compromised machines remotely.
Havoc’s Features:
- Stealthy C2 Communications: Uses Microsoft Graph API to blend with legitimate network traffic.
- Command Execution: Runs arbitrary commands on infected systems.
- Information Gathering: Collects sensitive data, including system credentials.
- Payload Execution: Deploys additional malware without detection.
- Token Manipulation & Kerberos Attacks: Exploits authentication mechanisms to escalate privileges.
Google Ads Exploited: Targeting PayPal Users
In a parallel campaign, cybercriminals are abusing Google Ads policies to distribute fraudulent PayPal support ads.
How the Google Ads Scam Works
- Fake advertisements appear at the top of Google search results.
- These ads redirect users to phishing websites impersonating PayPal support.
- Victims are prompted to call a fake customer support number.
- Scammers extract personal & financial details, leading to bank fraud & identity theft.
Google Ads Loophole Explained
Cybercriminals bypass Google’s ad policies by ensuring that:
- The landing page domain matches the display URL.
- The ad text mimics real customer support messages.
Since these ads look legitimate, unsuspecting users click on them, thinking they’re contacting PayPal support.
How to Remove ClickFix-Havoc Malware
If you suspect your system is compromised, follow these removal steps:
Step 1: Disconnect from the Internet
Immediately disable network access to prevent further communication with the C2 server.
Step 2: End Malicious Processes
- Open Task Manager (Ctrl + Shift + Esc).
- Look for PowerShell, pythonw.exe, and any suspicious processes.
- Right-click and End Task.
Step 3: Delete Malicious Files
- Navigate to:
C:\Users\<YourUser>\AppData\Roaming\
C:\ProgramData\
- Look for suspicious PowerShell or Python files and delete them.
Step 4: Remove Persistence Mechanisms
- Open Registry Editor (Win + R, then type regedit).
- Navigate to:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
- Delete any suspicious entries.
Step 5: Scan for Malware
Run a full system scan using SpyHunter.
Step 6: Reset DNS Settings
Since ClickFix manipulates DNS, reset the settings by flushing the resolver cache:
- Open Command Prompt (Admin).
- Run:
ipconfig /flushdns
Step 7: Secure Your Accounts
If you suspect data theft, change your passwords immediately and enable multi-factor authentication (MFA).
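The triage script below is an added example, not a script from the article or from the vendor it recommends. It reports the indicators listed under Symptoms of Infection and in Steps 2 to 4 (the process names, Run keys and directories named there) without deleting anything, so the operator can review each finding before acting. The seven-day file window and the pattern used to flag Run entries are assumptions of this example.

```powershell
# Read-only triage for the ClickFix-Havoc indicators described above.
# Run from an elevated PowerShell prompt; nothing here modifies the system.
$ErrorActionPreference = 'SilentlyContinue'

# Step 2: PowerShell and pythonw.exe processes, with parent and command line,
# so a pythonw.exe spawned by PowerShell stands out immediately.
$procs = Get-CimInstance Win32_Process |
    Where-Object { $_.Name -in 'powershell.exe', 'pwsh.exe', 'pythonw.exe' }
$procs | ForEach-Object {
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($_.ParentProcessId)"
    [pscustomobject]@{
        Pid     = $_.ProcessId
        Name    = $_.Name
        Parent  = $parent.Name
        Command = $_.CommandLine
    }
} | Format-Table -AutoSize -Wrap

# Established connections owned by those processes. The campaign beacons over
# Microsoft Graph, so any remote endpoint reached by pythonw.exe deserves a look.
$pids = @($procs | ForEach-Object { $_.ProcessId })
Get-NetTCPConnection -State Established |
    Where-Object { $_.OwningProcess -in $pids } |
    Select-Object OwningProcess, RemoteAddress, RemotePort | Format-Table -AutoSize

# Step 4: Run-key persistence in both hives named in the article.
$metaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$runKeys | ForEach-Object {
    $key = $_
    $props = Get-ItemProperty -Path $key
    $props.PSObject.Properties | Where-Object { $_.Name -notin $metaProps } | ForEach-Object {
        [pscustomobject]@{
            Key        = $key
            Name       = $_.Name
            Value      = $_.Value
            # Flag pattern is an assumption: entries launching PowerShell or Python scripts.
            Suspicious = [bool]($_.Value -match 'powershell|pwsh|pythonw|\.py\b')
        }
    }
} | Format-Table -AutoSize -Wrap

# Step 3: recently written scripts and executables in the two directories listed.
# $env:APPDATA resolves to C:\Users\<YourUser>\AppData\Roaming.
Get-ChildItem -Path $env:APPDATA, $env:ProgramData -Recurse -File -Include *.ps1, *.py, *.exe |
    Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-7) } |
    Select-Object FullName, LastWriteTime | Format-Table -AutoSize
```

Review the output together with Step 6 (ipconfig /flushdns) and only then remove files or Run entries by hand, keeping copies of anything you delete for later analysis.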
Conclusion: A Rising Threat Landscape
The ClickFix-Havoc campaign is a highly deceptive phishing attack that leverages social engineering and advanced C2 techniques to compromise systems.
The Google Ads scam further highlights how cybercriminals exploit trusted platforms to deceive users.
How to Stay Safe
- Never execute PowerShell commands from emails.
- Verify URLs before entering credentials.
- Use a trusted cybersecurity solution to detect and remove threats.
If you are still having trouble, consider contacting remote technical support.
