What's Happening?
Cybersecurity researchers have identified a new campaign, named PHALT#BLYX, targeting the European hospitality sector. The campaign uses phishing emails that impersonate Booking.com to trick hotel staff into executing malicious PowerShell commands. The emails claim to notify recipients of an unexpected reservation cancellation and direct them to a fake website. This site masquerades as Booking.com and walks users through a series of steps that ultimately deploy a remote access trojan known as DCRat. The attack chain begins with a phishing email containing a link to the fake website, which then redirects users to a bogus blue screen of death (BSoD) page. This page instructs users to execute a command that downloads and runs a payload; the payload configures Microsoft Defender Antivirus exclusions and establishes persistence on the host. The campaign leverages living-off-the-land techniques, using trusted system binaries such as MSBuild.exe to evade detection and maintain a foothold in compromised systems.
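The two host-level behaviours the summary describes, Defender exclusions being added and MSBuild.exe being launched from PowerShell, are both visible in ordinary Windows telemetry. The following is an added detection sketch, not code from the researchers' report or from the campaign itself. It runs rules over a handful of constructed Sysmon process-creation (Event ID 1) and Defender configuration-change (Event ID 5007) records embedded inline; the record layout is a simplified dictionary form, and the list of parents from which MSBuild.exe is expected to run is an assumed tuning list, not something the report states.

```python
"""Detection sketch for the PHALT#BLYX host behaviours described above.

Added example; the log records below are constructed for illustration and
are not real telemetry from any incident.
"""
from __future__ import annotations

import re
from typing import Iterable

# Case-insensitive because PowerShell cmdlet names and Windows paths are.
DEFENDER_EXCLUSION_RE = re.compile(
    r"\bAdd-MpPreference\b[^\r\n]*-Exclusion(?:Path|Process|Extension)", re.IGNORECASE
)
POWERSHELL_RE = re.compile(r"\\(?:powershell|pwsh)\.exe$", re.IGNORECASE)
MSBUILD_RE = re.compile(r"\\MSBuild\.exe$", re.IGNORECASE)

# Assumed allow-list: parents from which MSBuild.exe is normally launched.
# A real deployment would derive this from a baseline of the environment.
MSBUILD_EXPECTED_PARENTS = {"devenv.exe", "dotnet.exe"}

# Constructed sample records in a simplified, flattened form.
SAMPLE_EVENTS = [
    {"id": "e1", "source": "sysmon", "event_id": 1,
     "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "notepad.exe"},
    {"id": "e2", "source": "sysmon", "event_id": 1,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'powershell.exe -Command "Add-MpPreference -ExclusionPath C:\Users\Public"'},
    {"id": "e3", "source": "sysmon", "event_id": 1,
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"MSBuild.exe C:\Users\Public\project.xml"},
    {"id": "e4", "source": "sysmon", "event_id": 1,
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "parent_image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
     "command_line": r"MSBuild.exe C:\src\app\app.csproj"},
    {"id": "e5", "source": "defender", "event_id": 5007,
     "message": (r"Microsoft Defender Antivirus configuration has changed. New value: "
                 r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Public = 0x0")},
]


def evaluate(event: dict) -> list[str]:
    """Return the names of every rule the record matches (empty list if benign)."""
    findings: list[str] = []
    if event.get("source") == "sysmon" and event.get("event_id") == 1:
        cmd = event.get("command_line", "")
        image = event.get("image", "")
        parent = event.get("parent_image", "")
        # Rule 1: an exclusion being added from a command line.
        if DEFENDER_EXCLUSION_RE.search(cmd):
            findings.append("defender_exclusion_added_via_cmdline")
        # Rule 2: MSBuild.exe launched from an unusual parent, PowerShell in particular.
        if MSBUILD_RE.search(image):
            parent_name = parent.rsplit("\\", 1)[-1].lower()
            if POWERSHELL_RE.search(parent):
                findings.append("msbuild_spawned_by_powershell")
            elif parent_name not in MSBUILD_EXPECTED_PARENTS:
                findings.append("msbuild_unexpected_parent")
    elif event.get("source") == "defender" and event.get("event_id") == 5007:
        # Rule 3: Defender reports that its exclusion configuration changed.
        # This catches exclusions added by any means, not only via PowerShell.
        if "Exclusions" in event.get("message", ""):
            findings.append("defender_exclusion_config_changed")
    return findings


def scan(events: Iterable[dict]) -> list[tuple[str, str]]:
    """Return (record id, finding) pairs for every record that matched a rule."""
    return [(ev["id"], finding) for ev in events for finding in evaluate(ev)]


if __name__ == "__main__":
    for record_id, finding in scan(SAMPLE_EVENTS):
        print(f"{record_id}: {finding}")
```

Rule 3 is the important one to keep alongside rule 1: a command-line match only fires when the exclusion is set through a visible PowerShell invocation, whereas the Defender 5007 event records the configuration change itself, so it still fires if the payload reaches the same registry keys by another route. Record e4 shows the reason for the parent allow-list: MSBuild.exe launched by Visual Studio is routine developer activity and should not page anyone.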
Why Is It Important?
This campaign highlights the evolving tactics of cybercriminals who exploit trusted system processes to bypass security measures. By targeting the hospitality sector, the attackers aim to compromise sensitive information and potentially disrupt operations. The use of DCRat, a versatile trojan, allows attackers to log keystrokes, execute arbitrary commands, and deploy additional payloads, posing significant risks to affected organizations. The campaign's focus on European targets, as indicated by the use of Euros in phishing emails, underscores the global nature of cybersecurity threats. The involvement of Russian threat actors, suggested by the use of the Russian language in the attack's code, further emphasizes the international dimension of cybercrime.
What's Next?
Organizations in the hospitality sector and beyond must remain vigilant against such sophisticated phishing attacks. Implementing robust cybersecurity measures, including employee training and advanced threat detection systems, is crucial to mitigating the risk of such intrusions. As cybercriminals continue to refine their techniques, businesses must adapt their defenses to protect sensitive data and maintain operational integrity. Collaboration between cybersecurity firms and affected industries will be essential in identifying and neutralizing emerging threats.