RevengeHotels Exploits AI to Deploy VenomRAT Against Windows Users

Since its emergence in 2015, the cybercriminal group known as RevengeHotels has been targeting the hospitality sector with increasing sophistication. Initially deploying custom Remote Access Trojans (RATs) like RevengeRAT and NanoCoreRAT through phishing campaigns aimed at hotel front-desk systems, the group has now escalated its tactics by integrating artificial intelligence (AI) into its attack mechanisms.

Evolution of Attack Strategies

In recent operations, RevengeHotels has shifted to delivering VenomRAT—a more advanced malware—using dynamically generated JavaScript loaders and PowerShell scripts. These loaders exhibit a level of sophistication akin to professional software development, featuring detailed comments and variable placeholders indicative of automated code generation. This suggests the utilization of large language models to craft these malicious scripts, enhancing their effectiveness and evasion capabilities.

Targeted Regions and Phishing Techniques

The group’s recent focus has been on Brazilian hospitality networks, with an expansion into Spanish-speaking markets in Latin America. Their phishing emails are meticulously crafted to appear as overdue invoice notifications or fraudulent job applications, compelling recipients to visit malicious websites. These sites host scripts named in a rotating Fat{NUMBER}.js format—Fat translating to invoice in Portuguese—which initiate the malware download process.

Infection Chain and AI Integration

Upon execution, the JavaScript loader decodes an obfuscated buffer and writes a PowerShell script to disk with a timestamped filename. This method ensures each instance is unique, complicating detection by traditional signature-based security systems. The PowerShell script then retrieves two Base64-encoded payloads—venumentrada.txt and runpe.txt—from remote servers. The first acts as a lightweight loader, while the second executes the VenomRAT payload directly in memory, avoiding the need to write the final executable to disk.
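As an added illustration of how a defender could hunt for the chain just described (example code written for this article, not tooling from the article or from any researcher), the following Python scans constructed proxy and EDR events for the three stages and flags a host that shows more than one of them. The pipe-delimited event layout, the hostnames and the 14-digit timestamp format of the dropped .ps1 are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not real traffic): one event per line,
# fields separated by '|': timestamp|host|event_type|process|value
SAMPLE_EVENTS = """\
2024-05-02T09:14:01|FRONTDESK-01|web|chrome.exe|http://invoice-example.test/docs/Fat2093.js
2024-05-02T09:14:07|FRONTDESK-01|file|wscript.exe|C:\\Users\\hotel\\AppData\\Local\\Temp\\20240502091407.ps1
2024-05-02T09:14:12|FRONTDESK-01|web|powershell.exe|http://cdn-example.test/venumentrada.txt
2024-05-02T09:14:13|FRONTDESK-01|web|powershell.exe|http://cdn-example.test/runpe.txt
2024-05-02T10:02:44|RESERV-07|web|chrome.exe|http://vendor-example.test/app/main.js
2024-05-02T10:03:10|RESERV-07|file|explorer.exe|C:\\Users\\hotel\\Documents\\report.ps1
"""

# Indicators from the article: rotating Fat{NUMBER}.js loader names and the
# two Base64 payload names fetched by the PowerShell stage.
LOADER_NAME = re.compile(r"/Fat\d+\.js$", re.IGNORECASE)
PAYLOAD_NAMES = re.compile(r"/(venumentrada|runpe)\.txt$", re.IGNORECASE)
# Timestamped PowerShell filename: assumed to be 14 digits (YYYYMMDDhhmmss) + .ps1
TIMESTAMPED_PS1 = re.compile(r"\\\d{14}\.ps1$")
# Windows script hosts that would run the JavaScript loader
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def classify(event):
    """Return the infection-chain stage an event matches, or None."""
    _ts, _host, kind, proc, value = event.split("|", 4)
    if kind == "web" and LOADER_NAME.search(value):
        return "js_loader_download"
    if kind == "file" and proc.lower() in SCRIPT_HOSTS and TIMESTAMPED_PS1.search(value):
        return "timestamped_ps1_dropped"
    if kind == "web" and proc.lower() == "powershell.exe" and PAYLOAD_NAMES.search(value):
        return "payload_fetch"
    return None


def scan(log_text):
    """Collect matched stages per host; hosts with two or more distinct stages are flagged."""
    stages = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stage = classify(line)
        if stage:
            stages[line.split("|")[1]].add(stage)
    return {host: sorted(found) for host, found in stages.items() if len(found) >= 2}


if __name__ == "__main__":
    for host, found in scan(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(found)}")
```

Requiring two correlated stages per host keeps a single legitimate .ps1 write or an unrelated .js download from raising an alert on its own.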

The use of AI-generated code in these loaders marks a significant evolution from the group’s previous manual obfuscation efforts. The generated code is not only more coherent but also includes detailed comments and variable placeholders, indicating a high level of automation and sophistication.

VenomRAT Capabilities

VenomRAT is an enhancement of the open-source QuasarRAT, augmented with features such as hidden desktop (HVNC) capabilities, file-stealing modules, and User Account Control (UAC) bypass techniques. Its configuration data is encrypted using AES-CBC and authenticated via HMAC-SHA256, employing distinct keys for decryption and integrity verification. Networking routines serialize action-specific packets, compress them with LZMA, and encrypt them with AES-128 before transmission to the command-and-control server.

A notable feature of VenomRAT is its integration of ngrok-based tunneling, which exposes Remote Desktop Protocol (RDP) and Virtual Network Computing (VNC) services. This enhances remote access capabilities, even through Network Address Translation (NAT) or firewall constraints, making it a potent tool for cybercriminals.

Implications for Cybersecurity

The incorporation of AI into RevengeHotels’ attack strategies underscores a broader trend in cybercrime: the leveraging of advanced technologies to enhance the effectiveness and stealth of attacks. This development poses significant challenges for cybersecurity professionals, as traditional detection methods may be insufficient against such sophisticated threats.

Organizations, particularly those in the hospitality sector, must adopt proactive security measures, including:

– Employee Training: Educating staff to recognize and report phishing attempts.

– Advanced Threat Detection: Implementing behavior-based detection systems capable of identifying anomalous activities indicative of AI-generated attacks.

– Regular Security Audits: Conducting frequent assessments to identify and mitigate vulnerabilities within the network.

By staying informed about evolving cyber threats and adopting comprehensive security strategies, organizations can better protect themselves against sophisticated attacks like those orchestrated by RevengeHotels.