CYBERNEWSMEDIA Network:||
CYBERNEWSMEDIA
CYBERNEWSMEDIA

Cybersecurity News, Insights & Analysis

Latest
TrueConf Zero-Day Exploited in Asian Government Attacks
In Other News: ChatGPT Data Leak, Android Rootkit, Water Facility Hit by Ransomware
Critical ShareFile Flaws Lead to Unauthenticated RCE
Mobile Attack Surface Expands as Enterprises Lose Control
React2Shell Exploited in Large-Scale Credential Harvesting Campaign
AD · 970×250

Malware & Threats

Sophisticated ClickFix Campaign Targeting Hospitality Sector

Fake Booking reservation cancellations and fake BSODs trick victims into executing malicious code leading to RAT infections. The post Sophisticated ClickFix Campaign Targeting Hospitality Sector appeared first on SecurityWeek.

Windows security

Securonix warns of a stealthy and sophisticated ClickFix campaign targeting the hospitality sector for remote access trojan (RAT) deployment.

The attacks start with a phishing email containing a fake Booking.com reservation cancellation lure, with a link to an impersonating website that displays a fake CAPTCHA.

Once the victim clicks on the phishing link and lands on the fake website, they are served a deceptive CAPTCHA-style browser error that leads to a fake Blue Screen of Death (BSOD) animation.

The phishing emails used in the campaign, dubbed PHALT#BLYX, contain room charge details in euros, suggesting the threat actors behind it, likely of Russian origin, are actively targeting organizations in Europe, Securonix says.

To ensure the victims click on the malicious links within the email body, the attackers included mention of a charge/refund of over €1,000 (~$1,170) and a request for assistance.

Once the victim accesses the link, a browser error is displayed, and they are prompted to click a ‘reload page’ button, which triggers the ClickFix attack: the browser’s window enters full-screen mode and the fake BSOD image is displayed.

The fake screen instructs the victim to press several key combinations leading to the execution of PowerShell commands that download a malicious MSBuild project file.

The infection chain continues with MSBuild compiling and executing the payload within the project file, which results in Windows Defender being disabled, persistence being achieved, and a customized version of the DCRat RAT being executed.

Upon execution, the payload within the project file checks the privileges of the current user and, if administrative privileges are missing, it attempts execution with high privileges using User Account Control (UAC) spam.

The final payload, a .NET executable, appears to be a variant of DCRat, a known fork of AscynRAT, designed with a high degree of resilience and operational security.

“The malware’s ability to randomize connection points and potentially leverage dead-drop resolvers like Pastebin indicates a botnet infrastructure designed to withstand individual server takedowns and maintain connectivity in hostile environments,” Securonix notes.

Related: ClickFix Attacks Against macOS Users Evolving

Related: New ClickFix Malware Variant ‘LightPerlGirl’ Targets Users in Stealthy Hack

Related: ClickFix Attack Exploits Fake Cloudflare Turnstile to Deliver Malware

Related: ClickFix Widely Adopted by Cybercriminals, APT Groups

Latest News

CYBERNEWSMEDIAPublisher