Attackers have been targeting hotels and other hospitality organizations with a phishing campaign that uses malicious zip files purporting to include guest photos, with the aim of installing malware to achieve long-term access to compromised systems.

Both researchers at Microsoft and Trend Micro have observed the malicious activity, though they did not confirm if it was connected, according to separate reports published recently. Neither company immediately responded to a request for comment by Dark Reading about a potential link between the activities they described. 

Attackers in both campaigns use similar social engineering tactics to target the hospitality sector: they impersonate guests who have complaints or requests, and ultimately install malware to gain a foothold on systems. Both also rely on operational workflows familiar in a hospitality environment, where front-desk staff and reservation teams routinely field inquiries from guests, the researchers said. And both sets of activity exploit trusted services to lend legitimacy to phishing emails, then deliver malware through zip archives containing Windows shortcut (LNK) files disguised as images. This technique in particular has become increasingly popular among phishing attackers as Microsoft has restricted macro-based malware delivery.


Perhaps most notably, rather than deploy ransomware or reap some immediate financial reward, as many phishing attacks do, both reports also describe the operators looking to establish reliable remote access to compromised systems. This is likely so they can return later to steal credentials, move laterally, or deploy additional payloads, the researchers noted.

A Tale of Two Cyber Campaigns

Microsoft has been tracking the intrusion campaign targeting hotels and other hospitality organizations across Europe and Asia, activity that the researchers said began in at least April. Trend Micro, meanwhile, has followed similar activity that occurred in May against Booking.com partner companies, specifically in Japan.

According to Microsoft’s account, attackers sent phishing emails with themes such as guest complaints, bedbug reports, health inspections, and reservation issues. The messages often abused legitimate services, including Calendly’s email notification system and Google’s URL redirection service, “to bypass conventional authentication checks through a technique we describe as authentication laundering,” according to the post.

“By routing phishing messages through a trusted service’s sending infrastructure, the threat actor can make malicious messages appear similar to legitimate notifications to email authentication defenses,” the Microsoft researchers wrote.


Victims who click embedded links download zip archives containing photo-themed LNK files. Opening the shortcut triggers an obfuscated PowerShell infection chain that ultimately deploys a persistent Node.js implant — a legitimate runtime for executing JavaScript outside of a browser — to create multiple registry-based persistence mechanisms and establish encrypted communications with attacker-controlled infrastructure. 

Blockchain Abused as Dead Drop Resolver

Trend Micro documented a parallel campaign discovered in late May targeting Japanese accommodation providers that are partners of Booking.com. The phishing emails impersonated guest stay review requests and customer complaints, encouraging recipients to download zip archives containing malicious LNK files masquerading as photographs — a similar infection chain to the one Microsoft observed.

However, Trend Micro’s campaign differs in the malware it delivers. Though Node.js is used for obfuscation in the campaign, the ultimate payload is TONResolver, a JavaScript-based remote access Trojan (RAT). The malware gains initial access and then can both receive and execute further attacker commands, according to Trend Micro. In fact, the researchers observed evidence suggesting subsequent credential theft and additional compromise after the initial infection.


Moreover, the campaign’s use of TONResolver is notable for its command-and-control (C2) architecture: the malware retrieves its current C2 destination from a smart contract on The Open Network (TON) blockchain, abusing TON as a dead-drop resolver. This technique lets attackers hide C2 server addresses inside legitimate Web services, using obfuscated or encoded content to evade detection.

This technique is starting to gain adoption among attackers to make their C2 architecture more resilient against takedowns and law enforcement, Denis Calderone, principal and chief technology officer at Suzu Labs, tells Dark Reading.

“If the C2 server gets taken down, the attacker just updates the domain inside the smart contract and every infected machine reconnects automatically,” he says. “There’s no server to seize and no domain to sinkhole. Traditional takedown playbooks don’t work against this.”

Given that this technique also was recently seen in the Trivy supply chain attack, “It does seem that the attackers are learning from each other, and blockchain C2 is moving from novel to adopted,” Calderone adds.

Hospitality Sector Under Persistent Attack

The hospitality sector is a frequent target of phishing attacks that aim to take advantage not only of the targeted organizations themselves but also of their sizable customer base. The attacks described by Microsoft and Trend Micro demonstrate yet another way cybercriminals profit from compromising these systems, in this case by establishing long-term access that can later be abused for credential theft, lateral movement, or further payloads.

Both Microsoft and Trend included a list of indicators of compromise and recommendations to defenders in their respective reports. Microsoft advised that organizations treat photo-themed zip archives and fake image shortcuts as high-risk; harden and monitor PowerShell execution; monitor for unexpected .NET compilation; and investigate Node.js execution from user-space paths, among other mitigations.

Based on the activity its researchers observed, Trend Micro recommended that defenders deploy a proxy gateway on Internet-facing endpoints and perform connection filtering to protect against specific dead-drop resolver abuse. “Normally, the need for business environments to access blockchain platforms is considered limited,” the researchers wrote. “If such communication is unnecessary, pre-emptively implementing connectivity restrictions can sever the attack chain at an intermediate stage.”

For the hospitality sector in general, Suzu Labs’ Calderone advises security administrators to “trust little,” especially when it comes to how they secure front-desk workstations. “Restrict PowerShell and Node.js execution on front-desk and reservation systems at a minimum,” he says. “These workstations have no legitimate reason to run Node.js. If you see node.exe spawning on a reservations terminal, that’s your indicator.”
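The mitigations above (Microsoft’s advice to monitor PowerShell execution and Node.js running from user-space paths, and Calderone’s point that node.exe on a reservations terminal is itself an indicator) translate directly into process-creation detection logic. The following is an added example, not code from Microsoft, Trend Micro, or Suzu Labs, and it is not tied to the specific indicators in their reports. It runs a handful of rules over constructed Sysmon-style process-creation records; the host names, user names, paths, and the front-desk host list are assumptions for illustration, and the encoded-command value is a placeholder.

```python
"""Detection rules for the shortcut -> PowerShell -> Node.js chain described in
the article, run over constructed sample process-creation events.
All sample data below is made up for this example."""

from dataclasses import dataclass
from pathlib import PureWindowsPath
import re


@dataclass(frozen=True)
class ProcEvent:
    host: str
    user: str
    image: str          # full path of the newly created process
    parent_image: str   # full path of the parent process
    command_line: str


# Assumed inventory: workstations that have no business reason to run Node.js.
FRONT_DESK_HOSTS = {"FRONTDESK-01", "FRONTDESK-02", "RESERVATIONS-01"}

# Path fragments that indicate a user-writable location (lower-cased comparison).
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\", "\\downloads\\")

POWERSHELL_IMAGES = ("powershell.exe", "pwsh.exe")
ENCODED_FLAG = re.compile(r"(?i)(^|\s)-(e|ec|enc|encodedcommand)\b")
HIDDEN_FLAG = re.compile(r"(?i)(^|\s)-w(indowstyle)?\s+hidden\b")

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
NODE_USER = r"C:\Users\reception\AppData\Roaming\svc\node.exe"

# Constructed sample events (Sysmon Event ID 1-style fields).
SAMPLE_EVENTS = [
    ProcEvent("FRONTDESK-01", "hotel\\reception", r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\userinit.exe", "explorer.exe"),
    # A photo-themed shortcut was opened: Explorer launches hidden, encoded PowerShell.
    ProcEvent("FRONTDESK-01", "hotel\\reception", PS, r"C:\Windows\explorer.exe",
              "powershell.exe -w hidden -nop -enc UExBQ0VIT0xERVI="),   # placeholder payload
    # PowerShell then runs a Node.js runtime dropped into a user-writable path.
    ProcEvent("FRONTDESK-01", "hotel\\reception", NODE_USER, PS,
              f'"{NODE_USER}" C:\\Users\\reception\\AppData\\Roaming\\svc\\app.js'),
    # Benign: an administrator's scripted inventory check on an admin workstation.
    ProcEvent("ADMIN-WS", "hotel\\itadmin", PS, r"C:\Windows\System32\cmd.exe",
              "powershell.exe -File C:\\Scripts\\inventory.ps1"),
    # Benign: a developer's Node.js install under Program Files, launched by an editor.
    ProcEvent("DEV-WS", "hotel\\dev", r"C:\Program Files\nodejs\node.exe",
              r"C:\Program Files\Microsoft VS Code\Code.exe", "node.exe build.js"),
]


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def from_user_writable(path: str) -> bool:
    p = path.lower()
    return any(fragment in p for fragment in USER_WRITABLE)


def evaluate(ev: ProcEvent) -> list[tuple[str, str]]:
    """Return (severity, reason) findings for one process-creation event."""
    findings = []
    img, parent = basename(ev.image), basename(ev.parent_image)

    if img == "node.exe":
        if ev.host in FRONT_DESK_HOSTS:
            findings.append(("high", "node.exe on a front-desk/reservation host"))
        if from_user_writable(ev.image):
            findings.append(("high", "node.exe running from a user-writable path"))
        if parent in POWERSHELL_IMAGES:
            findings.append(("high", "node.exe spawned by PowerShell"))

    if img in POWERSHELL_IMAGES:
        encoded = ENCODED_FLAG.search(ev.command_line) is not None
        hidden = HIDDEN_FLAG.search(ev.command_line) is not None
        if parent == "explorer.exe" and (encoded or hidden):
            # Explorer as parent is what a double-clicked shortcut looks like.
            findings.append(("medium", "encoded/hidden PowerShell launched from Explorer"))
        elif encoded:
            findings.append(("low", "PowerShell with an encoded command"))
    return findings


def triage(events: list[ProcEvent]) -> list[tuple[str, str, str, str]]:
    """Flatten findings across events as (host, image, severity, reason)."""
    return [(ev.host, ev.image, sev, why) for ev in events for sev, why in evaluate(ev)]


if __name__ == "__main__":
    for host, image, sev, why in triage(SAMPLE_EVENTS):
        print(f"[{sev.upper():6}] {host}: {image} -- {why}")
```

Running the block prints one medium finding for the Explorer-launched PowerShell and three high findings for the Node.js runtime, while the administrator’s script and the developer’s Node.js build produce nothing. The rules deliberately key on parent process, executable path, and host role rather than on file hashes or domains, since those are what the reports say the operators vary between campaigns.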
