A New Malware Campaign Uses a Fake BSOD to Infiltrate PCs
In a chilling reminder of the ever-evolving cyber threats, a recent malware campaign has surfaced that targets the hotel and hospitality industry. The campaign, tracked by Securonix as PHALT#BLYX, uses a fake Blue Screen of Death (BSOD) page to trick victims into running a command that installs malware on their computers.
The Multi-Stage Infection Chain
The attack begins with a phishing email that appears to come from Booking.com, the popular online travel agency. The email asks the recipient to cancel a reservation and links to a fake website. That site first shows a phony CAPTCHA and then a bogus BSOD error page.
- The BSOD page applies the ClickFix tactic: it tells the victim how to "fix" the error by copying a command from the page and pasting it into the Windows Run dialog (Win+R).
- That command downloads an MSBuild project file named v.proj and runs it with MSBuild.exe, Microsoft's signed build tool, which compiles and executes the code embedded in the project file; no separate malicious executable has to be launched by hand.
- The resulting malware disables Windows Defender and drops a .url shortcut in the user's Startup folder so that it runs again automatically at every Windows logon.
The Final Payload: DCRat Trojan
If the ClickFix step succeeds, the final payload is an obfuscated build of DCRat (DarkCrystal RAT), a remote access trojan. It gives the operator remote control of the infected PC, logs keystrokes, injects code into legitimate processes so that it runs under their name, and installs secondary payloads.
Targeting the Hospitality Industry and Europe
The attackers timed the campaign for the hotel industry's busy holiday season and impersonated Booking.com, a brand that scammers frequently abuse. The phishing emails list room charges in euros, suggesting that the targets are mainly hotels and similar businesses in Europe. Russian-language strings in the v.proj MSBuild file point to Russian-speaking operators, consistent with DCRat's popularity among Russian-speaking threat actors.
Protecting Yourself and Your Organization
For organizations and individuals in the crosshairs, Securonix offers the following tips to combat the threat:
- Educate employees about the ClickFix tactic: never paste a command from a web page into the Windows Run box or a PowerShell terminal, especially when a page, a supposed BSOD or another error message tells them to.
- Be wary of phishing emails claiming to be from hospitality services like Booking.com, particularly those with urgent financial requests. Verify such emails through official channels rather than clicking on any included links.
- Monitor MSBuild.exe executions, especially when it is launched from a scripting host, runs project files from unusual folders (such as ProgramData, Temp or user profile directories) or initiates outbound network connections; outside developer and build machines it should rarely do any of these.
- Monitor the .NET utilities aspnet_compiler.exe, RegSvcs.exe and RegAsm.exe, which malware commonly uses as hosts for injected code, for unusual parent processes or network activity.
- Monitor for suspicious file creations such as .proj, .exe and .url files, especially in the Windows ProgramData folder or a Startup folder.
- Enable PowerShell Script Block Logging (Event ID 4104) so that the content of executed scripts, including ClickFix one-liners, is recorded and can be analysed.
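As an added illustration of the monitoring advice above (this is not code from Securonix or from the original article), the Python below applies those checks to a handful of constructed Sysmon-style events: MSBuild.exe running a project file from ProgramData or being spawned by a scripting host, MSBuild.exe or the .NET utilities aspnet_compiler.exe, RegSvcs.exe and RegAsm.exe opening network connections, RegAsm.exe with an unexpected parent, and .proj/.exe/.url files written to ProgramData or a Startup folder. The event field names mirror Sysmon's, the sample events and paths are invented, and the directory lists, parent allowlists and destination allowlist are assumptions to tune for your own estate.

```python
"""Detection checks for the tells listed above (MSBuild running project files
from odd locations or talking to the network, the .NET host utilities
behaving unusually, and .proj/.exe/.url drops in ProgramData or a Startup
folder), run over constructed Sysmon-style JSON events.
Added example; not Securonix's code or any artifact from the campaign."""
import json
import ntpath
from typing import Iterable, Iterator

# Constructed sample telemetry in a Sysmon-like shape (EventID 1 = process
# create, 3 = network connect, 11 = file create). User and file names are
# invented; 203.0.113.10 is an RFC 5737 documentation address.
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "CommandLine": r"MSBuild.exe C:\ProgramData\v.proj",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"EventID": 1, "Image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
     "CommandLine": r"MSBuild.exe C:\Users\dev\source\repos\app\app.csproj /t:Build",
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe"},
    {"EventID": 3, "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "CommandLine": "RegAsm.exe",
     "ParentImage": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"},
    {"EventID": 3, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 80},
    {"EventID": 11, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\ProgramData\v.proj"},
    {"EventID": 11, "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.url"},
    {"EventID": 11, "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "TargetFilename": r"C:\Users\alice\Documents\report.docx"},
]]

# Tuning knobs. These sets are assumptions for the example and must be
# adjusted per estate (developer and build machines will need exceptions).
PROJECT_EXTS = (".proj", ".csproj", ".vbproj", ".targets")
UNUSUAL_DIRS = ("\\programdata\\", "\\appdata\\local\\temp\\", "\\windows\\temp\\",
                "\\downloads\\", "\\users\\public\\")
STARTUP_DIR = "\\start menu\\programs\\startup\\"
DROP_EXTS = (".proj", ".exe", ".url")
DOTNET_HOSTS = {"aspnet_compiler.exe", "regsvcs.exe", "regasm.exe"}
SCRIPT_PARENTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
EXPECTED_HOST_PARENTS = {"devenv.exe", "msiexec.exe", "explorer.exe"}
LOLBINS = {"msbuild.exe"} | DOTNET_HOSTS

Finding = tuple[str, str]  # (rule name, human-readable detail)


def _name(path: str) -> str:
    return ntpath.basename(path).lower()


def _project_args(cmdline: str) -> list[str]:
    """Every command-line token that looks like an MSBuild project file."""
    return [t.strip('"') for t in cmdline.split() if t.strip('"').lower().endswith(PROJECT_EXTS)]


def check_process(e: dict) -> Iterator[Finding]:
    image, parent = _name(e.get("Image", "")), _name(e.get("ParentImage", ""))
    if image == "msbuild.exe":
        for proj in _project_args(e.get("CommandLine", "")):
            if any(d in proj.lower() for d in UNUSUAL_DIRS):
                yield ("msbuild_unusual_project_dir", f"{proj} (parent {parent})")
        if parent in SCRIPT_PARENTS:  # the ClickFix path: Run dialog / shell -> MSBuild
            yield ("msbuild_scripting_parent", f"msbuild.exe spawned by {parent}")
    if image in DOTNET_HOSTS and parent not in EXPECTED_HOST_PARENTS:
        yield ("dotnet_host_unexpected_parent", f"{image} spawned by {parent}")


def check_network(e: dict, allowed_dests: frozenset[str]) -> Iterator[Finding]:
    image, dst = _name(e.get("Image", "")), e.get("DestinationIp", "")
    if image in LOLBINS and dst not in allowed_dests:
        yield ("lolbin_network_connection", f"{image} -> {dst}:{e.get('DestinationPort')}")


def check_file(e: dict) -> Iterator[Finding]:
    target = e.get("TargetFilename", "")
    low = target.lower()
    if STARTUP_DIR in low:  # persistence: anything written to a Startup folder
        yield ("startup_folder_write", f"{target} by {_name(e.get('Image', ''))}")
    elif low.endswith(DROP_EXTS) and any(d in low for d in UNUSUAL_DIRS):
        yield ("suspicious_drop", f"{target} by {_name(e.get('Image', ''))}")


def detect(lines: Iterable[str], allowed_dests: frozenset[str] = frozenset()) -> list[Finding]:
    """Run the checks over JSON event lines; returns findings in input order."""
    findings: list[Finding] = []
    for line in lines:
        e = json.loads(line)
        eid = e.get("EventID")
        if eid == 1:
            findings.extend(check_process(e))
        elif eid == 3:
            findings.extend(check_network(e, allowed_dests))
        elif eid == 11:
            findings.extend(check_file(e))
    return findings


if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

Run it directly to print the findings for the sample events; in practice you would feed it Sysmon or EDR process, network and file events exported as JSON lines and add exceptions for developer and build machines, where MSBuild activity is normal. The allowed_dests parameter is the hook for an internal build-server allowlist, and the legitimate Visual Studio build in the sample shows that the project-directory rule alone does not fire on ordinary developer activity.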
Implications for North East India and Beyond
While the current campaign primarily targets the hospitality industry in Europe, it serves as a stark reminder of the need for vigilance against cyber threats. As the digital landscape continues to evolve, so too will the tactics employed by cybercriminals. It is essential for individuals and organizations across North East India and the broader Indian context to remain informed and proactive in safeguarding their digital assets.
Stay Secure in the Digital Age
As we navigate the digital age, it is crucial to stay informed, aware, and vigilant against cyber threats. By following best practices and staying updated on the latest security measures, we can help protect ourselves and our organizations from falling victim to malicious campaigns such as PHALT#BLYX.