A phishing campaign identified by Microsoft Threat Intelligence targets the hospitality industry, impersonating Booking.com and utilizing the ClickFix social engineering technique to deliver credential-stealing malware. The campaign, ongoing since December 2024, aims at financial fraud by tricking users into executing malicious commands. Affected: hospitality organizations, Booking.com users
Keypoints :
- The phishing campaign impersonates Booking.com and targets the hospitality industry.
- Utilizes the ClickFix technique for social engineering to prompt user interaction.
- The campaign has been ongoing since December 2024 and is expected to peak during busy travel days.
- Microsoft tracks the campaign as Storm-1865, linked to credential theft and financial fraud.
- Malicious emails employ various topics like guest reviews and account verifications to lure the victims.
- Users are prompted to execute commands leading to the download of malware via mshta.exe.
- The campaign delivers different types of malware, including XWorm, Lumma stealer, and Danabot.
- Organizations are encouraged to educate users to recognize phishing attempts.
MITRE Techniques :
- T1203 – Exploitation for Client Execution: Uses malicious commands to execute malware through user interaction.
- T1071 – Application Layer Protocol: Implements web protocols for command and control communications.
- T1086 – PowerShell: Utilizes PowerShell for command execution and malware download.
- T1059 – Command and Scripting Interpreter: Engages command execution through mshta.exe.
- T1222 – File and Directory Permissions Modification: Involves changing permissions to facilitate malware execution.
Indicator of Compromise :
- [IP Address] 92.255.57.155
- [IP Address] 147.45.44.131
- [IP Address] 176.113.115.170
- [IP Address] 31.177.110.99
- [File hash (SHA-256)] 01ec22c3394eb1661255d2cc646db70a66934c979c2c2d03df10127595dc76a6