Securonix warns of a stealthy and sophisticated ClickFix campaign targeting the hospitality sector for remote access trojan (RAT) deployment.
The attacks start with a phishing email containing a fake Booking.com reservation cancellation lure, with a link to an impersonating website that displays a fake CAPTCHA.
Once the victim clicks on the phishing link and lands on the fake website, they are served a deceptive CAPTCHA-style browser error that leads to a fake Blue Screen of Death (BSOD) animation.
The phishing emails used in the campaign, dubbed PHALT#BLYX, contain room charge details in euros, suggesting the threat actors behind it, likely of Russian origin, are actively targeting organizations in Europe, Securonix says.
To ensure the victims click on the malicious links within the email body, the attackers included mention of a charge/refund of over €1,000 (~$1,170) and a request for assistance.
Once the victim accesses the link, a browser error is displayed, and they are prompted to click a ‘reload page’ button, which triggers the ClickFix attack: the browser’s window enters full-screen mode and the fake BSOD image is displayed.
The fake screen instructs the victim to press several key combinations leading to the execution of PowerShell commands that download a malicious MSBuild project file.
The infection chain continues with MSBuild compiling and executing the payload within the project file, which results in Windows Defender being disabled, persistence being achieved, and a customized version of the DCRat RAT being executed.
Upon execution, the payload within the project file checks the privileges of the current user and, if administrative privileges are missing, it attempts execution with high privileges using User Account Control (UAC) spam.
The final payload, a .NET executable, appears to be a variant of DCRat, a known fork of AscynRAT, designed with a high degree of resilience and operational security.
“The malware’s ability to randomize connection points and potentially leverage dead-drop resolvers like Pastebin indicates a botnet infrastructure designed to withstand individual server takedowns and maintain connectivity in hostile environments,” Securonix notes.
Related: ClickFix Attacks Against macOS Users Evolving
Related: New ClickFix Malware Variant ‘LightPerlGirl’ Targets Users in Stealthy Hack
Related: ClickFix Attack Exploits Fake Cloudflare Turnstile to Deliver Malware
Related: ClickFix Widely Adopted by Cybercriminals, APT Groups
