A malspam campaign was spotted by security researchers that was targeting the financial staff of multiple entities from the North American hotel industry, using malicious attachments to drop the NetWiredRC Remote Access Trojan (RAT) on unsuspecting victims.
Malspam (short for malicious or malware spam) is a type of spam email designed to deliver malware payloads via malicious URLs or infected attachment.
The spam emails sent by this malicious campaign’s operators attempt to trick the targeted hotel employees into opening an attachment disguised as an invoice detailing arrears in the form of outstanding bills with more information on the services and goods that haven’t yet been paid.
Security researches from Qihoo 360 Security Center found that the attachments are used to infect the victims’ computers with a NetWiredRC RAT which enables the attackers to gain unauthorized access and remotely control their victims’ computers, as well as steal information among a host of other things.
The RAT is dropped on the targets’ machines with the help of PowerShell script that will be downloaded from http[:]//bit[.]do/e2VHR after executing the .LNK file which has it linked within its target option.
Once launched on a successfully compromised machine, Qihoo’s researchers found that the NetWiredRC malware will add itself to the computer’s startup folder to achieve persistence.
The attackers could perform a wide range of actions on computers infected with the NetWiredRC Trojan, including but not limited to downloading and executing extra malware payloads, uploading files, simulate mouse and keyboard clicks, start new processes, take screenshots, log keystrokes, steal credentials, and collect and exfiltrate system and user information.
Login credentials can also be stolen if they’re saved within “IE, Comode Dragon, Yandex, Mozilla Firefox, Google Chrome, Chromium, Opera browsers and OutLook, ThundBird, SeaMonkey, and other mail clients” as detailed in Qihoo’s report.
Stealing the data of hotel customers is the common denominator of most cyberattacks against hotels and an expected result after the computing network of a hospitality entity is breached by hackers, with a multitude of data breaches involving hotel clients having been reported during last few years.
For instance, approximately 339 million guest records were exposed in the Marriott data breach that took place in 2014 and was announced in November 2018, while another 130 million hotel guests of Huazhu Hotels Group Ltd—one of China’s largest hotel chains—had their personal information sold on a Chinese Dark Web forum in August 2018.
An unknown threat actor also stole payment card and personal information of guests from hundreds of hotels as discovered in June 2018 after breaching the systems of Paris-based company FastBooking that sells hotel booking software over 4,000 hotels from 100 countries.
Back in 2017, as detailed in a report published by cyber-security firm FireEye, the Russian cyber-espionage group APT28 used the ETERNALBLUE NSA exploit in a spear-phishing campaign that distributed malicious documents to hotels and several other organizations in the hospitality industry to infect them with the GAMEFISH malware.