The latest global malspam campaign targets the hotel industry, emphasizing the need to stay alert against such attacks at all times.
Cybersecurity researchers at Sophos X-Ops have issued a warning to the hospitality industry about a sophisticated malspam campaign targeting hotels worldwide.
The campaign leverages social engineering tactics to lure hotel representatives into opening password-protected archives containing malware designed to steal sensitive data.
A malspam attack is a cybersecurity threat where malicious actors send emails containing malware to infect your device and steal your data or disrupt your system.
According to researchers, attackers are targeting hotels worldwide with email complaints about service problems or requests for information to create an aura of legitimacy before sending links to malicious payloads.
The malspam campaign was reported just days after FortiGuard Labs researchers identified a similar campaign targeting unsuspecting users with a fake hotel reservation/booking scam.
In this campaign, scammers compromised devices using the MrAnon Stealer.
The emails in the campaign Sophos reported contain links to password-protected archives hosted on public cloud storage platforms such as Google Drive.
The password, usually a simple one, unlocks the archive and grants access to the malware, primarily from the Redline Stealer or Vidar Stealer families.
The files are often padded to a large size with runs of zero bytes as space-fill, a technique intended to hinder analysis.
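A triage check for the zero-padding described above, added here as an illustration rather than code from Sophos or the article. It reports the NUL-byte share and the trailing NUL run of a file, flags inflated samples, and hashes the file with the trailing padding stripped so that variants that differ only in fill size can be matched; the thresholds and the sample inputs are constructed assumptions.

```python
import hashlib

# Assumed thresholds (not from the Sophos report): flag a file when more than
# 60% of its bytes are NULs or when it ends in at least 1 MiB of NULs.
ZERO_FRACTION_THRESHOLD = 0.60
TRAILING_ZERO_MIN = 1024 * 1024


def trailing_zero_run(data: bytes) -> int:
    """Length of the run of 0x00 bytes at the end of the buffer."""
    return len(data) - len(data.rstrip(b"\x00"))


def analyze_padding(data: bytes) -> dict:
    """Padding statistics and a 'padded' verdict for one file's bytes.

    'stripped_sha256' hashes the content with trailing NULs removed, so two
    samples that differ only in the amount of space-fill share that hash
    even though their plain sha256 values differ.
    """
    size = len(data)
    zero_fraction = data.count(b"\x00") / size if size else 0.0
    trailing = trailing_zero_run(data)
    return {
        "size": size,
        "zero_fraction": zero_fraction,
        "trailing_zero_run": trailing,
        "padded": zero_fraction >= ZERO_FRACTION_THRESHOLD
        or trailing >= TRAILING_ZERO_MIN,
        "sha256": hashlib.sha256(data).hexdigest(),
        "stripped_sha256": hashlib.sha256(data.rstrip(b"\x00")).hexdigest(),
    }


def analyze_file(path: str) -> dict:
    """Run the check on a file on disk (reads the whole file into memory)."""
    with open(path, "rb") as f:
        return analyze_padding(f.read())


# Constructed demo inputs, not real malware: a 4 KiB "core" that ends in a
# non-zero byte, followed by different amounts of NUL space-fill.
CORE = bytes(range(256)) * 16
SAMPLE_A = CORE + b"\x00" * (2 * 1024 * 1024)
SAMPLE_B = CORE + b"\x00" * (3 * 1024 * 1024)

if __name__ == "__main__":
    for name, blob in (("core", CORE), ("sample_a", SAMPLE_A), ("sample_b", SAMPLE_B)):
        print(name, analyze_padding(blob))
```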
Sophos researchers noted that the attackers are using the same methodology Sophos first observed in April 2023.
The emails cover a wide range of subjects that fall broadly into two categories: complaints about serious problems experienced during a recent stay at the hotel, and requests for information ahead of a future booking.
Either way, the attackers send links to malware payloads wrapped in password-protected archive files, posing a threat to hotel representatives.
In every case, the threat actor offered documentation as proof of the complaint, and that documentation contained the malware.
In another sample, the threat actor claims to have already booked rooms through the hotel's website but needs accommodation for a family member with a disability, and includes a link to a ZIP file supposedly containing medical records.
The threat actor adds that the link may only be compatible with Windows computers.
The malware connects to a URL on the Telegram encrypted messaging service; the bot then downloads a payload from that URL and submits telemetry about the infected machine via HTTP POST requests.
The malware does not establish persistence on the host machine: it runs once, extracts and exfiltrates data, and quits.
Sophos X-Ops has retrieved over 50 unique samples from cloud storage hosted by threat actors conducting the campaign.
Sophos' principal threat researcher Andrew Brandt shared the following comment with Hackread.com on the malspam campaign, explaining the risks it entails for the hospitality industry.
This Cyber News was published on www.hackread.com. Publication date: Tue, 19 Dec 2023 18:43:05 +0000