Two cybercriminal groups attack hotels around the world

Information security experts have described the RevengeHotels criminal campaign, which targets the hospitality sector in Brazil and several other countries. According to the experts, at least two cybercriminal groups are attacking hotels in pursuit of guests' bank card data, infecting both guest devices and hotel host computers.

According to the analysts, the attackers rely heavily on social engineering in their campaigns. Typically, an attack begins with an email carrying an attached document that contains a malicious OLE object.

Messages sent to hotels contain a request to reserve a large number of rooms on behalf of a real organization. To deceive the victim, the attackers attach an extract from the state register for a legitimate company, and the email itself is sent from a domain very similar to that company's official one.

If the victim opens the malicious file, it downloads a small PowerShell script, which in turn delivers the main payload to the device.

“The main attack vector is via email with crafted Word, Excel or PDF documents attached. Some of them exploit CVE-2017-0199, loading it using VBS and PowerShell scripts and then installing customized versions of RevengeRAT, NjRAT, NanoCoreRAT, 888 RAT and other custom malware such as ProCC in the victim’s machine. The group has been active since 2015, but increased its attacks in 2019,” the information security specialists report.
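A defender-side check for the initial-access documents described above, added here as an example and not part of the report: exploit documents for CVE-2017-0199 typically contain an OLE object relationship whose Target is an external URL rather than an embedded part, and this Python script scans an Office Open XML package (.docx, .xlsx) for exactly that pattern. The sample document and the placeholder URL it contains are constructed for the demonstration.

```python
import io
import re
import zipfile

# Constructed sample: a minimal .docx whose OLE object relationship points to an
# external URL (the CVE-2017-0199 pattern). Not a real malicious file; the URL is
# a placeholder. With external=False the object is a normal embedded part.
def build_sample_docx(external: bool) -> bytes:
    target = "http://EXAMPLE-PLACEHOLDER.invalid/payload.rtf" if external else "embeddings/oleObject1.bin"
    mode = ' TargetMode="External"' if external else ""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId5" '
        'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" '
        f'Target="{target}"{mode}/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()

# Match single <Relationship .../> elements (the \b keeps <Relationships> out)
# and pull their attributes without a full XML parser.
REL_RE = re.compile(r"<Relationship\b[^>]*>")
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')

def find_external_ole_links(docx_bytes: bytes) -> list:
    """Return (rels part, target) pairs for OLE object relationships whose
    target lies outside the package, i.e. content fetched at open time."""
    if not zipfile.is_zipfile(io.BytesIO(docx_bytes)):
        return []  # not an OOXML container; nothing to inspect here
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            xml = z.read(name).decode("utf-8", errors="replace")
            for rel in REL_RE.findall(xml):
                attrs = dict(ATTR_RE.findall(rel))
                if attrs.get("Type", "").endswith("/oleObject") and attrs.get("TargetMode") == "External":
                    hits.append((name, attrs.get("Target", "")))
    return hits

if __name__ == "__main__":
    print(find_external_ole_links(build_sample_docx(True)))   # flagged
    print(find_external_ole_links(build_sample_docx(False)))  # []
```

A hit is a strong indicator worth quarantining the attachment, but legitimate documents can link OLE objects externally, so treat it as a triage signal rather than a verdict.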

Experts have identified two criminal teams that use different malware in their campaigns.

The RevengeHotels group installs on target computers an executable built with the .NET Framework and packed with Yoda Obfuscator. Analysis of the source code showed the malware to be the RevengeRAT Trojan, which has already appeared in criminal campaigns in the Middle East, America and Europe.

In addition to the backdoor, the attackers deliver to the machine a malicious ScreenBooking script that monitors the opening of certain pages in the browser and intercepts bank card information entered by the visitor. The module works with hotel booking aggregators such as booking.com and can monitor data entered in English and Portuguese.

The second team, dubbed ProCC, uses its own program written in Delphi. The malware can intercept the contents of the clipboard and copy the contents of documents sent to the printer.

According to telemetry, most of the victims of cyberattacks are in Brazil and other countries of South and Central America. Information about infections also came from Spain, Portugal, Italy, Turkey and Thailand.


Meanwhile, after examining the statistics of the bit.ly service, which the attackers used to shorten malicious links, the experts concluded that the campaign is global: potential victims may be located in another two dozen countries.

Recommendations:

If you want to be a well-informed and safe traveler, it is highly recommended to use a virtual payment card for reservations made via OTAs (online travel agencies), as these cards normally expire after one charge. When paying for your reservation or checking out at a hotel, it is a good idea to use a virtual wallet such as Apple Pay or Google Pay. If this is not possible, use a secondary or less important credit card, as you never know whether the hotel's system is clean.
