
    Watch out for this fake Windows BSOD

    Image: Fake BSOD (Securonix)



    ZDNET’s key takeaways

    • A new campaign creates a fake BSOD to install malware.
    • The campaign tricks users into installing a remote access trojan.
    • If executed, the RAT can remotely access the infected PC.

    The Windows Blue Screen (or Black Screen) of Death is typically a sign that some unrecoverable error or conflict has occurred. Now, cybercriminals are using the dreaded BSOD as a way to trick people into running malware.

    In a new malware campaign tracked by cybersecurity firm Securonix, attackers are using ClickFix social engineering, fake CAPTCHAs, and phony BSODs to convince victims to copy and paste malicious code. Once executed, the code deploys a Russian-linked RAT (remote access trojan) that allows the criminals to remotely take over the PC and deploy additional malware.

    Aimed at the hotel and hospitality industry, the campaign dubbed PHALT#BLYX is described by Securonix as a multi-stage infection chain, as it takes its victims through a series of steps.

    The attack starts with a phishing email that contains a link to a fake website masquerading as online travel agency Booking.com. The email ostensibly includes a request to cancel a booking reservation to convince the recipient to engage with it. Selecting the link to the site displays a page with a fake CAPTCHA prompt that then triggers the phony BSOD.

    From there, the campaign turns to an infamous ClickFix tactic, which aims to trick people into infecting themselves by copying and pasting code or launching certain commands on their system. In this case, the recipient is told to fix the BSOD by copying and pasting a malicious script into the Windows run dialog box.

    Falling for the ClickFix tactic runs a PowerShell command that downloads and runs an MSBuild project file named v.proj. At this point, the malware is even smart enough to disable Windows Defender to proceed undetected. It also establishes persistence by setting itself up as a URL in the startup folder, so it automatically loads each time Windows launches.


    If the victim has taken the bait this far, the final payload is an obfuscated version of DCRat, a trojan able to establish remote access, log keystrokes, run malicious code through legitimate processes, and install secondary payloads.

    The attackers have bet on a couple of factors to make this campaign successful. First, it was launched during the typically busy holiday season for the hotel industry. Second, it exploits Booking.com, a site that has been abused in the past and remains popular among scammers.

    The phishing emails list the room charges in euros, an indication that the attacks have been targeting hotels and similar businesses in Europe. The inclusion of Russian language in the v.proj MSBuild project file links the campaign to Russian attackers who use DCRat.

    As the campaign is aimed at the hospitality industry, the average home user isn’t likely to be affected. But for organizations and individuals in the crosshairs, Securonix offers the following tips to combat the threat.

    1. User awareness. Educate your employees about the ClickFix tactic. Warn them against any emails that ask them to paste code in the Windows Run box or PowerShell terminal, especially if triggered by a BSOD or other type of error.
    2. Watch out for phishing emails. Be wary of any emails that claim to be from hospitality services like Booking.com, particularly ones with urgent financial requests. Verify all such emails through official channels rather than clicking on any included links.
    3. Monitor for use of MSBuild.exe. Set up monitoring for use of the MSBuild.exe file. Make sure your Help Desk or IT staff is alerted to instances in which MSBuild.exe runs project files from unusual folders or tries to initiate external network connections.
    4. Monitor other executable files. Monitor other legitimate executable files like aspnet_compiler.exe, RegSvcs.exe, and RegAsm.exe. Look for any odd or unusual activity, such as establishing outbound network connections to unknown IP addresses through uncommon ports.
    5. Monitor for suspicious files. Set up monitoring to look for the creation of suspicious file types, such as .proj and .exe files. Pay special attention if such files are created in the Windows ProgramData folder or the Windows startup folder.
    6. Enable PowerShell logging. Enable PowerShell Script Block Logging so that the content of executed scripts is recorded in the Windows Event Viewer (Event ID 4104) and can be analyzed.
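
    As an added example covering tips 3 to 6 (this is not Securonix's or ZDNET's code), the following PowerShell, run from an elevated prompt, enables Script Block Logging and then sweeps the local event logs and folders for the tells the article describes. It assumes process-creation auditing (Security Event ID 4688) with command-line logging is already on; the registry path, event IDs and property indexes are standard Windows ones, while the "user-writable folder" pattern, the search keywords and the seven-day window are my own assumptions.

```powershell
# Added example, not code from Securonix or ZDNET. Run elevated.
# Assumes Security 4688 auditing with command-line logging is enabled.

# 1. Enable PowerShell Script Block Logging (produces Event ID 4104).
$sbl = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
New-Item -Path $sbl -Force | Out-Null
Set-ItemProperty -Path $sbl -Name EnableScriptBlockLogging -Value 1 -Type DWord

# 2. MSBuild.exe launched with a .proj file that lives in a user-writable
#    folder (assumed pattern; the article names ProgramData in particular).
#    4688 properties: [5] = NewProcessName, [8] = CommandLine.
$suspectProj = '(?i)(ProgramData|\\Users\\|\\Temp\\|AppData)[^"]*\.proj\b'
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -ErrorAction SilentlyContinue |
  Where-Object {
    $_.Properties[5].Value -match '\\MSBuild\.exe$' -and
    $_.Properties[8].Value -match $suspectProj
  } |
  Select-Object TimeCreated, @{ n = 'CommandLine'; e = { $_.Properties[8].Value } }

# 3. Script blocks that download and run content, the ClickFix paste pattern.
#    4104 properties: [2] = ScriptBlockText. Keywords are assumptions.
$pasteTells = '(?i)DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|msbuild|\.proj\b'
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -ErrorAction SilentlyContinue |
  Where-Object { $_.Properties[2].Value -match $pasteTells } |
  Select-Object TimeCreated, @{ n = 'Script'; e = {
      $t = $_.Properties[2].Value; $t.Substring(0, [Math]::Min(200, $t.Length)) } }

# 4. Persistence: .url shortcuts in the per-user and all-users Startup folders.
$startup = @("$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
             "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp")
Get-ChildItem -Path $startup -Filter *.url -ErrorAction SilentlyContinue |
  Select-Object FullName, LastWriteTime, @{ n = 'Target'; e = {
      (Get-Content $_.FullName | Select-String '^URL=').Line } }

# 5. Recently written .proj or .exe files under ProgramData (7-day window assumed).
Get-ChildItem -Path $env:ProgramData -Recurse -Include *.proj, *.exe -ErrorAction SilentlyContinue |
  Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-7) } |
  Select-Object FullName, LastWriteTime
```

    Each section prints its hits to the console; in practice you would feed the same filters into your SIEM or a scheduled task that alerts the Help Desk, as tip 3 suggests.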
