
"Another campaign, documented by Sekoia, targeted Windows users. The attackers behind it first compromise a hotel's account for Booking.com or another online travel service. Using the information stored in the compromised accounts, the attackers contact people with pending reservations, an ability that builds immediate trust with many targets, who are eager to comply with instructions, lest their stay be canceled. The site eventually presents a fake CAPTCHA notification that bears an almost identical look and feel to those required by content delivery network Cloudflare."
"The proof the notification requires for confirmation that there's a human behind the keyboard is to copy a string of text and paste it into the Windows terminal. With that, the machine is infected with malware tracked as PureRAT. Push Security, meanwhile, reported a ClickFix campaign with a page "adapting to the device that you're visiting from." Depending on the OS, the page will deliver payloads for Windows or macOS."
"Many of these payloads, Microsoft said, are LOLbins, the name for binaries that use a technique known as living off the land. These scripts rely solely on native capabilities built into the operating system. With no malicious files being written to disk, endpoint protection is further hamstrung. The commands, which are often base-64 encoded to make them unreadable to humans, are often copied inside the browser sandbox, a part of most browsers that accesses the Internet in an isolated environment."
Attackers compromise hotel or online travel service accounts and use the reservation data in them to contact guests with pending bookings, exploiting the trust that relationship carries. A fake CAPTCHA then instructs the target to copy a text string and paste it into a Windows terminal, which installs PureRAT. Other campaigns adapt the payload to the visitor's operating system and deliver LOLbins that rely on native OS capabilities, so no malicious file is written to disk. The commands are often base-64 encoded and copied from within the browser sandbox, which limits what many security tools can see. Because the copy-and-paste instructions appear to come from a legitimate source, targets rarely suspect them, which is what makes the attacks effective.
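The base-64 encoded commands described above are a detection opportunity on the endpoint, because the OS still logs the process that the pasted text launches. The following Python script is an added example and is not code from the article or from any of the vendors it cites; it parses constructed process-creation events (a simplified key=value form loosely modelled on Sysmon field names, which is an assumption, not a real log format), finds PowerShell launches that carry an encoded command, decodes the UTF-16LE base-64 payload, and flags the combination that fits the ClickFix flow: a parent of explorer.exe (as when text is pasted into the Run dialog), a hidden window, or a remote URL in the decoded script. The sample events, paths and URL are all constructed for the example.

```python
"""Flag PowerShell encoded-command launches that fit the ClickFix pattern.

Added example; events below are constructed, not real telemetry. Field names
(ParentImage, Image, CommandLine) are assumed to follow Sysmon naming.
"""
import base64
import binascii
import re
from typing import Dict, List

# -e, -ec, -en, -enc and -encodedcommand are all accepted by powershell.exe;
# the alternation requires whitespace after the switch so "-ep" does not match.
ENCODED_FLAG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})", re.I)
HIDDEN_FLAG = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
URL_PATTERN = re.compile(r"https?://[^\s'\"]+", re.I)
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

PS_IMAGE = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"


def encode_ps(script: str) -> str:
    """Encode a script as PowerShell's -EncodedCommand expects (UTF-16LE, base64).
    Used only to build the constructed sample events."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def _event(parent: str, cmd: str) -> str:
    """Build one constructed log line in the simplified key=value form."""
    return f'ParentImage="{parent}" Image="{PS_IMAGE}" CommandLine="{cmd}"'


# Constructed sample events: a scheduled backup, a Run-dialog paste that fetches
# a remote resource, and an encoded command from a (fictional) management agent.
SAMPLE_EVENTS: List[str] = [
    _event("C:\\Windows\\System32\\svchost.exe",
           "powershell.exe -File C:\\Scripts\\backup.ps1"),
    _event("C:\\Windows\\explorer.exe",
           "powershell -w hidden -enc " + encode_ps(
               "$r = Invoke-WebRequest -Uri https://example.invalid/check; "
               "Write-Output $r.StatusCode")),
    _event("C:\\Program Files\\Mgmt\\agent.exe",
           "powershell -enc " + encode_ps(
               "Get-Service | Out-File C:\\temp\\services.txt")),
]


def parse_event(line: str) -> Dict[str, str]:
    """Split a 'Key=value Key="quoted value"' log line into a dict."""
    return {k: v.strip('"') for k, v in FIELD.findall(line)}


def analyze_event(line: str) -> Dict[str, object]:
    """Decode any encoded command and list the reasons the launch looks like ClickFix."""
    ev = parse_event(line)
    cmd = ev.get("CommandLine", "")
    parent = ev.get("ParentImage", "").lower()
    result: Dict[str, object] = {
        "parent": parent, "encoded": False, "decoded": "", "reasons": [], "suspicious": False,
    }
    m = ENCODED_FLAG.search(cmd)
    if not m:
        return result
    reasons: List[str] = []
    result["encoded"] = True
    try:
        result["decoded"] = base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        reasons.append("undecodable-encoded-command")
    # Text pasted into Win+R runs as a child of the shell, not of a script host.
    if parent.endswith("\\explorer.exe"):
        reasons.append("launched-from-explorer")
    if HIDDEN_FLAG.search(cmd):
        reasons.append("hidden-window")
    if URL_PATTERN.search(str(result["decoded"])):
        reasons.append("remote-url-in-decoded-script")
    result["reasons"] = reasons
    result["suspicious"] = bool(reasons)
    return result


def scan(events: List[str]) -> List[Dict[str, object]]:
    """Analyze every event and return the per-event verdicts."""
    return [analyze_event(e) for e in events]


if __name__ == "__main__":
    for verdict in scan(SAMPLE_EVENTS):
        print(verdict["suspicious"], verdict["reasons"], verdict["decoded"][:60])
```

An encoded command on its own is not a verdict, as the third sample shows: management tooling legitimately uses `-EncodedCommand`, so the parent process and the decoded content carry the signal. In production the parent check would be widened to the other places ClickFix text lands (a terminal window, the File Explorer address bar), and the decoded script would be fed to the same content rules that already inspect plaintext command lines.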
Read at Ars Technica