New Malware Campaign Targeting Hospitality Sector
Briefly

"It is a trick for click-fix that executes a PowerShell command to download a proj file,"
"The campaign leverages MSBuild.exe to compile and execute the payload. The final payload is a heavily obfuscated version of DCRat, capable of process hollowing, keylogging, persistent remote access and dropping secondary payloads."
"The attackers utilize booking.com, a theme that has been abused in the past and remains a persistent threat. The phishing emails notably feature room charge details in Euros, suggesting the campaign is actively targeting European organisations. The use of Russian language within the 'v.project' MS build file links this activity to Russian threat actors using DCRat."
A campaign tracked as PHALT#BLYX targets the hospitality sector with fake booking.com cancellation emails that link to a fraudulent website. The site presents a fake CAPTCHA and a fake blue screen of death that push the user toward a click-fix action: running a PowerShell command that downloads a .proj file. The attackers then abuse MSBuild.exe to compile and execute the downloaded project, delivering an obfuscated DCRat variant. The DCRat payload is capable of process hollowing, keylogging and persistent remote access, and can drop secondary payloads. The phishing content and room charges quoted in euros point to a European focus, and Russian-language text in the v.project file links the activity to Russian threat actors.
Read at Securitymagazine
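
The MSBuild stage described above can be hunted in process-creation telemetry. The following is an added example, not code from the article or the researchers: it assumes events shaped like Sysmon Event ID 1 fields (Image, ParentImage, CommandLine, CurrentDirectory), and the sample events, paths and staging-directory list are constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

SHELL_PARENTS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Assumed list of user-writable staging locations; tune it for your environment.
STAGING_DIRS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\programdata\\", "\\users\\public\\")
PROJECT_EXT = re.compile(r"\.\w*proj(ect)?$", re.I)   # .proj, .csproj, .project ...

def basename(path):
    return PureWindowsPath(path).name.lower()

def project_location(event):
    """Project file MSBuild was asked to build, else its working directory."""
    args = [q or u for q, u in re.findall(r'"([^"]*)"|(\S+)', event["CommandLine"])][1:]
    for arg in args:
        if not arg.startswith(("/", "-")) and PROJECT_EXT.search(arg):
            return arg
    # With no project argument, MSBuild builds a *proj file from the current directory.
    return event.get("CurrentDirectory", "")

def detect(events):
    """Flag MSBuild.exe started by a shell on a project in a staging directory."""
    findings = []
    for ev in events:
        if basename(ev["Image"]) != "msbuild.exe":
            continue
        parent = basename(ev["ParentImage"])
        if parent not in SHELL_PARENTS:
            continue
        location = project_location(ev)
        if any(d in location.lower() + "\\" for d in STAGING_DIRS):
            findings.append({"parent": parent, "project": location})
    return findings

MSB = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed sample events, not taken from the campaign.
SAMPLE_EVENTS = [
    {"Image": MSB, "ParentImage": PS,
     "CommandLine": r"MSBuild.exe C:\Users\frontdesk\AppData\Local\Temp\example.proj"},
    {"Image": MSB, "ParentImage": r"C:\Program Files\IDE\devenv.exe",
     "CommandLine": r"MSBuild.exe C:\src\pms\pms.csproj"},
    {"Image": MSB, "ParentImage": PS,
     "CommandLine": r"MSBuild.exe C:\src\pms\pms.csproj /p:Configuration=Release"},
    {"Image": MSB, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "MSBuild.exe", "CurrentDirectory": r"C:\ProgramData\upd"},
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

On hosts with no development role, such as front-desk or reservation workstations, any MSBuild.exe execution is worth reviewing, so the parent and path conditions can be relaxed there.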