{"id":23638,"date":"2024-01-13T12:27:29","date_gmt":"2024-01-13T20:27:29","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2024\/01\/13\/news-17368\/"},"modified":"2024-01-13T12:27:29","modified_gmt":"2024-01-13T20:27:29","slug":"news-17368","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2024\/01\/13\/news-17368\/","title":{"rendered":"\u201cInhospitality\u201d malspam campaign targets hotel industry"},"content":{"rendered":"

Credit to Author: Andrew Brandt| Date: Tue, 19 Dec 2023 11:00:33 +0000<\/strong><\/p>\n

\n

Sophos X-Ops is warning the hospitality industry that a campaign targeting hotels worldwide with password-stealing malware is using emailed complaints about service problems or requests for information as a social engineering lure to gain the trust of the campaign\u2019s targets, before sending them links to malicious payloads.<\/p>\n

The attackers are using a methodology similar to the one Sophos X-Ops uncovered<\/a> in the months leading up to the US federal tax filing deadline in April 2023: They initially contact the target over email that contains nothing but text, but with subject matter a service-oriented business (like a hotel) would want to respond to quickly. Only after<\/em> the target responds to the threat actor\u2019s initial email does the threat actor send a followup message linking to what they claim is details about their request or complaint.<\/p>\n

The social engineering angle spans a wide variety of subject matter, but can be categorized into two generalized buckets: complaints about serious issues the sender claims to have experienced in a recent stay, or requests for information to help with a potential future booking.<\/p>\n

Sophos X-Ops has already briefed representatives of the Retail and Hospitality Information Sharing and Analysis Center (RH-ISAC) about this attack targeting their industry during the busy end-of-year holiday travel season.<\/p>\n

I am writing to inquire<\/em><\/h3>\n

The content of the \u2018complaint\u2019-style messages range from allegations of violent attacks or bigoted behavior by members of the hotel staff, to assertions that the \u201cguest\u201d had items stolen or lost from their room. The \u2018requests for information\u2019-type messages included emails asking for accommodations for someone with severe allergies, messages about how the hotel could support a business meeting, or inquiries about accessibility within the hotel for a disabled or elderly guest.<\/p>\n

\"\"<\/a><\/p>\n

In every case, once a representative from the hotel responded to the initial inquiry asking for more information, the threat actor replied with a message that \u2013 the attacker claims \u2013 links to documentation or evidence supporting their claims or requests. The \u201cdocumentation\u201d is not actual documentation, but the malware payload, wrapped in a password-protected archive file.<\/p>\n

The links point to public cloud storage services, such as Google Drive, and the body of the message contains a password (usually numeric) that the recipient is prompted to use to open the Zip or Rar archive at the other end of the download link.<\/p>\n

Common characteristics of email messages in the campaign<\/h3>\n

The messages attackers send to hotel staff share some traits that make them more suspicious and merit additional caution by recipients.<\/p>\n

Like many successful malspam campaigns, the messages are engineered to play on emotions and on the target\u2019s desire to render assistance \u2013 a self-selecting trait for successful people working in the hospitality industry.<\/p>\n

In one example, the threat actor tells a hotel staffer that they left a camera behind in a room that contains photos of a recently deceased relative, and asks the hotel for help locating the camera.<\/p>\n

\"\"<\/a><\/p>\n

When the hotel staff replied, asking for the room number and name the reservation was under, the threat actor replies, feigning exasperation.<\/p>\n

\"\"<\/a><\/p>\n

\u201cI have already told you about my family\u2019s grief, I have lost a very precious thing with my mother\u2019s last memories on it, if I send you a picture of the camera could you please help me\u201d along with a link to a file hosted on Google Drive, and the text \u201cPassword: 123456\u201d below the link.<\/p>\n

\"\"<\/a><\/p>\n

In another example, the threat actor emails a hotel and asks them to reply because they \u201chave been unable to contact you through the website or by phone.\u201d When the booking agent from the hotel asks them to provide more details about their plans, the threat actor replies, claiming they have booked rooms through the website but need to make arrangements for the accommodation of a family member with a disability. Their second email links to a zip file hosted on Google Drive they claim contains \u201cmedical records and doctor\u2019s recommendations\u201d and, again, a password of 123456 needed to open the file.<\/p>\n

In that message, the threat actor adds the following \u201cMy husband mentioned that this Google Drive link may only be compatible with Windows computers. The document holds vital details, including our booking number and proof of payment. It\u2019s essential to familiarize yourself with these details.\u201d<\/p>\n

\"\"<\/a><\/p>\n

In what might be the most egregious example, the threat actor asked for contact with a manager to address a problem they had at the hotel. Once the manager replies, the threat actor writes \u201cI did not expect there are such terrible hotels,\u201d describing a horrifying (fictitious) experience that included mouldy walls, \u201cbedbugs in almost all the furniture\u201d that \u201csignificantly worsened the comfort of my stay,\u201d and an employee who used a racist epithet. The email links to a RAR archive file hosted on the Mega.nz cloud hosting provider, also with a password of 123456, that the sender alleges contains a video of the confrontation between the guest and staff member.<\/p>\n

\"\"<\/a><\/p>\n

The emails all contrive an excuse to share documentation with the hotel workers via cloud storage, from Google Drive, Mega.nz, Dropbox, or from an address in the content hosting space of the chat platform Discord. The malicious payloads linked from these messages were compressed in either the Zip or Rar compression format, and used one of the following list of passwords.<\/p>\n