A new malware campaign dubbed PHALTBLYX is targeting the hospitality sector with sophisticated social engineering tactics and advanced evasion techniques. This emerging threat uses convincing phishing emails and fake booking websites to trick users into executing malicious code, potentially leading to significant data breaches and system compromise.
The attack chain, as detailed by Securonix analysts, begins with fraudulent emails impersonating Booking.com. These messages are designed to alarm recipients by claiming urgent reservation cancellations with hefty financial charges displayed in euros. This urgency prompts users to visit deceptive Booking.com websites meticulously crafted to mirror the legitimate service.
The core of the PHALTBLYX attack is its innovative click-fix social engineering method. Once a victim interacts with the fake Booking.com page and clicks a refresh button, their browser displays a full-screen animation simulating a Windows Blue Screen of Death (BSOD). This visual deception is intended to instill panic and guide the user toward specific on-screen instructions.
Following the simulated crash's on-screen instructions, victims copy a PowerShell command to their clipboard and, in trying to complete the prompted "fix", execute it themselves. Because the user launches the command by hand, it bypasses many automated security controls that would typically flag or block script execution, making the attack highly effective.
PHALTBLYX Infection Mechanism Unveiled
The infection mechanism leverages Microsoft’s legitimate MSBuild.exe build tool for a technique known as “living off the land.” Once executed, the PowerShell command downloads a malicious MSBuild project file, named v.proj, from remote servers and hands it to MSBuild.exe, which builds the project and thereby runs the code it contains.
This “living off the land” approach allows the malware to hide its actions by masquerading as a trusted Windows utility. This significantly increases its chances of evading detection by traditional antivirus software and application whitelisting solutions. Thus, organizations need to be vigilant about suspicious MSBuild.exe executions.
A critical step in the malware’s operation involves disabling Windows Defender. It achieves this by adding broad file extension exclusions and specific directory exclusions. This ensures that subsequent malicious payloads remain undetected by the endpoint’s primary security software, creating a more permissive environment for the attackers.
The ultimate payload delivered by PHALTBLYX is a customized variant of DCRat. DCRat is a potent Remote Access Trojan (RAT) with extensive capabilities for system compromise. It establishes persistence on the infected system by creating internet shortcut files within the Windows startup folder, cleverly disguised as legitimate system utilities.
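The persistence step described above, a .url (Internet Shortcut) file dropped into the Startup folder, is easy to triage because the format is a plain INI file whose [InternetShortcut] section carries the target in a URL= line. The following is an added example, not code from the article or from Securonix: it parses a shortcut's contents and flags any Startup-folder shortcut whose target is not a web page, since such a shortcut launches a local file at logon. The sample contents, file names and the icon lines are constructed assumptions; the article says only that the shortcuts are disguised as system utilities.

```python
"""Triage Internet Shortcut (.url) files found in a Windows Startup folder.

Added example; not part of the article or the Securonix analysis.
"""
import configparser
from typing import Optional
from urllib.parse import urlparse


def shortcut_target(contents: str) -> Optional[str]:
    """Return the URL= value of the [InternetShortcut] section, or None if absent."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(contents)
    # Option names are case-insensitive in configparser; the section name is not.
    return parser.get("InternetShortcut", "URL", fallback=None)


def is_suspicious_startup_shortcut(contents: str) -> bool:
    """True when a Startup-folder .url points at something other than a web page.

    A file:, a bare drive path or any non-http scheme means the shortcut starts
    a local program or script at logon, which is the persistence pattern to hunt.
    """
    target = shortcut_target(contents)
    if target is None:
        return False
    return urlparse(target.strip()).scheme.lower() not in ("http", "https")


# Constructed samples (assumed shapes, not real artefacts from the campaign).
BENIGN_URL = "[InternetShortcut]\nURL=https://intranet.example/\n"

# A local executable target dressed up with a system icon so it looks like a
# Windows utility (assumption: the article does not describe the icon trick).
SUSPICIOUS_URL = (
    "[InternetShortcut]\n"
    "URL=file:///C:/Users/Public/svc_update.exe\n"
    "IconFile=C:\\Windows\\System32\\shell32.dll\n"
    "IconIndex=0\n"
)

if __name__ == "__main__":
    for name, body in (("benign", BENIGN_URL), ("suspicious", SUSPICIOUS_URL)):
        print(name, "->", is_suspicious_startup_shortcut(body))
```

In practice the function is run over every *.url in both the per-user and the all-users Startup folders; a web shortcut there is odd but harmless, while a local-file target warrants pulling the referenced binary for analysis.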
Upon successfully connecting to its command and control (C2) servers, the DCRat variant begins collecting a wealth of system information. This includes hardware identification details, operating system specifications, the presence and type of installed antivirus software, and the titles of currently active windows. This reconnaissance phase allows the attackers to tailor their subsequent actions.
The malware exhibits several malicious capabilities, including keylogging to capture user keystrokes, process injection into legitimate system binaries (such as aspnetcompiler.exe) to further mask its presence, and the ability to download and execute additional malicious payloads. The presence of Cyrillic language artifacts and Russian debugging strings within the malware’s code strongly suggests that Russian-speaking threat actors are behind this campaign.
To counter such attacks, organizations are advised to implement rigorous user awareness training, specifically focusing on recognizing and avoiding click-fix tactics and suspicious email attachments. Additionally, continuous monitoring for unusual MSBuild.exe executions originating from non-standard directories is crucial for early detection and prevention.
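The monitoring advice above, together with the MSBuild.exe living-off-the-land step and the Defender exclusion step described earlier, translates directly into process-creation detection logic. The following is an added example, not code from the article or from Securonix: it runs four checks over Windows process-creation telemetry (Sysmon event 1 or EDR process events), namely MSBuild.exe executing from outside the usual .NET Framework and Visual Studio directories, MSBuild.exe spawned by a scripting host such as PowerShell, a project-file argument sitting in a user-writable path, and a command line that adds a Defender exclusion. The expected-directory list, the ProcEvent field names, the Add-MpPreference mapping of the exclusion step (the article does not say how the exclusions were added) and every sample event are constructed assumptions.

```python
"""Detection checks for suspicious MSBuild.exe use and Defender exclusion changes.

Added example; not part of the article or the Securonix analysis.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Tuple

# Directories MSBuild.exe is normally launched from (assumption: extend this
# to match the build tooling actually deployed in your environment).
EXPECTED_MSBUILD_DIRS = (
    "C:\\Windows\\Microsoft.NET\\Framework",
    "C:\\Windows\\Microsoft.NET\\Framework64",
    "C:\\Program Files\\Microsoft Visual Studio",
    "C:\\Program Files (x86)\\Microsoft Visual Studio",
)

# Script hosts that rarely need to start a build engine outside dev boxes and CI.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe",
                "wscript.exe", "cscript.exe", "mshta.exe"}

# A project-file argument on the command line ...
PROJECT_ARG = re.compile(r"\S+\.(?:proj|csproj|vbproj|targets)\b", re.IGNORECASE)
# ... that sits somewhere an unprivileged user (or a dropper) can write to.
USER_WRITABLE = re.compile(
    r"\\(?:Users\\[^\\]+\\AppData|Users\\Public|Windows\\Temp|ProgramData)\\",
    re.IGNORECASE)
# Defender path/extension/process exclusion added from a command line
# (assumed cmdlet; the article only says exclusions were added).
DEFENDER_EXCLUSION = re.compile(
    r"Add-MpPreference\b.*?-Exclusion(?:Path|Extension|Process)\b", re.IGNORECASE)


@dataclass
class ProcEvent:
    image: str          # full path of the newly created process
    command_line: str
    parent_image: str   # full path of the parent process


def _basename(path: str) -> str:
    return ntpath.basename(path).lower()


def check_msbuild(ev: ProcEvent) -> List[str]:
    """Return the names of the MSBuild rules the event trips ([] means none)."""
    hits: List[str] = []
    if _basename(ev.image) != "msbuild.exe":
        return hits
    image_dir = ntpath.dirname(ev.image).lower()
    if not any(image_dir.startswith(d.lower() + "\\") for d in EXPECTED_MSBUILD_DIRS):
        hits.append("msbuild_outside_expected_dir")
    if _basename(ev.parent_image) in SCRIPT_HOSTS:
        hits.append("msbuild_spawned_by_script_host")
    proj = PROJECT_ARG.search(ev.command_line)
    if proj and USER_WRITABLE.search(proj.group(0)):
        hits.append("project_file_in_user_writable_path")
    return hits


def check_defender_exclusion(ev: ProcEvent) -> bool:
    """True when the command line adds a Defender exclusion."""
    return DEFENDER_EXCLUSION.search(ev.command_line) is not None


def scan(events: List[ProcEvent]) -> List[Tuple[int, List[str]]]:
    """Run all checks over a batch; yields (event index, tripped rules) per alert."""
    alerts = []
    for i, ev in enumerate(events):
        hits = check_msbuild(ev)
        if check_defender_exclusion(ev):
            hits.append("defender_exclusion_added")
        if hits:
            alerts.append((i, hits))
    return alerts


# Constructed sample telemetry: one benign developer build followed by three
# events shaped like the chain the article describes.
_FX = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
_PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ProcEvent(_FX, f'"{_FX}" C:\\src\\app\\app.csproj',
              r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe"),
    # Legitimate binary, but launched by PowerShell on a v.proj dropped in %TEMP%.
    ProcEvent(_FX, f'"{_FX}" C:\\Users\\alice\\AppData\\Local\\Temp\\v.proj', _PS),
    # MSBuild.exe copied to a public folder and run from cmd.
    ProcEvent(r"C:\Users\Public\MSBuild.exe",
              r"C:\Users\Public\MSBuild.exe C:\Users\Public\build.proj",
              r"C:\Windows\System32\cmd.exe"),
    # Exclusion added for a user-writable directory.
    ProcEvent(_PS, r'powershell.exe -NoProfile -Command "Add-MpPreference -ExclusionPath C:\Users\Public"',
              r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(rules)}")
```

The parent-process rule is the one with the best signal-to-noise ratio on non-developer endpoints such as a hotel's front-desk machines, where a build engine has no business running at all; on developer workstations, tune EXPECTED_MSBUILD_DIRS and consider suppressing the script-host rule for known CI agents rather than disabling it globally.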