A sophisticated new malware campaign is actively targeting the hospitality industry by leveraging deceptive Blue Screen of Death (BSOD) warnings and legitimate Microsoft build tools to bypass security defenses and deploy the potent DCRat remote access trojan. This operation, identified as PHALT#BLYX, utilizes convincing phishing emails impersonating reservation cancellations to trick employees into executing malicious code, posing a significant threat to businesses reliant on online booking platforms.
The attack chain begins with employees of hospitality businesses receiving emails disguised as reservation alerts from platforms such as Booking.com. The messages are designed to induce panic by highlighting alarming charges exceeding €1,000 and urge the recipient to click a “See Details” link to verify them. Instead of leading to genuine booking information, the link takes victims to carefully crafted fake websites that mimic the real Booking.com interface, down to brand colors, fonts, and logos.
Multi-Stage Infection Process and Defense Evasion Tactics
Once on the fraudulent page, victims see a simulated browser loading error, quickly followed by a convincing fake Blue Screen of Death. The “glitch” then instructs users to press Windows key + R, paste the clipboard contents, and hit Enter; the page has already placed a command on the clipboard, so the user ends up running it themselves. This technique, known as ClickFix, tricks users into manually executing PowerShell commands. In this campaign the commands download malicious project files and launch them with MSBuild.exe, a legitimate, Microsoft-signed compilation tool. Researchers at Securonix, who have been tracking the campaign, note that it has evolved from simpler HTML Application (HTA) delivery to the current MSBuild-based infection chain, a deliberate shift towards “Living off the Land” techniques to evade traditional antivirus detection.
The PowerShell dropper works in stages and performs several actions in parallel. It opens a legitimate Booking.com admin page in the background as a decoy while searching the system for MSBuild.exe. It then downloads a project file, typically named v.proj, from attacker-controlled infrastructure and launches it with MSBuild.exe. Because MSBuild.exe is a Microsoft-signed binary, its execution is often not flagged by application allow-listing or endpoint security products that trust Microsoft-signed code. Note that Microsoft lists MSBuild.exe among the binaries its recommended WDAC block rules deny for exactly this reason, so a policy that applies those rules does block this step; a policy that simply trusts the Microsoft signature does not. This reliance on legitimate system utilities is a key part of the campaign’s defense evasion.
The v.proj file contains embedded PowerShell with one crucial job: disabling Windows Defender protections. It does so by adding exclusions for the entire ProgramData directory and for specific file extensions, including .exe, .ps1, and .proj. This preparatory step lets the final payload be downloaded and stored on the victim’s system without being quarantined. Changing Defender exclusions requires administrator rights, and Defender records each change as a configuration-change event (event ID 5007) in its operational log, which makes such entries a useful detection point. The malware then attempts to gain elevated privileges through what Securonix calls “UAC spam tactics,” bombarding the user with repeated pop-ups demanding administrator rights until they give in.
After establishing persistence by dropping Internet Shortcut (.url) files in the Startup folder, the malware deploys staxs.exe, a heavily obfuscated variant of the DCRat trojan. The payload uses AES-256 encryption with PBKDF2 key derivation and connects to command-and-control (C2) servers at domains such as asj77.com, asj88.com, and asj99.com over port 3535. To further mask its activity, DCRat injects itself into legitimate system processes such as aspnet_compiler.exe via process hollowing, hiding its operations behind trusted Windows binaries. aspnet_compiler.exe is a .NET Framework build-time utility with no reason to make outbound network connections, so traffic originating from it is itself a strong anomaly.
DCRat Capabilities and Data Exfiltration
The deployed DCRat trojan is equipped with a wide range of malicious capabilities. These include keylogging to capture user keystrokes, remote desktop access allowing operators to control the compromised system, process injection for stealthy execution, and the ability to download and execute secondary payloads. Notably, DCRat can deploy cryptocurrency miners, further monetizing the compromise for attackers. Before deploying these additional tools, the malware meticulously collects comprehensive system fingerprints. This includes hardware identifiers, installed antivirus software, active window titles, and current domain membership status. This intelligence is then transmitted back to the operators, enabling them to assess the victim’s value and tailor subsequent attacks, which could include credential theft, lateral movement across the network, or the deployment of ransomware.
The presence of Russian language strings within the malware’s code suggests a potential connection to Russian-speaking threat groups, who are known to widely distribute DCRat on underground forums. The sophistication of the PHALT#BLYX campaign, combining social engineering with advanced technical evasion methods, highlights the persistent and evolving threat posed by remote access trojans to businesses of all sizes, particularly those operating in sectors with high volumes of online transactions and customer data.
Given how these attack vectors keep evolving, organizations should prioritize phishing-awareness training that specifically covers ClickFix-style prompts (no legitimate site asks users to paste commands into the Run dialog), and should ensure endpoint security is up to date and configured to detect behaviors associated with “Living off the Land” techniques: MSBuild.exe spawned by PowerShell, Defender exclusion changes, and shortcut files appearing in Startup folders. Continuous monitoring of network traffic for connections to known malicious domains, such as those identified in this campaign, is also crucial. The reliance on legitimate build tools like MSBuild.exe defeats signature-based detection, so behavioral analysis and anomaly detection are needed alongside it.
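As an added example (not part of the Securonix research or of the original article), the following Python script shows what behavioral detection of the infection chain described above can look like. It runs five rules over a constructed set of Sysmon-style events mirroring the stages of the chain (MSBuild launched from PowerShell on a project under ProgramData, broad Defender exclusions, a .url file written to Startup, aspnet_compiler.exe started by a non-Microsoft parent and calling out to asj77.com on port 3535), then correlates hits per host so that a lone MSBuild run by a developer does not alert. The event field names, hostnames, timestamps and file paths are assumptions; only the domains, port, file names and techniques come from the write-up.

```python
"""Behavioral detection of the PHALT#BLYX-style chain over constructed Sysmon-like events.

Added example. The event schema (simplified from Sysmon and Defender operational-log
fields), hosts, timestamps and paths are assumptions; indicators come from the write-up.
"""
import re
from datetime import datetime, timedelta

# Indicators from the write-up.
C2_DOMAINS = {"asj77.com", "asj88.com", "asj99.com"}
C2_PORT = 3535

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
WRITABLE_DIR_RE = re.compile(r"\\(ProgramData|Users\\[^\\]+\\AppData|Temp)\\", re.IGNORECASE)
STARTUP_URL_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.url$", re.IGNORECASE)
# Exclusions the campaign adds; Defender logs each as a configuration change (event ID 5007).
BROAD_EXCLUSION_RE = re.compile(
    r"Exclusions\\(Paths\\C:\\ProgramData|Extensions\\(exe|ps1|proj))\b", re.IGNORECASE)

# Constructed sample telemetry (assumption: simplified Sysmon-like fields, one infected host
# plus one developer host running MSBuild legitimately).
EVENTS = [
    {"ts": "2025-01-10T09:00:00", "host": "FRONTDESK-01", "type": "process_create",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "powershell -w hidden -c <pasted>"},
    {"ts": "2025-01-10T09:00:05", "host": "FRONTDESK-01", "type": "process_create",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"MSBuild.exe C:\ProgramData\v.proj"},
    {"ts": "2025-01-10T09:00:09", "host": "FRONTDESK-01", "type": "defender_config_change",
     "new_value": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData = 0x0"},
    {"ts": "2025-01-10T09:00:10", "host": "FRONTDESK-01", "type": "defender_config_change",
     "new_value": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions\proj = 0x0"},
    {"ts": "2025-01-10T09:01:00", "host": "FRONTDESK-01", "type": "file_create",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "target": r"C:\Users\fd\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\upd.url"},
    {"ts": "2025-01-10T09:02:00", "host": "FRONTDESK-01", "type": "process_create",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe",
     "parent": r"C:\ProgramData\staxs.exe", "cmdline": "aspnet_compiler.exe"},
    {"ts": "2025-01-10T09:02:03", "host": "FRONTDESK-01", "type": "network_connect",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe",
     "dest_host": "asj77.com", "dest_port": 3535},
    {"ts": "2025-01-10T09:05:00", "host": "DEV-07", "type": "process_create",  # benign build
     "image": r"C:\Program Files\Microsoft Visual Studio\2022\Professional\MSBuild\Current\Bin\MSBuild.exe",
     "parent": r"C:\Program Files\Microsoft Visual Studio\2022\Professional\Common7\IDE\devenv.exe",
     "cmdline": r"MSBuild.exe C:\src\app\app.csproj"},
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def rule_msbuild_from_script_host(e):
    """MSBuild launched by a script host, or on a project file in a user-writable directory."""
    if e["type"] != "process_create" or basename(e["image"]) != "msbuild.exe":
        return None
    if basename(e["parent"]) in SCRIPT_HOSTS:
        return "lolbin_msbuild_from_script_host"
    if WRITABLE_DIR_RE.search(e["cmdline"]):
        return "msbuild_project_in_writable_dir"
    return None


def rule_defender_exclusion(e):
    """Broad Defender exclusion added (ProgramData, or the .exe/.ps1/.proj extensions)."""
    if e["type"] == "defender_config_change" and BROAD_EXCLUSION_RE.search(e["new_value"]):
        return "defender_broad_exclusion_added"
    return None


def rule_startup_url(e):
    """Internet Shortcut dropped into a Startup folder (persistence)."""
    if e["type"] == "file_create" and STARTUP_URL_RE.search(e["target"]):
        return "startup_folder_url_persistence"
    return None


def rule_hollowed_dotnet_tool(e):
    """aspnet_compiler.exe is a build-time tool: odd parents or any network use is suspicious."""
    if basename(e.get("image", "")) != "aspnet_compiler.exe":
        return None
    if e["type"] == "network_connect":
        return "dotnet_tool_network_connection"
    if e["type"] == "process_create" and not e["parent"].lower().startswith(
            ("c:\\windows\\", "c:\\program files")):
        return "dotnet_tool_unusual_parent"
    return None


def rule_c2_ioc(e):
    """Known C2 domain or port from the campaign."""
    if e["type"] == "network_connect" and (
            e["dest_host"].lower() in C2_DOMAINS or e["dest_port"] == C2_PORT):
        return "known_c2_indicator"
    return None


RULES = [rule_msbuild_from_script_host, rule_defender_exclusion, rule_startup_url,
         rule_hollowed_dotnet_tool, rule_c2_ioc]


def evaluate(events):
    """Apply every rule to every event; one finding per (event, rule) hit."""
    findings = []
    for e in events:
        for rule in RULES:
            name = rule(e)
            if name:
                findings.append({"host": e["host"], "ts": e["ts"], "rule": name})
    return findings


def correlate(findings, window=timedelta(minutes=10), min_stages=3):
    """Per host, alert when at least min_stages distinct rules fire inside one sliding window."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f["host"], []).append(f)
    alerts = {}
    for host, hits in by_host.items():
        hits.sort(key=lambda f: f["ts"])
        for i, first in enumerate(hits):
            t0 = datetime.fromisoformat(first["ts"])
            stages = {f["rule"] for f in hits[i:] if datetime.fromisoformat(f["ts"]) - t0 <= window}
            if len(stages) >= min_stages:
                alerts[host] = sorted(stages)
                break
    return alerts


if __name__ == "__main__":
    hits = evaluate(EVENTS)
    for h in hits:
        print(f'{h["ts"]} {h["host"]} {h["rule"]}')
    print("chain alerts:", correlate(hits))
```

Each rule on its own is tunable noise (MSBuild from a script host does happen on build servers); the correlation step is what turns the individual hits into a high-confidence alert, since a developer host produces at most one stage while the infected host produces six within two minutes. In production the same rules map directly onto Sysmon event IDs 1, 11 and 3 and Defender event ID 5007.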