FortiGuard Labs recently uncovered a sophisticated email phishing campaign that exploits fake hotel booking information to trick victims into downloading a malicious PDF. In this campaign, the attackers send phishing emails, posing as a company inquiring about room availability in December.
The emails contain fraudulent hotel booking details for the holiday season, accompanied by a malicious PDF file that has a hidden downloader link. The PDF file, when opened, downloads a .NET executable file created with PowerGUI.
This executable file runs a PowerShell script, which then fetches the final payload – a malware known as MrAnon Stealer. MrAnon Stealer is a Python-based information stealer that is compressed with cx-Freeze to avoid detection. It is designed to steal various types of sensitive information from victims, including credentials, system information, browser sessions, and cryptocurrency extensions.
The attackers use deceptive tactics throughout the infection chain. The initial phishing email appears as a legitimate inquiry about hotel room availability, and the malicious PDF file is disguised as a hotel booking document. The .NET executable and PowerShell script further disguise the malicious activities, making it challenging for users and security systems to detect the threat.
The telemetry data suggests that Germany was the primary target of this phishing campaign, as the downloader URL was mostly queried in that region. The attackers demonstrated increased activity and aggressiveness in November 2023, as reflected in the rise in queries for the malicious URL during that month. This discovery highlights the evolving tactics of cybercriminals who leverage social engineering and sophisticated malware to target individuals and organizations.
It underscores the importance of user awareness, email security measures, and robust endpoint protection to defend against such phishing campaigns and prevent the compromise of sensitive data. Organizations should remain vigilant, regularly update their security protocols, and educate users to recognize and report suspicious emails to mitigate the risks associated with these types of cyber threats.
Referral link
