RevengeHotels: cybercrime targeting hotel front desks worldwide
Quote:
RevengeHotels is a targeted cybercrime malware campaign against hotels, hostels, hospitality and tourism companies, mainly, but not exclusively, located in Brazil. We have confirmed more than 20 hotels that are victims of the group, located in eight states in Brazil, but also in other countries such as Argentina, Bolivia, Chile, Costa Rica, France, Italy, Mexico, Portugal, Spain, Thailand and Turkey. The goal of the campaign is to capture credit card data from guests and travelers stored in hotel systems, as well as credit card data received from popular online travel agencies (OTAs) such as Booking.com.

The main attack vector is via email with crafted Word, Excel or PDF documents attached. Some of them exploit CVE-2017-0199, loading it using VBS and PowerShell scripts and then installing customized versions of RevengeRAT, NjRAT, NanoCoreRAT, 888 RAT and other custom malware such as ProCC in the victim’s machine. The group has been active since 2015, but increased its attacks in 2019.

In our research, we were also able to track two groups targeting the hospitality sector, using separate but similar infrastructure, tools and techniques. PaloAlto has already written about one of them. We named the first group RevengeHotels, and the second ProCC. These groups use a lot of social engineering in their attacks, asking for a quote from what appears to be a government entity or private company wanting to make a reservation for a large number of people. Their infrastructure also relies on the use of dynamic DNS services pointing to commercial hosting and self-hosted servers. They also sell credentials from the affected systems, allowing other cybercriminals to have remote access to hotel front desks infected by the campaign.

We monitored the activities of these groups and the new malware they are creating for over a year. With a high degree of confidence, we can confirm that at least two distinct groups are focused on attacking this sector; there is also a third group, though it is unclear if its focus is solely on this sector or if it carries out other types of attacks.

Not the quotation you’re expecting

One of the tactics used in operations by these groups is highly targeted spear-phishing messages. They register typo-squatting domains, impersonating legitimate companies. The emails are well written, with an abundance of detail. They explain why the company has chosen to book that particular hotel. By checking the sender information, it’s possible to determine whether the company actually exists. However, there is a small difference between the domain used to send the email and the real one.

This spear-phishing message, written in Portuguese, has a malicious file attached misusing the name of a real attorney office, while the domain sender of the message was registered one day before, using a typo-squatting domain. The group goes further in its social engineering effort: to convince the hotel personnel about the legitimacy of their request, a copy of the National Registry of Legal Entities card (CNPJ) is attached to the quotation.

The attached file, Reserva Advogados Associados.docx (Attorneys Associates Reservation.docx), is a malicious Word file that drops a remote OLE object via template injection to execute macro code. The macro code inside the remote OLE document contains PowerShell commands that download and execute the final payload.

In the RevengeHotels campaign, the downloaded files are .NET binaries protected with the Yoda Obfuscator. After unpacking them, the code is recognizable as the commercial RAT RevengeRAT. An additional module written by the group called ScreenBooking is used to capture credit card data. It monitors whether the user is browsing the web page. In the initial versions, back in 2016, the downloaded files from RevengeHotels campaigns were divided into two modules: a backdoor and a module to capture screenshots. Recently we noticed that these modules had been merged into a single backdoor module able to collect data from clipboard and capture screenshots.

In this example, the webpage that the attacker is monitoring is booking.com (more specifically, the page containing the card details). The code is specifically looking for data in Portuguese and English, allowing the attackers to steal credit card data from web pages written in these languages.

In the ProCC campaigns, the downloaded files are Delphi binaries. The backdoor installed in the machine is more customized than that used by RevengeHotels: it’s developed from scratch and is able to collect data from the clipboard and printer spooler, and capture screenshots. Because the personnel in charge of confirming reservations usually need to pull credit card data from OTA websites, it’s possible to collect card numbers by monitoring the clipboard and the documents sent to the printer.

A bad guy’s concierge

According to the relevant underground forums and messaging groups, these criminals also infect front desk machines in order to capture credentials from the hotel administration software; they can then steal credit card details from it too. Some criminals also sell remote access to these systems, acting as a concierge for other cybercriminals by giving them permanent access to steal new data by themselves.

Some Brazilian criminals tout credit card data extracted from a hotel’s system as high quality and reliable because it was extracted from a trusted source, i.e., a hotel administration system.
...
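The template-injection step in the quoted article (a .docx whose relationship parts point Word at a remote template that carries the macro) is something a mail gateway or sandbox can check for statically. The following Python is an added example, not code from the article or from this forum post; it constructs a minimal .docx in memory with a placeholder external attachedTemplate target and scans every .rels part for relationships that resolve outside the package.

```python
import io
import re
import zipfile

# Relationship types that make Word fetch content from elsewhere when the file
# opens; an External attachedTemplate in word/_rels/settings.xml.rels is the
# remote-template injection technique the RevengeHotels write-up describes.
HIGH_RISK_TYPES = {"attachedTemplate", "oleObject", "frame", "subDocument"}

REL_RE = re.compile(r"<Relationship\b[^>]*>", re.IGNORECASE)
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')


def find_remote_relationships(docx_bytes):
    """Return (rels_part, rel_type, target, risk) for every relationship that
    resolves outside the package, ignoring ordinary hyperlinks."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            xml = z.read(name).decode("utf-8", errors="replace")
            for tag in REL_RE.findall(xml):
                attrs = dict(ATTR_RE.findall(tag))
                if attrs.get("TargetMode", "").lower() != "external":
                    continue
                rel_type = attrs.get("Type", "").rsplit("/", 1)[-1]
                if rel_type == "hyperlink":
                    continue  # clickable links are normal in business documents
                risk = "high" if rel_type in HIGH_RISK_TYPES else "review"
                hits.append((name, rel_type, attrs.get("Target", ""), risk))
    return hits


def build_sample_docx(template_url=None):
    """Constructed test input: a minimal .docx, optionally carrying an external
    attachedTemplate relationship (placeholder URL, not a real indicator)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        rels = '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        if template_url:
            rels += ('<Relationship Id="rId1" TargetMode="External" Target="%s" '
                     'Type="http://schemas.openxmlformats.org/officeDocument/2006/'
                     'relationships/attachedTemplate"/>' % template_url)
        rels += "</Relationships>"
        z.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()
```

Run `find_remote_relationships(open("suspect.docx", "rb").read())` against a real attachment; any "high" hit is worth detonating in a sandbox before it reaches the front desk.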