TechRadar
Sead Fadilpašić

Hackers use 'Blue Screen of Death' malware to target victims

  • Russian-linked cybercriminals are running a new ClickFix campaign against European hotels and hospitality firms
  • Victims receive fake booking emails leading to a bogus “Blue Screen of Death” that prompts them to run malicious scripts
  • The malware disables Windows Defender, steals credentials, and clipboard data

Russian cybercriminals are trying to deploy backdoors and infostealers on people’s computers through a new ClickFix campaign - but this one comes with a sinister twist.

ClickFix attacks are usually centered around pop-ups - the victim gets an error message and, at the same time, is offered a fix. That "fix", whether it is running a command or downloading a piece of software, is actually the step in which the victims install the malware themselves.

This campaign, focusing on European hotels and the wider hospitality industry, is just a little different, Securonix researchers said.

Fake BSOD

It starts the usual way - the victim gets an email stating that something is wrong with their latest booking, and that they need to act urgently or they will lose their reservation, be charged extra, or suffer some similar consequence. The email is designed to look as if it is coming from a popular booking service and comes with a "See Details" button - and that is where the scam happens.

Clicking the button first displays a "loading is taking too long" message, after which a fake Blue Screen of Death (BSOD) appears. The idea of a bricked computer, at a sensitive moment when money and reservations are on the line, is strategically placed to make the victim panic and rush to fix things. As usual with ClickFix attacks, the BSOD window also comes with a "solution", and in this case it is to run a script through the Windows Run dialog.

This script downloads the malware and other malicious tools, disables Windows Defender, and displays the real booking website to throw the victim off. There doesn’t seem to be a specific name for the malware, but the researchers are saying it works as an infostealer, grabbing passwords, clipboard data, and other information.

For Securonix, the campaign is “a sophisticated evolution in commodity malware delivery.”

“The psychological manipulation, combined with the abuse of trusted system binaries like `MSBuild.exe`, allows the infection to establish a foothold deep within the victim’s system before traditional defenses can react,” the researchers said.

“The technical complexity of the infection chain reveals a clear intent to evade detection and maintain long-term persistence.”
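The chain described above leaves three telemetry tells a defender can key on: a hidden-window script host spawned by explorer.exe (what the Run dialog launches), Windows Defender tampering from that script, and MSBuild.exe being started by a script host or pointed at a project in a user-writable path. The detector below is an added example, not code from Securonix or TechRadar; the event field names and the sample events are assumptions, constructed to resemble Sysmon process-creation records rather than taken from the campaign.

```python
from dataclasses import dataclass

# Process-creation events in Sysmon Event ID 1 style; field names are assumptions.
@dataclass
class ProcEvent:
    image: str
    parent_image: str
    command_line: str

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
DEFENDER_TAMPER = ("set-mppreference", "add-mppreference", "disablerealtimemonitoring", "exclusionpath")
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(ev: ProcEvent) -> list[str]:
    """Return the labels this event triggers (empty list for benign events)."""
    child, parent, cl = basename(ev.image), basename(ev.parent_image), ev.command_line.lower()
    findings = []
    # 1. Whatever the victim pastes into the Run dialog is spawned by explorer.exe;
    #    a hidden-window script host under explorer is the ClickFix "fix" step.
    if parent == "explorer.exe" and child in SCRIPT_HOSTS and "hidden" in cl:
        findings.append("run_dialog_hidden_script_host")
    # 2. The script disables Defender; these cmdlet/parameter names are the usual tamper tell.
    if child in SCRIPT_HOSTS and any(k in cl for k in DEFENDER_TAMPER):
        findings.append("defender_tamper")
    # 3. MSBuild.exe is a trusted, signed build tool; being launched by a script host,
    #    or compiling a project from a user-writable path, is not how builds normally run.
    if child == "msbuild.exe":
        if parent in SCRIPT_HOSTS:
            findings.append("msbuild_from_script_host")
        if any(d in cl for d in USER_WRITABLE):
            findings.append("msbuild_user_writable_project")
    return findings

def scan(events: list[ProcEvent]) -> dict[int, list[str]]:
    """Map event index -> findings, keeping only events that triggered something."""
    return {i: f for i, ev in enumerate(events) if (f := classify(ev))}

# Constructed sample events (not real telemetry from the campaign).
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"C:\Windows\explorer.exe",
              'powershell.exe -NoProfile -WindowStyle Hidden -Command "Set-MpPreference -DisableRealtimeMonitoring $true"'),
    ProcEvent(r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"MSBuild.exe C:\Users\Public\Libraries\update.xml"),
    ProcEvent(r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
              r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe", r"MSBuild.exe C:\src\app\app.csproj"),
    ProcEvent(r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe", "notepad.exe notes.txt"),
]

if __name__ == "__main__":
    for i, f in scan(SAMPLE_EVENTS).items():
        print(i, f)
```

Only the first two constructed events fire; the legitimate Visual Studio build and the Notepad launch from explorer.exe stay silent, which is the point of keying on parent process and path rather than on the binary name alone.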

Via The Record
