Technical Analysis of Suspicious Emails Targeting the Hotel Industry
Detection stack
- AIDR
- Alert
- ETL
- Query
Summary
A sophisticated multi-stage malware campaign is targeting the hotel sector through emails disguised as Booking.com notifications. The intrusion chain combines malicious LNK files, PowerShell scripts, and a Node.js-based remote access trojan known as TonRAT. One of the most notable aspects of the operation is its use of The Open Network (TON) API to obtain command-and-control domains dynamically, which makes traditional domain-based blocking less reliable.
Investigation
The investigation uncovered a layered execution flow in which an initial ZIP archive contains an LNK file that launches PowerShell to retrieve a secondary script. That script decrypts a JavaScript payload identified as TonRAT using AES and runs it through a legitimate Node.js runtime downloaded from nodejs.org. Once active, the malware initiates WebSocket-based command-and-control communications using domain information pulled from TON blockchain API requests.
Mitigation
Recommended defenses include restricting PowerShell execution, closely monitoring for unauthorized use of the Node.js runtime (node.exe), and detecting abnormal WebSocket traffic. Organizations should also watch for connections to the TON API, including tonapi.io, and strengthen email filtering to catch spoofed domains, suspicious attachments, and phishing lures aimed at hotel staff.
Response
If compromise is suspected, security teams should isolate the affected endpoint immediately to prevent additional command-and-control traffic and possible data exfiltration. PowerShell operational logs and process execution records should be reviewed for unauthorized node.exe activity. A forensic sweep should also be performed for the known TonRAT JavaScript hashes, along with investigation of any connections to the identified command-and-control infrastructure.
```mermaid
graph TB
    %% Class Definitions Section
    classDef action fill:#99ccff
    classDef tool fill:#cccccc
    classDef malware fill:#ff9999
    classDef process fill:#ccffcc

    %% Node Definitions
    action_phishing["<b>Action</b> - <b id='T1566.002'>T1566.002 Phishing: Spearphishing Link</b><br/>Description: Attackers send emails impersonating Booking.com<br/>containing links to download a malicious ZIP file."]
    class action_phishing action

    action_execution["<b id='T1204.002'>T1204.002 User Execution: Malicious File</b><br/>Description: User executes a .lnk file contained within the ZIP archive."]
    class action_execution action

    process_cmd["<b id='T1059.003'>T1059.003 Command and Scripting Interpreter: Windows Command Shell</b><br/>Description: Triggered via PowerShell command using Invoke-WebRequest<br/>to download a secondary script."]
    class process_cmd process

    malware_script["<b id='T1027'>T1027 Obfuscated Files or Information</b><br/>Description: PowerShell script LE3f0MRT.ps1 uses AES encryption<br/>to decrypt a JavaScript file (TonRAT)."]
    class malware_script malware

    action_transfer["<b id='T1105'>T1105 Ingress Tool Transfer</b><br/>Description: Malware downloads a legitimate Node.js runtime<br/>from nodejs.org to execute the payload."]
    class action_transfer action

    action_indirect["<b id='T1202'>T1202 Indirect Command Execution</b><br/>Description: Used to maintain persistence and evade detection."]
    class action_indirect action

    action_resolution["<b id='T1568'>T1568 Dynamic Resolution</b><br/>Description: Queries the TON API (tonapi.io) to retrieve<br/>the Command and Control C2 domain."]
    class action_resolution action

    malware_tonrat["<b id='T1568'>T1568 Command and Control</b><br/>Description: TonRAT establishes communication via WebSocket<br/>using an ECDH handshake for encrypted C2."]
    class malware_tonrat malware

    %% Connections
    action_phishing -->|leads_to| action_execution
    action_execution -->|triggers| process_cmd
    process_cmd -->|downloads| malware_script
    malware_script -->|performs| action_transfer
    action_transfer -->|enables| action_indirect
    action_indirect -->|performs| action_resolution
    action_resolution -->|resolves_C2_for| malware_tonrat
    malware_tonrat -->|allows| action_indirect
```
Attack Flow
Detections
- The Possibility of Execution Through Hidden PowerShell Command Lines (via cmdline)
- Possible PowerShell Obfuscation Indicators (via powershell)
- Possible Persistence Points [ASEPs - Software/NTUSER Hive] (via registry_event)
- PowerShell Executing File In Suspicious Directory Using Bypass Execution Policy (via cmdline)
- NodeJS Binary Executing From Uncommon Location (via cmdline)
- Windows Defender Preferences Suspicious Changes (via powershell)
- Suspicious Command and Control by Unusual Top Level Domain (TLD) DNS Request (via dns)
- WebSocket C2 Communication Detected via TON API in TonRAT [Windows Network Connection]
- PowerShell Command for Malicious File Download and Execution [Windows PowerShell]
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.
- Attack Narrative & Commands: The adversary aims to establish a WebSocket-based Command and Control (C2) channel. To blend in with legitimate traffic, the malware first queries the tonapi.io service to resolve its C2 infrastructure. Once the "legitimate" API interaction is established, the malware initiates a WebSocket handshake (wss://) to the hardcoded malicious domain zloapobikahy23.bond. This sequence is designed to leverage the reputation of the TON API to mask the subsequent malicious connection.
- Regression Test Script:

```powershell
# Simulation of TonRAT WebSocket C2 Communication

# Step 1: Simulate interaction with the TON API
Write-Host "[+] Simulating interaction with tonapi.io..."
$api_url = "https://tonapi.io/v2/blockchain/accounts/EQ..."
try {
    Invoke-WebRequest -Uri $api_url -Method Get -UseBasicParsing | Out-Null
} catch {
    # The placeholder account path will not resolve; the request itself is the telemetry we want
    Write-Host "[!] TON API request failed, continuing to the WebSocket step."
}

# Step 2: Simulate WebSocket connection to the malicious C2 domain
# Note: We use a PowerShell client to initiate a WSS request to trigger the 'wss://' and domain logic
Write-Host "[+] Simulating WebSocket connection to malicious domain..."
$c2_url = "wss://zloapobikahy23.bond/control"

# Using a .NET WebSockets client to ensure 'wss://' is present in the telemetry
$ws  = New-Object System.Net.WebSockets.ClientWebSocket
$cts = New-Object System.Threading.CancellationTokenSource
$uri = New-Object System.Uri($c2_url)
try {
    $task = $ws.ConnectAsync($uri, $cts.Token)
    # We don't need a successful connection, just the attempt to generate the log
    $task.Wait(5000)
} catch {
    Write-Host "[!] Connection failed as expected (domain does not exist), but telemetry should be generated."
} finally {
    $ws.Dispose()
}
```

- Cleanup Commands:

```powershell
# No persistent artifacts are created by this script, but we clear the console
Clear-Host
Write-Host "Simulation cleanup complete."
```
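The two detection ideas this page relies on, node.exe running from an uncommon location and a wss:// connection to an unusual TLD shortly after a tonapi.io request from the same host, can be expressed as a small correlation rule. The following is an added example written for this page, not the vendor's detection logic or any code from the campaign; the sample events, host names, timestamps and the event-line format are constructed, and the "uncommon location" and "unusual TLD" lists are assumptions to be tuned per environment.

```python
import re
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs): timestamp|host|event_type|key=value
SAMPLE_EVENTS = """\
2024-01-01T10:00:00|FRONTDESK-01|process|image=C:\\Users\\guest\\AppData\\Local\\Temp\\node.exe
2024-01-01T10:00:05|FRONTDESK-01|netconn|url=https://tonapi.io/v2/blockchain/accounts/EQ...
2024-01-01T10:00:09|FRONTDESK-01|netconn|url=wss://zloapobikahy23.bond/control
2024-01-01T10:05:00|DEV-BOX|process|image=C:\\Program Files\\nodejs\\node.exe
2024-01-01T10:05:02|DEV-BOX|netconn|url=wss://example.com/socket
"""

# Assumed baseline: where a legitimately installed Node.js runtime normally lives
COMMON_NODE_DIRS = ("c:\\program files\\nodejs\\", "c:\\program files (x86)\\nodejs\\")
UNUSUAL_TLDS = {"bond"}          # assumed watchlist; the page's C2 domain uses .bond
WINDOW = timedelta(minutes=2)    # assumed correlation window between TON API call and wss://

def parse(line):
    """Turn one constructed event line into a dict with a parsed timestamp."""
    ts, host, kind, kv = line.split("|", 3)
    key, val = kv.split("=", 1)
    return {"ts": datetime.fromisoformat(ts), "host": host, "kind": kind, key: val}

def node_from_uncommon_location(ev):
    img = ev.get("image", "").lower()
    return ev["kind"] == "process" and img.endswith("\\node.exe") \
        and not img.startswith(COMMON_NODE_DIRS)

def tld(url):
    host = re.match(r"^[a-z]+://([^/:]+)", url.lower()).group(1)
    return host.rsplit(".", 1)[-1]

def detect(events_text):
    """Return (host, rule) alerts; keeps per-host state of the last tonapi.io request."""
    alerts, last_tonapi = [], {}
    for line in events_text.splitlines():
        ev = parse(line)
        if node_from_uncommon_location(ev):
            alerts.append((ev["host"], "node.exe from uncommon location"))
        url = ev.get("url", "")
        if ev["kind"] == "netconn" and "tonapi.io" in url:
            last_tonapi[ev["host"]] = ev["ts"]
        if url.startswith("wss://"):
            seen = last_tonapi.get(ev["host"])
            if seen and ev["ts"] - seen <= WINDOW and tld(url) in UNUSUAL_TLDS:
                alerts.append((ev["host"], "wss C2 to unusual TLD after tonapi.io lookup"))
    return alerts

if __name__ == "__main__":
    for host, rule in detect(SAMPLE_EVENTS):
        print(f"ALERT {host}: {rule}")
```

DEV-BOX in the sample produces no alert: its node.exe sits in the standard install path and its WebSocket goes to a common TLD without a preceding TON API request.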