Full Report
Microsoft is warning that an ongoing phishing campaign impersonating Booking.com is using ClickFix social engineering attacks to infect hospitality workers with various malware, including infostealers and RATs. [...]
Analysis Summary
# Incident Report: ClickFix Phishing Campaign Delivering Stealers and RATs
## Executive Summary
This incident involves a highly deceptive phishing campaign impersonating Booking.com, attributed to threat group Storm-1865, designed to trick users into executing malicious commands via the Windows Run dialog. The primary impact involves the deployment of various information-stealing malware and Remote Access Trojans (RATs), such as XWorm, Lumma stealer, and VenomRAT, leading to potential financial data and credential theft across targeted organizations. Response recommendations focus heavily on user education regarding suspicious urgent calls to action and independent verification of email links.
## Incident Details
- Discovery Date: Not explicitly stated, but findings published following analysis (Date of Microsoft report/publication is March 13, 2025, based on linked articles).
- Incident Date: Ongoing campaign execution when reported.
- Affected Organization: Unspecified target organizations/users receiving the phishing emails.
- Sector: General users/Any sector susceptible to credential theft via travel-related phishing.
- Geography: Not specified, likely global given the nature of the phishing campaign.
## Timeline of Events
### Initial Access
- Date/Time: Campaign active during reporting period.
- Vector: Email phishing campaign impersonating Booking.com alerts regarding account status or pending actions.
- Details: Emails prompt the user to perform a "human verification" step. This step involves copying a malicious `mshta.exe` command to the Windows clipboard and instructing the user (who only sees keyboard shortcuts, not the content) to paste it into the Windows Run dialog and execute it.
### Lateral Movement
- Details: The immediate execution of the initial payload (`mshta.exe` running a malicious HTML file) downloads and installs secondary payloads (RATs and Stealers). The report implies persistent compromise rather than broad internal lateral movement, focusing primarily on beaconing and establishing remote access/data collection on the initial endpoint.
### Data Exfiltration/Impact
- Details: The deployed malware (XWorm, Lumma stealer, VenomRAT, AsyncRAT, Danabot, NetSupport RAT) is primarily focused on stealing financial data and user credentials for fraudulent use.
### Detection & Response
- Detection: Incident details stem from an analysis published by Microsoft.
- Response Actions: Not explicitly detailed for a single organization, but general recommendations for defense are provided based on threat intelligence analysis.
## Attack Methodology
- Initial Access: Phishing via emails impersonating Booking.com, exploiting user trust and lack of technical knowledge regarding clipboard contents.
- Persistence: Established via the execution of downloaded RATs and stealer malware on the endpoint.
- Privilege Escalation: Not specified, but implied that the execution via `mshta.exe` on the user's desktop gains appropriate local execution rights.
- Defense Evasion: Exploiting the fact that users likely do not see the *actual* command content being copied to the clipboard when instructed to paste.
- Credential Access: Directly performed by deployed malware like Lumma Stealer and Danabot.
- Discovery: Likely performed by capabilities within the deployed RATs (e.g., reconnaissance, system info gathering).
- Lateral Movement: Not specified as a primary phase, focus is on endpoint compromise.
- Collection: Financial data and general credentials targeted by the installed malware suite.
- Exfiltration: Handled by the specific RAT or Stealer payloads deployed (e.g., XWorm, VenomRAT).
- Impact: Financial fraud and account takeover resulting from credential theft.
## Impact Assessment
- Financial: High potential for financial loss or fraud due to credential theft.
- Data Breach: Credentials and financial data are the primary targets.
- Operational: Potential operational disruption on compromised endpoints due to persistent remote access and background data collection.
- Reputational: Negative impact on affected users/organizations due to the security breakdown.
## Indicators of Compromise
- Network Indicators: Undisclosed/Defanged (Payloads download from attacker servers).
- File Indicators: Malicious file executed by `mshta.exe` (A malicious HTML file).
- Behavioral Indicators: User executing commands pasted from the clipboard via the Windows Run dialog in response to an external prompt; execution of `mshta.exe` downloading payloads such as PowerShell, JavaScript, or PE content.
## Response Actions
- Containment measures: Not specified for a specific victim.
- Eradication steps: Not specified for a specific victim.
- Recovery actions: Not specified for a specific victim.
## Lessons Learned
- User temptation via urgent, tailored phishing lures (Booking.com theme) is highly effective.
- UI/UX design choices (like not showing clipboard contents in the Run dialog prompt) can be exploited by sophisticated social engineering.
- The use of native Windows utilities like `mshta.exe` to execute remote HTML content remains a powerful execution chain.
## Recommendations
- **Email Verification:** Always confirm the legitimacy of the sender's email address, particularly for urgent messages concerning account status.
- **Independent Verification:** Verify Booking.com account status or alerts by navigating directly to the official platform website, not by clicking links or following instructions within the suspicious email.
- **User Training:** Educate users, especially those less technical, about the dangers of pasting unsolicited commands into the Run dialog, emphasizing that they should never execute code they cannot visually inspect.