Full Report
Microsoft has shed light on an ongoing phishing campaign that targeted the hospitality sector by impersonating online travel agency Booking.com using an increasingly popular social engineering technique called ClickFix to deliver credential-stealing malware. The activity, the tech giant said, started in December 2024 and operates with the end goal of conducting financial fraud and theft. It's
Analysis Summary
# Incident Report: Storm-1865 ClickFix Phishing Campaign Targeting Hospitality Sector
## Executive Summary
Microsoft is tracking an ongoing phishing campaign, attributed to the threat actor it tracks as Storm-1865, that began in December 2024 and targets hospitality organizations globally. Attackers use the social engineering technique "ClickFix," impersonating Booking.com to trick victims into executing credential-stealing malware from a fake CAPTCHA page. The primary goal of the campaign is financial fraud and data theft, using commodity malware such as XWorm and Lumma Stealer.
## Incident Details
- **Discovery Date:** Reported by Microsoft starting March 13, 2025 (Campaign active since December 2024).
- **Incident Date:** Ongoing, started December 2024.
- **Affected Organization:** Individuals within the hospitality sector.
- **Sector:** Hospitality/Online Travel Agency (OTA) users.
- **Geography:** North America, Oceania, South and Southeast Asia, and various regions across Europe.
## Timeline of Events
### Initial Access
- **Date/Time:** Started December 2024.
- **Vector:** Malicious email impersonating Booking.com, citing a negative guest review that supposedly requires the recipient's response.
- **Details:** Emails contain a link or a PDF with a link that directs the victim to a fake CAPTCHA verification page overlaying a partially visible Booking.com background.
### Lateral Movement
- Not explicitly detailed for this specific campaign phase, but the deployed payload includes RATs and stealers capable of extensive system compromise (XWorm, VenomRAT, AsyncRAT).
### Data Exfiltration/Impact
- **Goal:** Financial fraud and theft of data accessed via compromised credentials.
- **Payloads Deployed:** XWorm, Lumma stealer, VenomRAT, AsyncRAT, Danabot, and NetSupport RAT.
### Detection & Response
- **How it was discovered:** Detected and reported by Microsoft security researchers.
- **Response actions taken:** Attribution to threat actor Storm-1865 and public disclosure of the TTPs to aid defense across the industry.
## Attack Methodology
- **Initial Access:** Phishing emails impersonating Booking.com regarding negative reviews.
- **Persistence:** Not specified, likely achieved via installed RATs/information stealers.
- **Privilege Escalation:** Not explicitly detailed; execution via `mshta.exe` runs under the victim's existing user permissions, so no escalation is indicated.
- **Defense Evasion:** Utilizing the ClickFix technique, which relies on user interaction (copy/paste/launch command) to bypass automated security controls.
- **Credential Access:** Primary objective, achieved via deployed information stealers (e.g., Lumma Stealer, Danabot).
- **Discovery:** Not detailed, but typical of deployed RATs/Stealers post-infection.
- **Lateral Movement:** Implied via RAT deployment capabilities.
- **Collection:** Stealing credentials and potentially payment data (based on past actor behavior).
- **Exfiltration:** Not explicitly detailed, but standard for credential stealing operations.
- **Impact:** Financial fraud resulting from access to compromised accounts.
## Impact Assessment
- **Financial:** High potential for financial fraud and theft due to credential compromise.
- **Data Breach:** Credential data, potentially including payment information and internal organizational data.
- **Operational:** Disruption to hospitality organizations handling guest bookings and reservations.
- **Reputational:** Damage to the trust associated with users interacting with Booking.com and targeted companies.
## Indicators of Compromise
- **Network indicators:** N/A (Defanged IOCs not provided in the source material).
- **File indicators:** Payloads include commodity malware: XWorm, Lumma stealer, VenomRAT, AsyncRAT, Danabot, NetSupport RAT, SMOKESABER (downloader in related campaigns).
- **Behavioral indicators:** User opening the Run dialog (Win+R), pasting text copied from a web page into it, and thereby launching a command that invokes `mshta.exe`.
## Response Actions
- **Containment measures:** Not detailed in the source, but would involve isolating infected hosts and blocking C2 traffic.
- **Eradication steps:** Removal of dropped malware payloads and credential exfiltration tools.
- **Recovery actions:** Password resets for all potentially compromised accounts across affected hospitality organizations.
## Lessons Learned
- The ClickFix social engineering technique is highly effective as it shifts the execution burden onto the user, often bypassing traditional email and malware defenses that scan attachments/links directly.
- Threat actors (cybercriminals and APTs alike, e.g., APT28, MuddyWater) are rapidly adopting this low-barrier-to-entry TTP.
- Trust in popular platforms (like Booking.com) is being heavily abused for initial access.
## Recommendations
- Enhance security awareness training, focusing specifically on requests to paste and run commands in the Run dialog, particularly when framed as CAPTCHA or error "fixes".
- Implement application control or endpoint detection and response (EDR) solutions capable of monitoring and restricting suspicious usage of native binaries like `mshta.exe` for multi-stage execution.
- Review email gateway filters for heuristic improvements targeting social engineering cues that suggest manipulation rather than simple malicious links (e.g., instructions within the body requesting manual command execution).
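As an added defender-side example (not code from Microsoft's report or from the article), the following Python scans process-creation telemetry for the `mshta.exe` behaviour described under Behavioral Indicators and targeted by the EDR recommendation above: `mshta.exe` started from the user's shell (how a Win+R launch appears) and/or handed a remote URL on its command line. The event format (one JSON object per line, loosely modelled on Sysmon Event ID 1), field names, host names, user names and URLs are all constructed for this illustration; the list of shell parents is an assumption about how a Run-dialog launch shows up in telemetry.

```python
"""Flag ClickFix-style mshta.exe launches in process-creation telemetry.

Added example, not from Microsoft's report: the event schema is a simplified
process-creation record and every sample event below is constructed.
"""
import json
import re
from dataclasses import dataclass

# Assumption: a command typed into Win+R is spawned by the user's shell, so the
# parent image is explorer.exe. Combined with a remote URL on the mshta.exe
# command line this is the behavioural pattern in the report, not a file IoC.
RUN_DIALOG_PARENTS = {"explorer.exe"}
REMOTE_URL = re.compile(r"(?i)\bhttps?://[^\s\"']+")
SCRIPT_PROTOCOL = re.compile(r"(?i)\b(javascript|vbscript):")

# Constructed sample telemetry (RFC 2606 reserved domains; no real indicators).
SAMPLE_EVENTS = r"""
{"ts":"2025-03-13T09:14:02Z","host":"FD-01","user":"frontdesk","image":"C:\\Windows\\System32\\mshta.exe","cmdline":"mshta.exe https://verify-step.example.invalid/check","parent":"C:\\Windows\\explorer.exe"}
{"ts":"2025-03-13T09:15:40Z","host":"FD-02","user":"frontdesk","image":"C:\\Windows\\System32\\mshta.exe","cmdline":"mshta.exe C:\\Program Files\\Vendor\\setup.hta","parent":"C:\\Program Files\\Vendor\\installer.exe"}
{"ts":"2025-03-13T09:16:11Z","host":"FD-01","user":"frontdesk","image":"C:\\Windows\\System32\\notepad.exe","cmdline":"notepad.exe","parent":"C:\\Windows\\explorer.exe"}
{"ts":"2025-03-13T09:17:55Z","host":"FD-03","user":"manager","image":"C:\\Windows\\SysWOW64\\mshta.exe","cmdline":"mshta.exe https://review-portal.example.invalid/feedback","parent":"C:\\Windows\\System32\\cmd.exe"}
"""


@dataclass(frozen=True)
class Finding:
    ts: str
    host: str
    user: str
    severity: str
    reasons: tuple


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def assess_event(ev: dict):
    """Return a Finding for a suspicious mshta.exe launch, else None."""
    if basename(ev["image"]) != "mshta.exe":
        return None
    reasons = []
    if basename(ev["parent"]) in RUN_DIALOG_PARENTS:
        reasons.append("launched from user shell (consistent with Win+R)")
    if REMOTE_URL.search(ev["cmdline"]):
        reasons.append("remote URL on command line")
    if SCRIPT_PROTOCOL.search(ev["cmdline"]):
        reasons.append("inline script protocol on command line")
    if not reasons:
        # e.g. an installer running a local .hta: legitimate mshta.exe use
        return None
    severity = "high" if len(reasons) >= 2 else "medium"
    return Finding(ev["ts"], ev["host"], ev["user"], severity, tuple(reasons))


def scan(jsonl: str) -> list:
    """Run assess_event over JSON-lines telemetry and collect findings."""
    findings = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        finding = assess_event(json.loads(line))
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.severity.upper()}] {f.ts} {f.host}/{f.user}: " + "; ".join(f.reasons))
```

The installer-launched local `.hta` is deliberately left unflagged so the rule does not simply alert on every `mshta.exe` start; the explorer.exe parent plus a remote URL is what separates a Run-dialog ClickFix launch from routine use, and a URL alone from another parent is reported at lower severity for analyst review.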