Socprime
Phishing Campaign Targets Japanese Hotels with Multi-Stage Malware
A phishing campaign impersonating Booking.com has targeted hotel operators in Japan with emails carrying malicious attachments. The infection chain is multi-stage: a ZIP archive contains a malicious LNK shortcut, the shortcut launches PowerShell, and the PowerShell stage deploys TonRAT, a Node.js-based remote access trojan. TonRAT does not carry a hard-coded command-and-control address; it obtains a WebSocket endpoint at runtime through the TON API. Because the C2 location is resolved dynamically rather than embedded in the binary, static domain blocklists are less effective against it, and the malware's lookups against the TON API are themselves worth watching.

Recommended defenses include blocking suspicious links, monitoring PowerShell activity, restricting execution of untrusted scripts and shortcut files, strengthening email filtering, and isolating affected endpoints. The underlying investigation provides file hashes and command-and-control domains for further analysis.
Key Points:
• Phishing emails disguised as Booking.com notifications target Japanese hotels.
• The attack uses a multi-stage chain (ZIP archive, LNK shortcut, PowerShell) to deploy the TonRAT malware.
• Defenders should monitor for unusual PowerShell activity and restrict execution of LNK files.
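The article and its key points both recommend monitoring PowerShell activity for this ZIP, LNK, PowerShell, Node.js chain. The following Python script is an added example, not part of the SOC Prime page or of any published TonRAT detection: it triages Windows process-creation events (field names follow the Sysmon Event ID 1 schema, the sample records are constructed) and flags a PowerShell process that looks like a shortcut-launched stager, then any direct child it spawns from a user-writable path. The heuristics are generic (encoded or hidden PowerShell started by explorer.exe, a working directory inside the Windows shell's temporary ZIP extraction folder) and encode no TonRAT-specific indicator; the process names, paths and command lines are assumptions made for the example.

```python
"""Triage Windows process-creation events for a ZIP -> LNK -> PowerShell -> RAT chain.

Added example (not SOC Prime's content). Field names follow the Sysmon Event ID 1
schema; the sample events are constructed; the heuristics are generic.
"""
import re
from dataclasses import dataclass

PS_NAMES = {"powershell.exe", "pwsh.exe"}

# Command-line traits a shortcut-launched PowerShell stager commonly carries.
SUSPICIOUS_ARGS = {
    "encoded_command": re.compile(r"(?i)(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}"),
    "hidden_window":   re.compile(r"(?i)(?:^|\s)-w(?:indowstyle)?\s+h(?:idden)?\b"),
    "policy_bypass":   re.compile(r"(?i)(?:^|\s)-e(?:p|xecutionpolicy)\s+bypass\b"),
    "no_profile":      re.compile(r"(?i)(?:^|\s)-nop(?:rofile)?\b"),
    "download_cradle": re.compile(r"(?i)DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient"),
}
# The Windows shell extracts a double-clicked ZIP entry to %TEMP%\TempN_<archive>.zip\
ZIP_TEMP = re.compile(r"(?i)\\Temp\d*_[^\\]+\.zip(?:\\|$)")
USER_WRITABLE = re.compile(r"(?i)\\(?:AppData|Temp|Downloads|Public)\\")

# Constructed sample events: one malicious chain plus a benign admin script run.
SAMPLE_EVENTS = [
    {"ProcessId": 4100, "ParentProcessId": 880, "Image": r"C:\Windows\explorer.exe",
     "CommandLine": "explorer.exe", "CurrentDirectory": r"C:\Users\frontdesk"},
    {"ProcessId": 5212, "ParentProcessId": 4100,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
     "CurrentDirectory": r"C:\Users\frontdesk\AppData\Local\Temp\Temp1_Booking_Reservation.zip"},
    {"ProcessId": 6001, "ParentProcessId": 5212,
     "Image": r"C:\Users\frontdesk\AppData\Roaming\svc\node.exe",
     "CommandLine": r"node.exe C:\Users\frontdesk\AppData\Roaming\svc\index.js",
     "CurrentDirectory": r"C:\Users\frontdesk\AppData\Roaming\svc"},
    {"ProcessId": 7100, "ParentProcessId": 880, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe", "CurrentDirectory": r"C:\Scripts"},
    {"ProcessId": 7300, "ParentProcessId": 7100,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\Scripts\Rotate-Logs.ps1",
     "CurrentDirectory": r"C:\Scripts"},
]


@dataclass
class Finding:
    pid: int
    image: str
    reasons: list
    chain: list  # image basenames from the oldest recorded ancestor down to pid


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(by_pid, pid):
    """Walk ParentProcessId links to rebuild the launch chain for pid."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid]["Image"]))
        pid = by_pid[pid]["ParentProcessId"]
    return chain[::-1]


def triage(events, threshold=2):
    by_pid = {e["ProcessId"]: e for e in events}
    flagged = {}
    # Pass 1: PowerShell processes that look like a shortcut-launched stager.
    for ev in events:
        if basename(ev["Image"]) not in PS_NAMES:
            continue
        reasons = [k for k, rx in SUSPICIOUS_ARGS.items() if rx.search(ev["CommandLine"])]
        parent = by_pid.get(ev["ParentProcessId"])
        if parent and basename(parent["Image"]) == "explorer.exe":
            reasons.append("powershell_from_explorer")  # user double-click, e.g. an LNK
        if ZIP_TEMP.search(ev.get("CurrentDirectory", "")):
            reasons.append("cwd_in_zip_temp_folder")
        if len(reasons) >= threshold:
            pid = ev["ProcessId"]
            flagged[pid] = Finding(pid, ev["Image"], reasons, ancestry(by_pid, pid))
    # Pass 2: payloads a flagged PowerShell starts from a user-writable location.
    for ev in events:
        pid = ev["ProcessId"]
        if pid in flagged or ev["ParentProcessId"] not in flagged:
            continue
        if USER_WRITABLE.search(ev["Image"]):
            reasons = ["child_of_flagged_powershell", "image_in_user_writable_path"]
            flagged[pid] = Finding(pid, ev["Image"], reasons, ancestry(by_pid, pid))
    return sorted(flagged.values(), key=lambda f: f.pid)


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"PID {f.pid}: {' -> '.join(f.chain)}\n    reasons: {', '.join(f.reasons)}")
```

Run as a script, it reports the explorer.exe to powershell.exe to node.exe chain and leaves the console-launched administrative script alone; on real telemetry the threshold and the user-writable path list are the knobs to tune against your own baseline of legitimate PowerShell use.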