Fraudsters launched an attack campaign that distributed phishing emails designed to target the hotel industry in North America.In summer 2019, researchers at 360 Security Center
discovered that bad actors had sent attack emails to financial personnel working at various hotels throughout North America. These emails informed recipients that their organizations had not paid for certain services. They then instructed these individuals to open the attached document and review what they claimed was an invoice.
A copy of the phishing email. (Source: 360 Security Center)Good morning,The attached are outstanding in our system.Would it be possible to validate when the payment will be issued whenever you have a chance?In the meantime if you have any questions, feel free to contact us.Thank you and have a great day!Account/InvoicingThe attachment that came with each of these phishing emails was a zip archive. It contained extracted shortcuts carrying a PowerShell script. Once executed, that script downloaded and executed http[:]//bit[dot]do/e2VHR, which concealed the location http[:]//13.67[dot]107[dot]73:80/amtq/out-441441271[dot]ps1. This process dropped a releaser trojan for the purpose of running psd.exe, an executable which used multiple layers of obfuscation to ultimately load NetWiredRC.Security researchers have been tracking NetWiredRC since at least 2013. Some versions
of the threat enable digital attackers to gain unauthorized access of an infected computer. In the attack detected by 360 Security Center, however, the threat allowed bad actors to perform malicious actions on an infected computer such as simulating mouse and keyboard clicks as well as downloading and running executables.This attack campaign highlights the ..