Fake Windows BSOD Screens Used in ClickFix Attacks on Hotels

A new social engineering campaign is targeting the European hospitality sector by using deceptive Blue Screen of Death (BSOD) screens to trick users into installing malware. The attacks begin with phishing emails that impersonate Booking.com, notifying a hotel of a significant reservation cancellation and refund. Clicking the link leads to a convincing fake Booking.com website, which then triggers a full-screen replica of a Windows crash screen.

This fraudulent BSOD display instructs the user to open the Windows Run dialog and paste a pre-copied command, a technique known as a "ClickFix" attack. The provided command executes a PowerShell script that downloads and compiles a malicious .NET project in the background using the legitimate Windows MSBuild compiler. Simultaneously, a decoy Booking.com admin page opens to distract the victim.

The payload establishes persistence, adds Windows Defender exclusions, and elevates privileges before deploying the DCRAT remote access trojan. This malware provides attackers with full remote control, including keylogging and reverse shell capabilities, and was observed installing a cryptocurrency miner. This campaign demonstrates how sophisticated social engineering can bypass user caution by mimicking critical system errors.
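One way to hunt for the chain described above, as an added example that is not from the original article: it walks process-creation telemetry to flag MSBuild running beneath a command shell that Explorer started (which is what a Run-dialog paste produces) and Defender exclusion changes in the same tree. The event field names, sample events and alert names are constructed, and the `Add-MpPreference` match is an assumption, since the article does not say how the payload adds its exclusions.

```python
import ntpath

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
MSB = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
# Constructed process-creation events (hypothetical field names), not campaign data.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 4, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": PS, "cmd": "powershell <pasted command>"},
    {"pid": 300, "ppid": 200, "image": MSB, "cmd": "MSBuild.exe <project file>"},
    {"pid": 400, "ppid": 300, "image": PS,
     "cmd": r"powershell Add-MpPreference -ExclusionPath C:\placeholder"},
    # Benign contrast: an IDE driving a build, no shell launched by Explorer.
    {"pid": 500, "ppid": 100, "image": r"C:\IDE\devenv.exe", "cmd": "devenv.exe"},
    {"pid": 600, "ppid": 500, "image": MSB, "cmd": "MSBuild.exe app.sln"},
]
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}

def proc_name(ev):
    # ntpath parses Windows paths regardless of the analysis host's OS.
    return ntpath.basename(ev["image"]).lower()

def ancestors(ev, by_pid):
    """Yield parent, grandparent, ... and stop on unknown or looping pids."""
    seen = set()
    while ev["ppid"] in by_pid and ev["ppid"] not in seen:
        seen.add(ev["ppid"])
        ev = by_pid[ev["ppid"]]
        yield ev

def detect(events):
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for ev in events:
        names = [proc_name(ev)] + [proc_name(a) for a in ancestors(ev, by_pid)]
        # Lineage must contain a shell whose direct parent is explorer.exe.
        if not any(c in SHELLS and p == "explorer.exe"
                   for c, p in zip(names, names[1:])):
            continue
        cmd = ev["cmd"].lower()
        if names[0] == "msbuild.exe":
            alerts.append(("msbuild_under_interactive_shell", ev["pid"]))
        if "add-mppreference" in cmd and "-exclusion" in cmd:
            alerts.append(("defender_exclusion_added", ev["pid"]))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Developers who run MSBuild by hand from an interactive shell will also match the first rule, so on build machines it needs an allowlist or a second condition before it pages anyone.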
