Skip to content ↓ | Skip to navigation ↓

Fraudsters launched an attack campaign that distributed phishing emails designed to target the hotel industry in North America.

In summer 2019, researchers at 360 Security Center discovered that bad actors had sent attack emails to financial personnel working at various hotels throughout North America. These emails informed recipients that their organizations had not paid for certain services. They then instructed these individuals to open the attached document and review what they claimed was an invoice.

A copy of the phishing email. (Source: 360 Security Center)

Good morning,

The attached are outstanding in our system.

Would it be possible to validate when the payment will be issued whenever you have a chance?

In the meantime if you have any questions, feel free to contact us.

Thank you and have a great day!

Account/Invoicing

The attachment that came with each of these phishing emails was a zip archive. It contained extracted shortcuts carrying a PowerShell script. Once executed, that script downloaded and executed http[:]//bit[dot]do/e2VHR, which concealed the location http[:]//13.67[dot]107[dot]73:80/amtq/out-441441271[dot]ps1. This process dropped a releaser trojan for the purpose of running psd.exe, an executable which used multiple layers of obfuscation to ultimately load NetWiredRC.

Security researchers have been tracking NetWiredRC since at least 2013. Some versions of the threat enable digital attackers to gain unauthorized access of an infected computer. In the attack detected by 360 Security Center, however, the threat allowed bad actors to perform malicious actions on an infected computer such as simulating mouse and keyboard clicks as well as downloading and running executables.

This attack campaign highlights the importance of organizations being able to defend themselves against phishing attacks. Towards that end, they should invest in a security awareness training program that educates their employees about some of the most common types of phishing campaigns. They should also invest in a solution that’s capable of defending them against known malware and zero-day attacks.