Hotel reservation phishing scam spreads MrAnon Stealer

Thanks to the work of FortiGuard Labs, a new and insidious phishing campaign has been identified.

The campaign uses emails with fake hotel reservations as the main vector to lure potential victims, then offers them a malicious PDF that contains the MrAnon Stealer malware.

Using a cunning social engineering strategy, the cybercriminals pass themselves off as a company that manages hotel reservations. The email usually carries text referring to an unspecified request for room availability in December. The message itself contains data from a fictitious booking, complete with a downloadable PDF attachment.

Needless to say, opening the document starts a destructive process that affects the computer used. Specifically, the process involves .NET executable files, followed by a PowerShell script and further stages. The infection culminates in the activation of MrAnon Stealer, an infostealer based on Python.

MrAnon Stealer alert: cryptocurrencies (and not only) in the sights of malware

The malware in question operates discreetly, easily getting past the most widespread detection systems. MrAnon Stealer lets its operators capture screenshots of the targeted computer and perform other invasive actions, such as retrieving the IP address and stealing sensitive data from various software. Among the infostealer's main targets, however, are cryptocurrency wallets.

By disguising the connection to the affected system as legitimate, the cybercriminals have total freedom of action and can draw on, among other things, the browser, which is notoriously full of valuable personal information. Once stolen, the "loot" is compressed, protected with a password and uploaded to a website controlled by the cybercriminals. To monitor the activity of MrAnon Stealer, they use a Telegram channel through a bot token.
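The upload-then-Telegram sequence described above can be hunted for in web proxy logs. The following is an added example, not code from the article or from FortiGuard Labs: it flags any Telegram Bot API call and raises the severity when the same host uploaded a large archive shortly before. It assumes a TLS-inspecting proxy that records full URLs; the log format, host names, URLs, tokens and thresholds are all constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Telegram Bot API URL shape: https://api.telegram.org/bot<id>:<secret>/<method>
BOT_URL = re.compile(r"https://api\.telegram\.org/bot(\d+):[\w-]+/(\w+)")
ARCHIVE_TYPES = {"application/zip", "application/x-zip-compressed", "application/octet-stream"}
WINDOW = timedelta(minutes=5)   # assumed correlation window
MIN_UPLOAD = 100_000            # assumed minimum upload size in bytes

# Constructed sample proxy log (time-ordered): time host method url content_type bytes_out
SAMPLE_LOG = """\
2023-12-01T10:00:05 ws-014 GET https://intranet.example/home text/html 512
2023-12-01T10:02:11 ws-014 POST https://upload.example.net/f application/zip 4815162
2023-12-01T10:02:19 ws-014 POST https://api.telegram.org/bot123456789:AAExampleConstructedTokenValue000000/sendMessage application/json 830
2023-12-01T10:07:40 ws-022 POST https://api.telegram.org/bot987654321:AAAnotherConstructedTokenValue1111/sendMessage application/json 410
2023-12-01T11:30:00 ws-031 POST https://backup.example.org/put application/zip 9000000
"""

def parse(log):
    for line in log.splitlines():
        ts, host, method, url, ctype, size = line.split()
        yield {"ts": datetime.fromisoformat(ts), "host": host, "method": method,
               "url": url, "ctype": ctype, "bytes": int(size)}

def redact(url):
    # Keep the bot id for pivoting; never write the secret part of the token to alerts.
    return BOT_URL.sub(r"https://api.telegram.org/bot\1:<redacted>/\2", url)

def find_exfil_then_notify(log):
    uploads, alerts = {}, []
    for ev in parse(log):
        m = BOT_URL.match(ev["url"])
        if m:
            last = uploads.get(ev["host"])
            correlated = bool(last and ev["ts"] - last["ts"] <= WINDOW)
            alerts.append({"host": ev["host"], "bot_id": m.group(1),
                           "severity": "high" if correlated else "medium",
                           "upload_url": last["url"] if correlated else None,
                           "telegram": redact(ev["url"])})
        elif (ev["method"] == "POST" and ev["ctype"] in ARCHIVE_TYPES
              and ev["bytes"] >= MIN_UPLOAD):
            uploads[ev["host"]] = ev   # remember the latest large archive upload per host
    return alerts

if __name__ == "__main__":
    for alert in find_exfil_then_notify(SAMPLE_LOG):
        print(alert)
```

A host with an archive upload but no Telegram call (ws-031 in the sample) produces no alert, which keeps ordinary backup traffic out of the results.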

This campaign is not the first to target hotels and similar establishments. Just a few days ago, in fact, even an important platform like Booking was the victim of a similar action.
