The "I Paid Twice" campaign represents a paradigm shift in cybercriminal operations, moving from broad phishing to a targeted, multi-faceted attack on the digital trust chain within the hospitality industry. This report provides a forensic-level dissection of the attack lifecycle, from initial social engineering to final monetization.
The sophisticated interplay of the ClickFix social engineering technique, the PureRAT malware-as-a-service (MaaS) platform, and a specialized criminal underground economy, this Threatfeed illuminates the technical nuances that make this campaign both highly effective and resilient.
Attack Ecosystem
The campaign is not a singular attack but a criminal enterprise with distinct, specialized roles. It systematically targets hotels to compromise their Booking.com accounts, subsequently using that access to defraud customers. The technical execution reveals a high degree of professionalism, leveraging known techniques in novel combinations.
- Primary Vector: Spear-phishing against hotel staff.
- Key Malware: PureRAT, a .NET-based Remote Access Trojan.
- Monetization Method: Business Email Compromise (BEC)-style fraud against hotel guests.
- Ecosystem Support: Underground markets for credentials, malware distribution, and verification tools.
Dissection of the Attack Chain
The attack can be segmented into four distinct, interconnected phases, as illustrated below, forming a complete cyber kill chain.
flowchart TD
subgraph A [Phase 1: Initial Compromise]
direction LR
A1[Spear-phishing Email] --> A2[Redirection Chain TDS] --> A3[ClickFix Lure]
end
subgraph B [Phase 2: Malware Deployment]
direction LR
B1[PowerShell Execution] --> B2[Reconnaissance] --> B3[Persistence &<br>DLL Side-Loading]
end
subgraph C [Phase 3: Persistence & C2]
C1[PureRAT MaaS] --> C2[C2 Communication]
end
subgraph D [Phase 4: Monetization]
direction LR
D1[Credential Theft] --> D2[Guest Fraud]
end
A --> B --> C --> D
Initial Compromise & ClickFix Lure
This phase relies entirely on sophisticated social engineering to induce a user-initiated code execution.
- Weaponized Communication:
- Source: Emails originate from previously compromised, legitimate email accounts of other hotels, bypassing reputation-based filters.
- Lure Content: Impersonates Booking.com with subjects like "New guest message about reservation – Tracking code: [Unique ID]". This creates a sense of urgency and legitimacy.
- Traffic Distribution System (TDS):
- The link within the email does not point directly to the payload. It leads to a redirection chain. Analysis shows the initial domain uses JavaScript to check the `window.self !== window.top` condition, forcing a navigation if loaded in an iframe. This anti-analysis technique helps evade sandboxed environments.
- This TDS infrastructure, potentially a paid service, obscures the final payload URL and provides resilience against takedowns.
- The ClickFix Technique (Core Innovation):
- The final landing page is a highly convincing clone of a Booking.com login portal, complete with branding.
- A fake CAPTCHA is presented. The critical element is a JavaScript function that automatically copies a malicious PowerShell command to the victim's clipboard upon loading the page.
- The user is then instructed (via on-screen text) to press `Win + R`, paste the command, and press Enter. This technique is highly effective because it:
- Bypasses Email Filters: No malicious attachment is sent.
- Exploits User Trust: The request appears to be a legitimate troubleshooting step.
- Achieves Code Execution: It directly leverages the user's authority to run system commands.
Malware Deployment & Persistence
The execution of the pasted command initiates an automated, fileless deployment sequence.
- Scripted Payload Retrieval:
- The initial PowerShell command is a download cradle that fetches a second, more complex PowerShell script from the attacker's server.
- This secondary script performs reconnaissance, collecting system data (Hostname, Username, OS, AV product) and exfiltrating it to the C2 server.
- Payload Delivery and Composition:
- The script then downloads a ZIP archive containing:
- One legitimate, signed executable (e.g., `libcef.dll` or `AudioSession.exe`).
- Three malicious DLLs.
- The files are extracted to a user-writable directory, typically `%AppData%\Local`.
- Persistence and Execution Mechanism:
- Persistence: Established via a Run Registry Key and a shortcut in the Startup folder.
- DLL Side-Loading: The legitimate executable is vulnerable to DLL hijacking. When executed, it attempts to load a required DLL from its local directory. Instead, it loads the malicious DLL placed there by the attacker.
- Fileless Loading: The malicious DLL acts as a loader, which then reflectively loads the PureRAT payload directly into memory. This avoids writing the primary malware binary to disk, evading signature-based detection.
Command and Control with PureRAT
PureRAT is a fully-featured MaaS platform, providing the attackers with deep and persistent access.
- Core Capabilities: The RAT provides a comprehensive suite of spying and control functions, including:
- Remote Desktop Control (VNC-like)
- Keylogging and File System Management
- Webcam and Microphone Capture
- Traffic Proxying (enabling attackers to use the victim's network)
- Data Exfiltration
- Modular Architecture: PureRAT uses a plugin system. The core agent can be instructed by the C2 server to download and execute additional modules, such as:
- `PluginRemoteDesktop`
- `PluginExecuting`
- `PluginFileManager`
This modularity makes the malware highly adaptable.
- Communication and Obfuscation:
- C2 Protocol: Communication with the C2 server (e.g., `45[.]142[.]166[.]73:56001`) is conducted over encrypted TLS sockets, blending with normal web traffic.
- Fingerprinting: Upon connection, the RAT transmits a detailed system fingerprint to the C2.
- Obfuscation: The PureRAT payload is protected by .NET Reactor, a commercial obfuscator that complicates static analysis and reverse engineering.
The "I Paid Twice" Fraud
With persistent access, the attackers shift to their primary financial goal.
- Credential Harvesting: Using keyloggers, memory dumpers, or simply browsing stolen files, attackers harvest credentials for the hotel's Booking.com extranet portal.
- The Fraudulent Act:
- Attackers access the portal using stolen cookies or credentials to view genuine, upcoming reservations.
- They impersonate the hotel and contact guests via WhatsApp or email, often just before check-in.
- The message claims a "problem with the bank" or a "security issue" and urges the guest to confirm their payment by wiring funds to a new, attacker-controlled bank account.
- The use of legitimate guest and reservation details makes the scam highly convincing, leading to victims paying twice.
Underlying Criminal Infrastructure
The campaign's efficiency stems from a professionalized cybercrime ecosystem.
- Credential Markets: Stolen Booking.com credentials are sold on underground forums like LolzTeam. Listings are detailed, including the number of views, last login, and price (typically $50-$500).
- Verification Tools: "Log checkers" are sold as services (e.g., ~$40) to automatically verify the validity of stolen credentials through proxies, ensuring they are valuable before purchase.
- Malware Distribution: The initial infection is potentially carried out by specialized actors known as "traffers" who are paid for successful installations.
A Multi-Layered Strategy
Defense requires a focus on the specific techniques used at each stage of the attack.
Table 1: MITRE ATT&CK Mapping and Mitigations
| Phase | Tactic | Technique (ID) | Mitigation Strategy |
|---|
| Initial Access | Phishing [T1566] | Spear-phishing Link [T1566.002] | User Training: Drill the "Never copy-paste & run commands" rule. Use email security that rewrites/checks URLs in real-time. |
| Execution | Execution [T1059] | PowerShell [T1059.001] | Restrict PowerShell: Constrain language mode. Log ScriptBlock logging. Use AMSI. |
| Persistence | Persistence [T1547] | Registry Run Keys [T1547.001] |
Proactive Hunting Tips:
- Hunt for ClickFix: Search for PowerShell commands with parameters like `-win normal -enc` (a base64 encoded command) in command-line logs.
- Hunt for PureRAT: Look for network connections on ports 56001-56003 and processes with names like `AudioSession.exe` making suspicious network calls.
- Monitor for Persistence: Audit Run keys and Startup folder contents for unexpected entries.
The "I Paid Twice" campaign is a potent reminder that modern cyber threats are complex, service-driven businesses. Its technical sophistication lies not in zero-day exploits, but in the masterful combination of social engineering ("ClickFix"), robust malware (PureRAT), and a specialized criminal economy. Defense is challenging but achievable through a layered security posture that emphasizes user awareness, strict application control, robust endpoint detection and response, and enforcement of security policies like MFA. Continuous threat intelligence regarding the evolving TTPs of such actors is paramount for organizations within the targeted sectors to protect their assets and, crucially, their customers' trust.