LTS Secure Warning: Attacker Targeting Hotel Industry In North America Via Phishing To Deploy NetWiredRC Trojan

Attackers are conducting a series of phishing attacks, carrying a malicious attachment, against the finance departments of hotel chains across North America to drop the powerful trojan “NetWiredRC”.

 

Technical Details

The first phase of the attack begins with emails carrying the malicious attachment being sent to the finance department of the target hotels. The email states that there are outstanding bills against part of the company’s service, which can be viewed in the attached Zip file.

Once the victim opens the zip file, a shortcut file is extracted onto the device. The shortcut icon is disguised as a bill so that it doesn’t raise any suspicion. Upon clicking the file, the trojan gets downloaded from the following URL: http[:]//13.67.107.73:80/amtq/out-441441271.ps1. The PowerShell script Out-441441271.ps1 is then used to release the .NET trojan psd.exe.

 

Impact

  • Disk & system information enumeration along with directory listing.
  • Capture screenshots.
  • Ability to create processes to achieve its goals.
  • Clone mouse and keyboard inputs.
  • Can find, read, write, delete, and copy files.
  • Steal sensitive/confidential information like login credentials of banking sites, cookies, etc.

 

Recommended Actions

  • Isolate all of the compromised computers ASAP to prevent threats from spreading further inside your infrastructure.
  • Never download any suspicious attachments or click on any shady-looking link. Make an effort to educate your users on how to identify malspam.
  • Always update your anti-virus software with the latest releases.
  • Periodically run a “full system scan” on your endpoints.
  • Configure your Firewall/IDS/IPS/Endpoint Protection systems properly so that no holes are left open.
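
One way to screen for the delivery method described under Technical Details (a Zip attachment that unpacks to a shortcut file) at a mail gateway or during triage, given as an added example that is not part of the original advisory. The function names, the nesting and size limits, and the sample file names are assumptions made for illustration; the sample archive is constructed and harmless.

```python
import io
import zipfile

# A Shell Link (.lnk) file starts with HeaderSize 0x4C and the LinkCLSID
# 00021401-0000-0000-C000-000000000046 (MS-SHLLINK file format).
LNK_MAGIC = bytes.fromhex("4c0000000114020000000000c000000000000046")
MAX_DEPTH = 3                   # assumption: nesting limit for inner archives
MAX_NESTED = 10 * 1024 * 1024   # assumption: largest inner archive unpacked


def find_shortcuts(zip_bytes, prefix="", depth=0):
    """Return [(path, reason)] for each shortcut inside a Zip attachment."""
    hits = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return hits
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            path, head = prefix + info.filename, b""
            if not info.flag_bits & 0x1:  # encrypted members are unreadable
                with archive.open(info) as member:
                    head = member.read(len(LNK_MAGIC))
            if head == LNK_MAGIC:
                # Content check also catches shortcuts renamed to hide them.
                hits.append((path, "shell-link header"))
            elif info.filename.lower().endswith(".lnk"):
                hits.append((path, ".lnk extension"))
            elif (head[:4] == b"PK\x03\x04" and depth < MAX_DEPTH
                  and info.file_size <= MAX_NESTED):
                hits += find_shortcuts(archive.read(info), path + "!", depth + 1)
    return hits


def build_sample():
    """Constructed, harmless sample archive (not the real attachment)."""
    fake_lnk = LNK_MAGIC + b"\x00" * 56   # 76-byte header only, no target
    inner, outer = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("scan.jpg", fake_lnk)  # shortcut hidden by renaming
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("Outstanding_Bill.pdf.lnk", fake_lnk)
        z.writestr("readme.txt", b"Please see the attached bill.")
        z.writestr("more.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for path, reason in find_shortcuts(build_sample()):
        print(f"FLAG {path}: {reason}")
```

Password-protected members cannot be inspected by content, so for those the check falls back to the file name only.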