A sophisticated malware campaign called PHALTBLYX has emerged, combining social engineering deception with advanced evasion techniques to compromise hospitality sector organizations. <\/p>\n
The attack chain begins with phishing emails impersonating Booking.com, featuring urgent reservation cancellation alerts with large financial charges displayed in euros. <\/p>\n
These messages direct victims to fake Booking.com<\/a> websites that appear visually identical to the legitimate service, exploiting user anxiety about fraudulent transactions.<\/p>\n The attack progresses through a carefully orchestrated series of stages designed to bypass traditional security controls. Once victims click the refresh button on the fake page, their browser displays a full-screen blue screen of death animation. <\/p>\n This simulated crash prompts users to follow on-screen instructions that involve pressing specific keyboard combinations. <\/p>\n Securonix analysts identified<\/a> that the malware silently copies a PowerShell command to the clipboard, which victims unknowingly execute when following the displayed instructions.<\/p>\n Securonix researchers noted that this click-fix social engineering<\/a> method represents a critical evolution in the attack\u2019s delivery mechanism. <\/p>\n The technique relies on manual user execution rather than automated processes, effectively circumventing security controls that would block script execution. <\/p>\n The malicious PowerShell command performs several functions, including opening the legitimate Booking.com admin page as a distraction while downloading an MSBuild project file from remote servers.<\/p>\n The infection mechanism leverages Microsoft\u2019s legitimate MSBuild.exe compiler to execute the downloaded v.proj file, a technique known as living off the land. <\/p>\n This approach allows malware to proxy<\/a> execution through trusted Windows utilities, often bypassing application whitelisting and antivirus detection. <\/p>\n Once executed, the malware disables Windows Defender by adding broad file extension exclusions and specific directory exclusions, ensuring subsequent payloads remain undetected.<\/p>\n The final payload is a customized variant of DCRat<\/a>, a remote access trojan capable of extensive system compromise. The RAT establishes persistence using internet shortcut files placed in the Windows startup folder, disguised as legitimate system utilities. <\/p>\n Upon connection to command and control servers, the malware collects comprehensive system information including hardware identification, operating system details, installed antivirus software, and active window titles.<\/p>\n The malware\u2019s capabilities include keylogging<\/a>, process injection into legitimate system binaries like aspnetcompiler.exe, and downloading additional malicious payloads. <\/p>\n The presence of Cyrillic language artifacts and Russian debugging strings strongly indicates Russian-speaking threat actors. Organizations should implement rigorous user awareness training regarding click-fix tactics and monitor suspicious MSBuild.exe executions originating from non-standard directories to detect and prevent similar attacks.<\/p>\n Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates<\/strong>,\u00a0Set CSN as a Preferred Source in\u00a0Google<\/a>.<\/strong><\/p>\n The post New ClickFix Attack Uses Fake Windows BSOD Screens to Trick Users into Executing Malicious Code<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"Fake](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEige1nJA5vNqXDxHbQ1-5zacClTfqhyP6uZj3y6sHga4qryA00hWtpTtCqzRyId4nQHg4LCvbokuF8UXOm77In-FCscQAF6mLl0sKvATRnBK-hrTYAWRRV5NdOB8WP_1KLP5i6KewSlNXzQzk2VoKmGDjJysMey6ioG85gywhN5qObtcEExL9enNt5SUF8\/s16000\/fake%2520Booking.com%2520website%2520%28Source%2520-%2520Securonix%29.webp?ssl=1\")
![\"Fake](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgyvJ10CMg6a8ai8UZbor2fJ5na6HJo7mBxHCY-Kr7nKVedGW8o6KpWebkMfVsp0IUT0Fo4_pjjVfUY207p0Z7zX6YOGprJlfljdHz6sG8PQ3H5KjUNikD5AgMxULeX3IB7BjtgpftHy86JzX5c4KKFKTgVRi6ldGI14ajITRWqJxl-oL5gDQJ-3P5ApfI\/s16000\/Fake%2520crash%2520screen%2520%28Source%2520-%2520Securonix%29.webp?ssl=1\")
Infection mechanism<\/strong><\/h2>\n
![\"V.proj](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiDR_sE24_JKQy9Mdx3zgMvtNAoIl-s2sFqte3JVlMLAWch696KjD9kCR7GzNG4j2nz6Vo-mls3AP1DoJY5RXog88MM3wcNwSuWdW-1CtoocTvUjwpOd7uc2U9ukelBoctQrzLvJ4AAUWL8jUQjJH2HwR0NsiIKaLbLpO3XAhEjnriwc3dhYQgnMn7rQ5g\/s16000\/V.proj%2520%28Source%2520-%2520Securonix%29.webp?ssl=1\")