A new social engineering campaign leverages a fake BSOD in browser tabs to deceive hotel staff into installing a remote access Trojan.
Campaign Mechanics
Labeled PHALT#BLYX, this campaign begins with phishing emails masquerading as travel booking cancellations. The emails lure victims into a staged login process that ultimately displays a full-screen, fake Blue Screen of Death (BSOD) in their browser.
- The BSOD is rendered inside a browser tab, a red flag, since a real BSOD is raised by the operating system and cannot be displayed by a web page.
- Victims are prompted to run commands via "ClickFix," mimicking a quick fix for the error.
- The commands rely on built-in Windows tools such as MSBuild and PowerShell, which, as legitimate signed Windows binaries, typically evade traditional antivirus detection.
- The payload is an obfuscated version of DCRat, enabling remote control, keylogging, and more.
Target and Techniques
The operation primarily targets European hotels and the hospitality sector, using euros and front-desk-specific content. The lures are timed around busy holiday seasons, increasing the sense of urgency for the staff who receive them.
- Red flags: a browser-hosted BSOD, command prompts via Run/PowerShell, pre-error CAPTCHA steps, and unexpected booking alerts.
- Recommended measures include training reservation teams on the risks of running commands from a browser and strengthening email defenses with standards such as DMARC, DKIM and SPF.
Mitigation and Response
Organizations are advised to train staff not to execute commands from a browser and to strengthen systems against such attacks. IT teams should focus on application control, limiting execution of MSBuild and PowerShell, and employing PowerShell Constrained Language Mode for non-admin users.
- Immediate actions for potential victims include closing the browser window (Alt+F4), disconnecting the network, and calling IT support.
- A full endpoint scan, a review of startup items, and a check of credentials are recommended.
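As an added example (not code from the article or from the researchers who reported the campaign), a small Python triage script that scores process-creation telemetry for the chain described above: a shell launched from the Run box or a browser, hidden or encoded PowerShell flags, and MSBuild run from PowerShell on a project file in a user-writable path. Field names follow Sysmon Event ID 1 conventions; the sample records, the path and flag patterns, and the lure command placeholder are constructed.

```python
"""Hypothetical ClickFix chain detector (constructed example, not the article's code).
Scores Sysmon Event ID 1 style records: explorer.exe/browser -> hidden PowerShell -> MSBuild on a user-writable project file."""
import re
# Binaries the campaign abuses, and the interactive parents a paste-and-run lure starts them from.
LOLBINS = {"powershell.exe", "pwsh.exe", "msbuild.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
INTERACTIVE_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
# MSBuild project files belong in source trees or build tool chains, not profile/temp directories.
USER_WRITABLE = re.compile(r"\\(Users\\[^\\]+\\(AppData|Downloads|Desktop)|Windows\\Temp|ProgramData)\\", re.I)
# Hidden window, no profile, or encoded command: typical of commands a victim is told to paste.
SUSPICIOUS_PS_FLAGS = re.compile(r"(^|\s)-(w(indowstyle)?\s+hidden|e(nc|ncodedcommand)?\b|nop(rofile)?\b)", re.I)

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def score_event(ev: dict[str, str]) -> list[str]:
    """Return the names of the rules one process-creation event matches."""
    image, parent, cmd = basename(ev["Image"]), basename(ev["ParentImage"]), ev["CommandLine"]
    hits = []
    if image in LOLBINS and parent in INTERACTIVE_PARENTS:
        hits.append("lolbin_from_interactive_parent")
    if image in SHELLS and SUSPICIOUS_PS_FLAGS.search(cmd):
        hits.append("powershell_hidden_or_encoded")
    if image == "msbuild.exe" and parent in SHELLS:
        hits.append("msbuild_spawned_by_powershell")
    if image == "msbuild.exe" and USER_WRITABLE.search(cmd):
        hits.append("msbuild_project_in_user_writable_path")
    return hits

def triage(events: list[dict[str, str]]) -> dict[str, list[str]]:
    """Map ProcessId -> matched rules, keeping only events that matched at least one."""
    return {ev["ProcessId"]: h for ev in events if (h := score_event(ev))}

# Constructed telemetry: one legitimate Visual Studio build, then a ClickFix-style chain.
SAMPLE_EVENTS = [
    {"ProcessId": "1001", "Image": r"C:\Program Files\Microsoft Visual Studio\2022\MSBuild\Current\Bin\MSBuild.exe",
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Common7\IDE\devenv.exe",
     "CommandLine": r'MSBuild.exe "C:\src\app\app.csproj" /t:Build'},
    {"ProcessId": "2001", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell -w hidden -nop -c "<lure command omitted>"'},
    {"ProcessId": "2002", "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"MSBuild.exe C:\Users\frontdesk\AppData\Local\Temp\fix.xml"},
]

if __name__ == "__main__":
    for pid, hits in triage(SAMPLE_EVENTS).items():
        print(pid, ", ".join(hits))
```

The legitimate build (PID 1001) produces no hits; the two lure-driven events each match two rules, which is the kind of stacked signal worth alerting on rather than any single rule alone.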
This campaign highlights the danger of social engineering tactics that exploit human trust rather than zero-day software vulnerabilities.