Less than a week after warning that hotels were being constantly targeted by hackers, Panda Security managed to catch an attack in the act. The attack came in the form of a phishing email to an employee at an unnamed hotel and was, according to a Panda Security press release, captured by its Adaptive Defence 360 security software.
It all starts with a personalised phishing attack
The basic attack targeted a member of staff at the hotel by sending them a phishing email with what appeared to be a Word document attached. The email suggested that this was a booking form completed by a customer, which is not an unusual document for any hotel to receive via email. What was different here is that, while the attachment looked like a Word document, it was really an executable zip file.
When the user clicked on the document it executed a file which displayed a booking form in Word to the hotel staff, but behind the scenes it executed a script and ran a DLL file. The adobeUpd.dll filename belongs to a legitimate Adobe file that has been around for well over a decade. It is also known to have been used by the Ramnit malware, which European cyber police attempted to shut down in February 2015. This version appears to be another variation on a file that most IT departments would consider safe if they saw it running as a process on users' computers.
Once installed, the file is executed whenever the computer is turned on, at which point it attempts to download files from the Internet. On the face of it, nothing unusual. In this case, however, it shows that the attack was crafted to hit a specific hotel. Panda Security realised this when they examined the URL and domain name the hackers were using: while the hotel's domain ends in .com, the attack came from a server whose domain ends in .ga.
The press release suggests that this slight difference would escape the notice of security teams looking for something different. This is questionable, as cybersquatting and registering look-alike domains in multiple countries is a long-established practice among hackers. For it to slip past a security team there would have to be a process failure.
One of the things the hackers try to download is an image file. That file might arouse little suspicion, but embedded in the image is code which is decrypted and run by the hackers. Hiding data in an image this way is known as steganography, and it has been making a real comeback both in the hacking community and in TV crime and spy dramas. It's hard to say whether this is crime imitating art or the other way around. Either way, it gets through a lot of security, as it is not unusual to see .jpg and other image files marked as not to be scanned.
This is where the story ends from Panda Security. Because they detected and blocked the attack, they were unable to let it proceed in order to learn what the hackers were really looking for. What the press release does say is that this type of attack would have evaded traditional anti-virus protection, as the attacks are crafted for each victim and are therefore unlikely to be listed in a malware signature file.
This move from generic malware to attacks individually targeted at a hotel and delivered via spear phishing is designed to defeat several security measures. However, it still relies on individuals clicking on a file in order for it to execute. The use of a domain that is identical to the hotel's domain except for the top-level domain is relatively easy to block. Given how many years cybersquatting attacks have been around, security teams should have suitable blacklists in place to trap this type of attack.
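As an added illustration of the blocking point above (example code, not part of the article or Panda Security's product), the following Python flags outbound requests to domains that reuse the organisation's name under a different top-level domain. The organisation domain and the proxy log lines are constructed; the article does not name the hotel or its domain.

```python
import re

# Hypothetical organisation domain; the article does not name the hotel.
ORG_DOMAIN = "examplehotel.com"

# Constructed sample proxy log lines: timestamp, client IP, destination host, path.
SAMPLE_LOG = """\
2015-03-02T09:14:07 10.0.5.21 examplehotel.com /booking/form
2015-03-02T09:14:09 10.0.5.21 examplehotel.ga /img/banner.jpg
2015-03-02T09:15:44 10.0.5.33 cdn.examplehotel.com /static/logo.png
2015-03-02T09:16:02 10.0.5.21 update.adobe.com /reader/check
2015-03-02T09:17:19 10.0.5.40 examplehotel.co /admin
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

def registrable_parts(host):
    """Split a hostname into (second-level label, top-level domain). Simplified:
    multi-label suffixes such as co.uk are not handled; use a public suffix list in production."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return None
    return labels[-2], labels[-1]

def is_tld_lookalike(host, org_domain=ORG_DOMAIN):
    """True when host reuses the organisation's second-level label under a
    different top-level domain (e.g. examplehotel.ga versus examplehotel.com)."""
    target = registrable_parts(host)
    ours = registrable_parts(org_domain)
    if target is None or ours is None:
        return False
    return target[0] == ours[0] and target[1] != ours[1]

def flag_lookalike_requests(log_text, org_domain=ORG_DOMAIN):
    """Return (client, host) pairs for log lines whose destination is a
    TLD look-alike of the organisation's own domain."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        _, client, host, _ = m.groups()
        if is_tld_lookalike(host, org_domain):
            hits.append((client, host))
    return hits

if __name__ == "__main__":
    for client, host in flag_lookalike_requests(SAMPLE_LOG):
        print(f"ALERT look-alike domain: {client} -> {host}")
```

The same predicate can feed a proxy or DNS blocklist so the request is denied rather than merely logged.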
For anyone who is a frequent traveller using credit cards for hotel stays, this attack is yet another wake-up call. Too few people check their credit card statements frequently or change their username and other details on hotel sites. There is also a lot more that the industry needs to do to educate staff and encrypt data.