
Microsoft Warns of Photo ZIP Phishing Campaign Targeting Hotels with Node.js Implant

The Hacker News, 26/06/2026, 09:27

Summary

AI-Generated

Key Points:

  • An active phishing campaign is targeting hotels in Europe and Asia, using photo-themed ZIP files to deploy a Node.js implant known as TonRAT.
  • The campaign hits front-desk machines, and the lures, which reference guest complaints and inspections, carry potential reputational damage.
  • Recommended actions include removing both persistence mechanisms, the RunOnce entry and the Node.js Run key, and monitoring front-office systems.

Technical Details: The phishing emails use "Booking Manager (via Calendly)" as the display name and rely on authentication laundering, that is, routing mail through a legitimately authenticated sender, to pass email security checks. The Node.js implant resolves its C2 domains through the TON blockchain API and communicates over non-standard ports.

MITRE ATT&CK Techniques:

  • T1566.001 - Phishing: Spearphishing Attachment (Initial Access)
  • T1059.001 - Command and Scripting Interpreter: PowerShell (Execution)
  • T1071.001 - Application Layer Protocol: Web Protocols (Command and Control)
  • T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys (Persistence)

IOCs Mentioned:

  • Non-standard C2 ports: 8443, 8445, 8453, 5555, 56001 to 56003
  • Domain pattern: .cfd domains fronted by Cloudflare
  • Malware family: TonRAT
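As an added triage example (not code from the article, Microsoft, or The Hacker News): a script that flags proxy connections matching the port set and .cfd pattern above, and lists Run/RunOnce values that invoke node.exe or PowerShell so both persistence mechanisms are remediated together. The log format, the registry export and every host name and path are constructed assumptions; only the ports and the TLD come from the page.

```python
import re

# Non-standard C2 ports named in the summary; the .cfd TLD likewise comes from the page.
TONRAT_PORTS = {8443, 8445, 8453, 5555, 56001, 56002, 56003}
SUSPECT_TLD = ".cfd"

# Constructed proxy log lines: "<time> <src-ip> <dst-host> <dst-port> <bytes>".
PROXY_LOG = """\
2026-06-25T10:01:02Z 10.0.5.21 www.example.com 443 5120
2026-06-25T10:02:44Z 10.0.5.21 placeholder-c2.cfd 56002 880
2026-06-25T10:03:10Z 10.0.5.22 cdn.example.net 8443 2048
2026-06-25T10:04:55Z 10.0.5.21 placeholder-c2.cfd 5555 910
"""

def suspicious_connections(log_text):
    """Return (src, host, port) for lines that match BOTH the port set and the .cfd TLD."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines instead of raising
        _, src, host, port, _ = parts
        port = int(port)
        if port in TONRAT_PORTS and host.lower().endswith(SUSPECT_TLD):
            hits.append((src, host, port))
    return hits

# Constructed .reg-style export of the autostart keys; paths are placeholders, not IOCs.
REG_EXPORT = r"""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Updater"="powershell.exe -File C:\\Users\\frontdesk\\AppData\\Roaming\\stage.ps1"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"NodeSvc"="\"C:\\Users\\frontdesk\\AppData\\Roaming\\node\\node.exe\" C:\\Users\\frontdesk\\AppData\\Roaming\\app.js"
"OneDrive"="\"C:\\Users\\frontdesk\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\""
"""

KEY_RE = re.compile(r"^\[(.+\\(Run|RunOnce))\]$")      # section header of a Run/RunOnce key
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')           # "Name"="command" value line

def autostart_findings(reg_text):
    """Map each Run/RunOnce key to the value names whose command invokes node.exe or powershell.exe."""
    findings, current = {}, None
    for line in reg_text.splitlines():
        m = KEY_RE.match(line.strip())
        if m:
            current = m.group(1)
            continue
        v = VALUE_RE.match(line.strip())
        if current and v and re.search(r"(node|powershell)\.exe", v.group(2), re.I):
            findings.setdefault(current, []).append(v.group(1))
    return findings
```

A finding in only one of the two keys is a signal that remediation is incomplete, since the summary notes that both the RunOnce entry and the Node.js Run key must be addressed.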
