Threat Actors Target The Travel Industry And Deliver AgentTesla To Travelers

A recent malware campaign impersonating Booking.com was seen distributing a malicious email attachment to deliver a remote access trojan. The malicious PDF file masqueraded as a refund statement and led to a chain of malicious activities using embedded scripts and URLs that were planted to download additional stages of the attack. Recipients were greeted with a fake pop-up containing embedded code that prompted them to initiate the download process, which included an obfuscated JavaScript file and a PowerShell script. The PowerShell script used evasion techniques, disabled security features, modified the system registry, and ultimately downloaded and executed a .DLL file associated with AgentTesla. This malware was used to perform process injection and data exfiltration, targeting personal and system information that was sent to the attackers' private Telegram channel.