The hospitality industry continues to face cyber threats, with luxury hotels becoming the latest target. This comes in the wake of the cyberattacks that hit MGM Grand and Caesars. Attackers are now focusing on these high-end hotels, using an active phishing campaign to spread information-stealing malware. This campaign appears to be using social engineering tactics similar to those that led to the recent attacks on the resort-casinos.
The phishing campaign was discovered by researchers at Cofense Intelligence. The attackers use reconnaissance emails and instant messages to trick employees at luxury resorts and hotel chains into responding. According to a blog post by Cofense published on September 26, once the threat actors receive a response to their initial email, they follow up with phishing messages. These messages are designed to bypass email security analysis and secure email gateways (SEGs), ensuring that the messages reach their intended targets. The tactics used include trusted cloud domains in the emails, password-protected archives, and large executable files that can disrupt analysis.
Cofense cyber threat intelligence analyst Dylan Duncan wrote in the post, "From the reconnaissance email all the way to the malicious payload, this campaign and its infection chain are both highly sophisticated and well-thought-out by the threat actors." He noted a significant increase in the campaign through August and September, with 85% of the phishing emails observed in the campaign sent in the last 60 days.
The threat actors initiate contact by sending an email to luxury hospitality chains and services using what they believe is a company email address. The first messages do not contain malicious content but are used to verify that the target email account is active. If the recipient responds, the attackers send a follow-up phishing email with a similar lure to the initial email, lending legitimacy to the campaign.
The phishing emails contain an infection URL hosted on a trusted cloud domain, such as Google Drive, Dropbox, or DiscordApp. Victims are led to download a password-protected archive that contains malicious files. According to Cofense, 58% of the links were Google Drive files, and 49% of the archives were .ZIP files.
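The two-stage pattern described above (a link-free reconnaissance email, an employee reply, then a follow-up carrying a cloud-hosted link) is something a mail-security team can look for in thread metadata. The following is an added illustration, not code from Cofense or from the report; the abused hostnames, the sample thread and the domain names are constructed assumptions.

```python
import re

# Cloud file-sharing services the report names as abused for hosting the lure.
# Exact hostnames are assumptions for this illustration, not indicators from Cofense.
ABUSED_HOSTS = ("drive.google.com", "dropbox.com", "discordapp.com")
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")


def abused_hosts_in(body):
    """Return the set of abused cloud hosts linked from a message body."""
    hits = set()
    for match in URL_RE.finditer(body):
        host = match.group(1).lower()
        for abused in ABUSED_HOSTS:
            if host == abused or host.endswith("." + abused):
                hits.add(abused)
    return hits


def is_internal(address, our_domain):
    return address.lower().endswith("@" + our_domain)


def flag_two_stage_lure(thread, our_domain):
    """Return the index of the first message matching the campaign's pattern:
    an external first contact with no links at all, at least one reply from an
    internal address, then an external follow-up that introduces a link to an
    abused cloud host. Returns None when the pattern is absent."""
    if not thread or is_internal(thread[0]["from"], our_domain):
        return None
    if URL_RE.search(thread[0]["body"]):
        return None  # the reconnaissance email in this campaign carries no link
    replied = False
    for idx, msg in enumerate(thread[1:], start=1):
        if is_internal(msg["from"], our_domain):
            replied = True
        elif replied and abused_hosts_in(msg["body"]):
            return idx
    return None


# Constructed sample thread (hypothetical addresses, not from the report).
SAMPLE_THREAD = [
    {"from": "guest.relations@example-travel.test",
     "body": "Hello, could you confirm you handle group bookings for the spring conference?"},
    {"from": "reservations@grand-hotel.test",
     "body": "Yes, happy to help. Please send the details."},
    {"from": "guest.relations@example-travel.test",
     "body": "Great, the attendee list is here: "
             "https://drive.google.com/file/d/EXAMPLEID/view (archive password: 1234)"},
]

if __name__ == "__main__":
    print(flag_two_stage_lure(SAMPLE_THREAD, "grand-hotel.test"))  # 2
```

A hit is a triage signal rather than a verdict: legitimate vendors also share files through these services, which is why the report pairs this kind of filtering with user education.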
The ultimate aim of the campaign is to steal employees' login information for various applications used on the corporate system, and in some cases, deliver secondary payloads. The malware deployed by the campaign comes from five known malware families — RedLine Stealer, Vidar Stealer, Stealc, Lumma Stealer, and Spidey Bot. Cofense noted that the threat actors behind RedLine and Vidar have recently pivoted to ransomware using similar tactics.
Duncan suggests that the most practical defense against this campaign is to educate employees on general phishing concepts and make them aware that campaigns like this one exist. On a technical level, organizations should block downloads from the file-sharing sites abused by the campaign whenever the business does not normally rely on those services.