Finding Booking.com themed ClickFix domains using Validin

This article discusses how investigators used the Validin UI to trace infrastructure linked to a malicious ClickFix campaign, which included a phishing site impersonating Booking.com. The investigation revealed numerous domains, IPs, and indicators of compromise connected to the campaign, with the AsyncRAT Trojan identified as a significant payload.

Affected: ClickFix campaign, Booking.com themed phishing domains, AsyncRAT Trojan

Key points:

  • A tweet about a phishing site impersonating Booking.com triggered the investigation.
  • Validin was used to uncover related domains and IPs associated with the ClickFix campaign.
  • The investigation focused on finding domains with ‘Booking.com’ as their page title, yielding 236 suspicious domains.
  • Many identified domains were aged and registered on Dynadot, indicating a potential preemptive registration by Booking.com.
  • Live scans verified the connection of identified domains to malicious activities, including hosting AsyncRAT.
  • Indicators of compromise were generated, including suspicious domains, IP addresses, and hashes for further investigation.
  • Lookalike and favicon hash searches helped discover additional related infrastructure.
  • The article emphasizes the importance and effectiveness of using Validin for threat research.

MITRE Techniques:

  • Initial Investigation (ID T1087): Verification of existing domains and observed connections.
  • Domain Generation Algorithm (ID T1071): Patterns in the domains resembling legitimate domains for phishing strategy.
  • Credential Dumping (ID T1003): AsyncRAT’s behavior includes potential credential theft on infected devices.
  • Command and Control (ID T1071): Malicious executables downloaded to establish communication with remote servers.
  • Phishing (ID T1566): Use of counterfeit domains to lure victims.

Indicators of Compromise:

  • [Domain] bookviewmain24[.]com
  • [IP Address] 92.255.85[.]66
  • [IP Address] 92.255.85[.]207
  • [URL] https://cpthevrf[.]click/F44GTGHOVB0snx
  • [URL] http://92.255.85[.]207/ret.exe

Full Story: https://www.validin.com/blog/finding_booking_themed_clickfix/