This attack is performed by sending spear phishing emails to the victims, masquerading as a hotel reservation form that, if opened and macros are enabled, installs a malware in the machine’s victim.
Why should Fancy bear do this? According to FireEye and other security firms, Sofacy is a cyberespionage group and a good tool to get info about people (possibly businessmen and politicians) hosted in important hotels, is to deceive them to install a spyware with a Command and Control that monitors the actions of all the victims.
Figure 1 – Screen of Word dropper.
The above figure shows an example of the weaponized document used by hackers as an attachment in spear phishing emails. The document contains a payload achievable when macro is enabled. In fact, the macro is a Visual Basic script used to decode the malicious payload and to create a series of files, according to the following scheme:
Figure 2 – Files’ creation and execution scheme
The file “mvtband.dat” is the core of the malware that contains a C2C client, which tries to connect to servers, “mvtband.net” and “mvband.net” in order to send the info gathered about the victim’s host and receive new commands to execute on it. In particular, the malware contacts these C&C servers with POST request on a random path. The body contains some info, among them the list of the executing processes, info about system settings, browser preferences, encrypted using its own algorithm. Moreover, from our advanced analysis, we discovered that Hospitality Malware takes screenshots of the machine that most likely it sends to the C2C together with other info. But, nowadays, these servers are blacklisted so we can’t analyze all the complete behavior of Hospitality Malware.
You can download the full ZLAB Malware Analysis Report at the following URL:
About the author: Antonio Pirozzi
Principal Malware Scientist and Senior Threat Researcher for CSE CybSec Enterprise spa
Actually, he holds more than 10 Infosec International Certification, from SANS, EC-Council and Department of Homeland Security.
His experience goes beyond the classical Computer Security landscape, he worked on numerous projects on GSM Security, Critical Infrastructure Security, Blockchain Malware, composition malware, malware evasion.
Luigi Martire is graduated in Computer Engineering at the University of Sannio. He’s part of University of Sannio Software Security Lab (ISWAT lab) and participated in some cyber security projects, among them “DoApp – Denial Of App”. Nowadays, he’s also Malware Analyst and Threat Researcher for Z-Lab, the malware lab of CSE CybSec Enterprise spa.
Antonio Farina is graduated in Computer Engineering at the University of Sannio. He’s part of University of Sannio Software Security Lab (ISWAT lab) and participated in some cyber security projects, among them “DoApp – Denial Of App”. Nowadays, he’s also Malware Analyst and Threat Researcher for Z-Lab, the malware lab of CSE CybSec Enterprise spa.
(Security Affairs – hospitality malware, Fancy Bear)