Security experts at Kaspersky have published a report on a targeted cybercrime malware campaign, tracked as RevengeHotels, that hit hotels, hostels, hospitality and tourism companies. According to the experts, the threat actor has been active since 2015, but its activity peaked in 2019.
The group mainly operated in Brazil, experts confirmed that dozens of hotels are victims of the group. Kaspersky reported victims in eight states in Brazil, other attacks took place in Argentina, Bolivia, Chile, Costa Rica, France, Italy, Mexico, Portugal, Spain, Thailand, and Turkey.
The cybercrime gang aimed at stealing card data of guests and travelers that were managed by hotels, as well as credit card data received from popular online travel agencies such as Booking.com.
The attackers carried out spear-phishing campaigns using
The phishing messages are well-written, attackers used
“The attached file, Reserva Advogados Associados.docx (
“In the RevengeHotels campaign, the downloaded files are .NET binaries protected with the Yoda Obfuscator. After unpacking them, the code is recognizable as the commercial RAT RevengeRAT”
Researchers noticed an additional module called ScreenBooking that was developed by the threat actors to steal credit card data by monitoring whether the user is browsing the web page.
The files downloaded in the attacks observed in 2016 were divided into two modules, a backdoor and a module to capture
Kaspersky also tracked another group behind a campaign tracked as ProCC that used a backdoor that is more customized than that used by RevengeHotels. ProCC hackers developed their backdoor from scratch, the malicious code is able to collect data from the clipboard and printer spooler, and capture screenshots.
Crooks also focused their attack on hotel management systems to capture credentials and payment card data. Crooks are maintaining remote access to front desks to generate additional income as a service.
“If you want to be a savvy and safe traveler, it’s highly recommended to use a virtual payment card for reservations made via
|[adrotate banner=”9″]||[adrotate banner=”12″]|