Security researchers at Kaspersky have published a new report detailing a cybercrime malware operation, dubbed RevengeHotels, aimed at hotels, hostels, hospitality and tourism companies. The list of victims includes more than 20 hotels located in Brazil, Argentina, Bolivia, Chile, Costa Rica, France, Italy, Mexico, Portugal, Spain, Thailand and Turkey. The campaign's goal is to steal card data of guests and travelers that are managed by hotels, as well as credit card data received from popular online travel agencies such as Booking.com.

The researchers tracked two groups targeting the hospitality sector. One of them was dubbed RevengeHotels and the other – ProCC. While threat actors leverage separate but similar infrastructure, tools and techniques, they both heavily rely on social engineering to conduct their attacks.

In observed campaign, the attackers used spear-phishing emails with weaponized Word, Excel or PDF documents attached. In some of the cases the attackers exploited CVE-2017-0199 in order to drop customized versions of RevengeRAT, NjRAT, NanoCoreRAT, 888 RAT and other custom malware such as ProCC, on the target machine.

According to the Kaspersky’s team, the spear-phishing messages were well written and detailed. The attackers also used typo-squatted domains to impersonate real companies, attaching to the messages convincingly looking legal documents.

“In the RevengeHotels campaign, the downloaded files are .NET binaries protected with the Yoda Obfuscator. After unpacking them, the code is recognizable as the commercial RAT RevengeRAT, ” the researchers wrote.

The experts also found additional module called ScreenBooking designed to capture credit card data by monitoring whether the user is browsing the web page. The files downloaded in the attacks observed in 2016 were divided into two modules, a backdoor and a module to capture screenshots. Over time, these modules had been merged into a single backdoor module that is able to gather data from clipboard and capture screenshots.

The ProCC threat actor uses a backdoor that is more customized than that used by RevengeHotels. It was developed from scratch and has the number of functions, including the ability to collect data from the clipboard and printer spooler, and capture screenshots.

“Because the personnel in charge of confirming reservations usually need to pull credit card data from OTA websites, it’s possible to collect card numbers by monitoring the clipboard and the documents sent to the printer,” Kaspersky explained in its report.

“RevengeHotels is a campaign that has been active since at least 2015, revealing different groups using traditional RAT malware to infect businesses in the hospitality sector. While there is a marked interest in Brazilian victims, our telemetry shows that their reach has extended to other countries in Latin America and beyond,” the write-up concludes.