Dreaming of a trip to sun-kissed Thailand for your holidays? Cyber crooks are dreaming about stealing your sensitive data as you book your ideal vacation, using a fake travel website and a remote access trojan to get inside your machine.
Cyber analysts at Zscaler ThreatLabz uncovered the trick, which uses a facsimile of the authentic Thailand Pass website to con users into clicking on a malicious link that then delivers its payload: the AsyncRAT trojan, whose dropper script checks for antivirus products such as Avast, AVG, or Malwarebytes and adapts its behaviour to work around them.
“If any of those services is found, the script modifies the execution flow of the malware to get around the antivirus, and downloads the appropriate files in order to do so,” said Zscaler, describing AsyncRAT as “a remote trojan that can be used to monitor, control, and steal sensitive data.”
The payload is delivered once the victim clicks on the malicious URL, which displays a fake Thailand Pass registration page in HTML. Once the unwary user opens that page, another file, identified in the Zscaler report as “qr_thailand_pass.vbs”, is loaded onto the targeted machine to begin the malware activity.
The malware is also designed to avoid detection once it has installed itself on a device.
“The payload will also check for Anti-VM and Anti-debugging techniques to evade detection,” said Zscaler. “It checks whether the downloaded malware payload is running in the host or virtual machine, and also uses anti-debugging techniques to hide its actual behavior.”
Once it has bypassed all the victim’s defenses, AsyncRAT steals networking information from the infected machine before sending it to “invoice-update[.]myiphost[.]com” – a command-and-control server presumably operated by the cybercriminals behind the scam.
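The two concrete indicators the report gives, the dropper name “qr_thailand_pass.vbs” and the command-and-control host “invoice-update[.]myiphost[.]com”, are what a defender would sweep their own telemetry for. The following Python script is an added example written for this article, not Zscaler's code or tooling: it refangs the published domain, then scans constructed DNS and process-creation log lines for the C2 lookup, for wscript.exe/cscript.exe launching the named dropper, and (going slightly beyond the report) for any script host running a .vbs out of a Downloads folder. The log line formats and the host names are assumptions made for the example.

```python
"""Sweep log lines for the indicators quoted in the Zscaler report.

Added example; not Zscaler's code. Log line shapes are assumptions:
  dns  <ts> host=<name> query=<fqdn>
  proc <ts> host=<name> image=<path> cmdline="<command line>"
"""
import re
from typing import Dict, Iterable, List, Optional

# Indicators taken from the article. The C2 host is published defanged.
C2_HOST_DEFANGED = "invoice-update[.]myiphost[.]com"
DROPPER_NAME = "qr_thailand_pass.vbs"

# Windows script hosts that execute .vbs files.
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('[.]', 'hxxp') back into a matchable string."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


C2_HOST = refang(C2_HOST_DEFANGED)

DNS_RE = re.compile(r"^dns\s+(?P<ts>\S+)\s+host=(?P<host>\S+)\s+query=(?P<query>\S+)")
PROC_RE = re.compile(
    r'^proc\s+(?P<ts>\S+)\s+host=(?P<host>\S+)\s+image=(?P<image>\S+)\s+cmdline="(?P<cmdline>[^"]*)"'
)


def classify(line: str) -> Optional[Dict[str, str]]:
    """Return a detection record for a suspicious line, or None for a benign one."""
    m = DNS_RE.match(line)
    if m:
        query = m["query"].lower().rstrip(".")
        # Exact host or a subdomain of it; the bare parent domain is NOT an indicator.
        if query == C2_HOST or query.endswith("." + C2_HOST):
            return {"ts": m["ts"], "host": m["host"], "rule": "asyncrat_c2_dns", "detail": query}
        return None

    m = PROC_RE.match(line)
    if m:
        image = m["image"].lower().rsplit("\\", 1)[-1]  # basename of the executable
        cmd = m["cmdline"].lower()
        if image not in SCRIPT_HOSTS:
            return None  # only script hosts execute a .vbs; an editor opening it is fine
        if DROPPER_NAME in cmd:
            return {"ts": m["ts"], "host": m["host"], "rule": "thailand_pass_vbs_dropper", "detail": cmd}
        # Broader, lower-confidence rule: any .vbs launched from a Downloads folder.
        if ".vbs" in cmd and "\\downloads\\" in cmd:
            return {"ts": m["ts"], "host": m["host"], "rule": "script_host_vbs_from_downloads", "detail": cmd}
    return None


def sweep(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Run classify() over every line and keep the hits, in log order."""
    return [hit for hit in map(classify, lines) if hit is not None]


# Constructed sample telemetry (not real logs); hosts PC01..PC03 are invented.
SAMPLE_LOG = [
    'dns 2023-01-01T10:00:00Z host=PC01 query=www.example.org',
    'dns 2023-01-01T10:00:01Z host=PC01 query=invoice-update.myiphost.com',
    'dns 2023-01-01T10:00:02Z host=PC02 query=myiphost.com',
    'proc 2023-01-01T10:00:05Z host=PC01 image=C:\\Windows\\System32\\wscript.exe '
    'cmdline="wscript.exe C:\\Users\\a\\Downloads\\qr_thailand_pass.vbs"',
    'proc 2023-01-01T10:00:06Z host=PC02 image=C:\\Windows\\System32\\wscript.exe '
    'cmdline="wscript.exe C:\\Users\\b\\Downloads\\itinerary.vbs"',
    'proc 2023-01-01T10:00:07Z host=PC03 image=C:\\Windows\\System32\\notepad.exe '
    'cmdline="notepad.exe qr_thailand_pass.vbs"',
]

if __name__ == "__main__":
    for hit in sweep(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['host']} {hit['rule']}: {hit['detail']}")
```

The parent domain myiphost[.]com is deliberately not matched, since the report names only the invoice-update subdomain as the C2, and notepad.exe opening the dropper is ignored because the point of the process rule is execution by a script host, not the file name alone. The Downloads-folder rule is the one generalization beyond the article and should be treated as a hunting lead rather than a high-confidence alert.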
Zscaler warned that the campaign it detailed in its original report is not the only one of its kind.
“We have seen several other Thailand Pass organization spam templates that directly deliver the file that leads to the same AsyncRAT malware,” it said.
The real Thailand Pass has issued an advisory note on its official website warning travelers about the malicious spoofing campaigns.