When a “New Booking” Becomes a Breach: DCRat Malware Targets Europe’s Hospitality Sector

Executive Summary

A sustained malware campaign is actively targeting hospitality organizations across Europe using fraudulent booking-related emails as the initial infection vector. The emails impersonate guests or booking platforms and include malicious attachments designed to deploy DCRat (DarkCrystal RAT).

The campaign demonstrates high operational realism, abusing the daily workflows of hotel front desks, reservations teams, and administrative staff. Once executed, the malware grants attackers full remote access to infected systems, allowing credential theft, surveillance, lateral movement, and long-term persistence.

This activity represents a serious risk to guest data, internal booking systems, and enterprise credentials, with a strong likelihood of secondary payload deployment such as ransomware or data exfiltration.


Threat Overview

Attribute        Details
Malware          DCRat (DarkCrystal RAT)
Initial Access   Phishing emails with fake booking attachments
Target Sector    Hospitality (Hotels, Resorts, Travel Lodging)
Target Region    Europe (multi-country)
Objective        Persistent access, credential theft, reconnaissance
Sophistication   Medium–High
Monetization     Access resale, data theft, ransomware staging

Initial Access – Phishing & Social Engineering

Email Themes Observed

Attackers craft emails that blend seamlessly into hospitality operations. Common pretexts include:

  • New reservation request
  • Booking confirmation requiring review
  • Cancellation or modification notice
  • Guest invoice or payment discrepancy
  • Group booking inquiries

Common Subject Line Patterns

  • New Booking Request – Urgent
  • Reservation Details for Review
  • Guest Invoice Attached
  • Booking Confirmation #<random>
  • Payment Issue – Please Check

Social Engineering Factors

  • Exploits expectation of attachments
  • Targets time-sensitive operational roles
  • Uses polite, professional language
  • Often localized by region or language
  • Minimal spelling or grammar errors

Malicious Attachments & Infection Chain

Attachment Formats

  • .zip (most common)
  • .iso
  • .img
  • .rar
  • .7z
  • Password-protected archives

Payload Contents

Inside the archive, one or more of the following are found:

  • Windows shortcut file (.lnk)
  • JavaScript file (.js)
  • Batch script (.bat)
  • HTML application (.hta)
  • Executable disguised as a document
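Added example (not part of the advisory): a mail-gateway style triage check that opens a .zip attachment and flags the inner file types listed above, a PE header hiding behind a document-looking name, and encrypted members that cannot be inspected. The archive contents and file names are constructed for the demonstration; .iso, .img, .rar and .7z containers need their own parsers and are out of scope here.

```python
"""Triage a booking-themed zip attachment for the DCRat dropper file types.

Added example, not code from the original advisory. Inner file types follow the
advisory's Payload Contents list; the sample archive below is constructed.
"""
import io
import os
import zipfile

SCRIPT_EXTENSIONS = {".lnk", ".js", ".bat", ".hta"}            # loaders named in the advisory
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf"}
BOOKING_KEYWORDS = ("booking", "reservation", "invoice", "payment")
ZIP_ENCRYPTED_FLAG = 0x1    # general-purpose bit 0: member is password protected


def _extensions(name):
    """All dotted suffixes of a file name: 'a.pdf.exe' -> ['.pdf', '.exe']."""
    parts = os.path.basename(name).lower().split(".")
    return ["." + p for p in parts[1:]] if len(parts) > 1 else []


def classify_member(name, head, encrypted):
    """Return the reasons an archive member is suspicious (empty list if none).

    `head` holds the first bytes of the member, or b'' when it could not be read.
    """
    reasons = []
    exts = _extensions(name)
    last = exts[-1] if exts else ""
    if encrypted:
        reasons.append("encrypted member, content cannot be inspected")
    if last in SCRIPT_EXTENSIONS:
        reasons.append(f"script/shortcut payload ({last})")
    if head.startswith(b"MZ"):
        # PE magic regardless of name: the 'executable disguised as a document' case
        reasons.append("PE executable content" + ("" if last == ".exe" else " with non-exe extension"))
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTENSIONS and last not in DOCUMENT_EXTENSIONS:
        reasons.append(f"double extension masquerading as {exts[-2]}")
    return reasons


def triage_archive(archive_bytes, attachment_name=""):
    """Inspect every member of a zip attachment and return a verdict dict."""
    findings = []
    themed = any(k in attachment_name.lower() for k in BOOKING_KEYWORDS)
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            encrypted = bool(info.flag_bits & ZIP_ENCRYPTED_FLAG)
            head = b""
            if not encrypted:
                with zf.open(info) as fh:
                    head = fh.read(4)
            for reason in classify_member(info.filename, head, encrypted):
                findings.append((info.filename, reason))
    return {
        "attachment": attachment_name,
        "booking_themed": themed,
        "suspicious": bool(findings),
        "findings": findings,
    }


def build_sample_archive():
    """Constructed archive resembling the lures described; not a real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Booking_Details.lnk", b"L\x00\x00\x00" + b"\x00" * 16)  # placeholder shortcut bytes
        zf.writestr("Guest_Invoice.pdf.exe", b"MZ" + b"\x00" * 62)           # PE magic, document-looking name
        zf.writestr("Terms.txt", b"Check-in after 15:00.\n")                  # benign member
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_archive(build_sample_archive(), "Reservation_Request.zip"))
```

A plain .exe carrying a document icon cannot be told apart by name alone, which is why the check reads the member's first bytes rather than trusting the extension; an encrypted member is reported as uninspectable so the gateway can quarantine rather than pass it through.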

Execution Chain

  1. Victim opens attachment
  2. Shortcut or script executes silently
  3. Loader decodes or downloads payload
  4. DCRat executable is written to disk
  5. Persistence is established
  6. Command-and-control communication begins

Malware Analysis – DCRat (DarkCrystal RAT)

Overview

DCRat is a commercially distributed remote access trojan, commonly used by criminal groups. It is modular, actively updated, and capable of adapting post-infection.

Core Capabilities

  • Remote shell execution
  • Full desktop control
  • Keystroke logging
  • Browser credential theft
  • File system access
  • Process enumeration
  • Webcam and microphone control
  • Clipboard monitoring
  • Screenshot capture
  • Plugin-based extensibility

Persistence & Defense Evasion

Persistence Techniques

  • Registry Run keys
  • Scheduled tasks
  • Startup folder placement
  • Hidden directory execution
  • Masquerading as legitimate software

Defense Evasion

  • Obfuscated loaders
  • Randomized file names
  • Encrypted C2 traffic
  • Living-off-the-land techniques
  • Frequent recompilation to evade signatures

Command & Control (C2) Characteristics

  • TCP-based or HTTP(S) beaconing
  • Non-standard ports (often high-numbered)
  • Encrypted payloads
  • Fixed beacon intervals
  • Dynamic configuration updates
  • Fallback C2 endpoints

Expanded Indicators of Compromise (IOCs)

File Names (Observed & Pattern-Based)

  • Booking_Details[.]lnk
  • Reservation_Request[.]zip
  • Guest_Invoice[.]iso
  • Booking_Confirmation[.]img
  • Invoice_Details[.]js
  • Payment_Information[.]hta
  • Reservation_Form[.]bat
  • Booking_Document[.]exe
  • <random>_booking[.]exe
  • <random>_invoice[.]exe

File Extensions to Watch

  • .lnk
  • .iso
  • .img
  • .js
  • .hta
  • .bat
  • .exe with document icons

File System Locations

  • %AppData%\Roaming\<random>\<random>[.]exe
  • %LocalAppData%\Temp\<random>[.]exe
  • %ProgramData%\<random>\<random>[.]exe
  • %UserProfile%\Downloads\<random>[.]exe
  • %AppData%\Microsoft\Windows\Start Menu\Programs\Startup\<random>[.]exe

Registry Keys

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\<random>
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\<random>
HKCU\Software\<random>\<random>

Scheduled Tasks

  • Randomized task names
  • Tasks executing from user-writable directories
  • Tasks set to run on logon or every few minutes

Network Indicators (Behavioral)

  • Outbound connections shortly after file execution
  • Repeated beaconing every 30–120 seconds
  • Encrypted outbound traffic to unknown hosts
  • Communication outside business hours
  • No associated browser activity

Impact Assessment

Potentially Compromised Assets

  • Guest personal information
  • Booking and reservation systems
  • Payment-related metadata
  • Internal credentials
  • Domain user accounts
  • Shared front-desk workstations

Business Impact

  • Data protection violations
  • Regulatory exposure (GDPR)
  • Loss of guest trust
  • Ransomware staging risk
  • Long-term network compromise

Splunk Detection Rules

Rule 1: Suspicious Booking-Themed Attachments

index=email
| search attachment_extension IN ("zip","iso","img","rar","7z")
| search attachment_name="*booking*" OR attachment_name="*reservation*" OR attachment_name="*invoice*"
| stats count by sender, recipient, attachment_name, attachment_extension

Rule 2: Execution from User-Writable Directories

index=endpoint
| search process_path="*\\AppData\\*" OR process_path="*\\Temp\\*" OR process_path="*\\ProgramData\\*"
| search process_extension="exe"
| stats count by user, host, process_name, process_path

Rule 3: Shortcut File Execution

A .lnk file is not itself a process, so matching process_name on "*.lnk" returns nothing. Match instead on the interpreter that explorer.exe launches when a user opens the shortcut, or on a command line that references the shortcut file:

index=endpoint
| search parent_process="explorer.exe"
| search process_name IN ("cmd.exe","powershell.exe","wscript.exe","cscript.exe","mshta.exe") OR command_line="*.lnk*"
| stats count by user, host, parent_process, process_name, command_line

Rule 4: JavaScript or HTA Execution

index=endpoint
| search process_name IN ("wscript.exe","cscript.exe","mshta.exe")
| stats count by user, host, parent_process, command_line

Rule 5: Suspicious Scheduled Task Creation

index=endpoint
| search event_type="scheduled_task_created"
| search task_path="*AppData*" OR task_path="*ProgramData*"
| stats count by user, host, task_name, task_path

Rule 6: DCRat-Like Beaconing Behavior

index=network
| search direction=outbound
| stats count, min(_time) as first_seen, max(_time) as last_seen by src_ip, dest_ip, dest_port
| where count > 10 AND (last_seen - first_seen) < 3600
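Added example (not part of the advisory): the logic of Rule 6 in Python, extended with the behavioural indicators from the Network Indicators list, a near-fixed interval in the 30–120 second range and activity outside business hours. The connection records, the 07:00–18:59 business-hours window and the jitter threshold are constructed assumptions to tune per environment.

```python
"""Beaconing detector over outbound connection records.

Added example, not code from the original advisory. Applies Rule 6
(more than 10 connections to one destination within an hour) and adds
interval regularity and after-hours checks. Log lines and thresholds are
constructed assumptions.
"""
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

MIN_CONNECTIONS = 10               # Rule 6: count > 10 ...
WINDOW_SECONDS = 3600              # ... within one hour
BEACON_MIN, BEACON_MAX = 30, 120   # beacon interval range named in the advisory
MAX_JITTER_RATIO = 0.2             # pstdev/mean of intervals; below this the cadence is "fixed"
BUSINESS_HOURS = range(7, 19)      # assumption: 07:00-18:59 local time


def parse_line(line):
    """Parse one constructed record: '<iso-time> <src> <dst> <port> <direction>'."""
    ts, src, dst, port, direction = line.split()
    return {"time": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "port": int(port), "direction": direction}


def analyze(lines):
    """Return one alert dict per (src, dst, port) tuple that crosses Rule 6's threshold."""
    groups = defaultdict(list)
    for rec in map(parse_line, lines):
        if rec["direction"] == "outbound":            # Rule 6 only looks at outbound flows
            groups[(rec["src"], rec["dst"], rec["port"])].append(rec["time"])

    alerts = []
    for (src, dst, port), times in groups.items():
        times.sort()
        span = (times[-1] - times[0]).total_seconds()
        if len(times) <= MIN_CONNECTIONS or span >= WINDOW_SECONDS:
            continue                                   # below Rule 6's count/time threshold
        intervals = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(intervals)
        jitter = statistics.pstdev(intervals) / mean if mean else 0.0
        after_hours = sum(t.hour not in BUSINESS_HOURS for t in times) / len(times)
        alerts.append({
            "src": src, "dst": dst, "port": port, "count": len(times),
            "span_seconds": span, "mean_interval": mean,
            "jitter_ratio": round(jitter, 3),
            "fixed_interval_beacon": BEACON_MIN <= mean <= BEACON_MAX and jitter <= MAX_JITTER_RATIO,
            "after_hours_ratio": after_hours,
        })
    return alerts


def sample_log():
    """Constructed connection log: one 60 s beacon at 21:00 plus ordinary noise."""
    start = datetime(2024, 5, 2, 21, 0, 0)
    lines = []
    for i in range(12):                                # 12 connections, 60 s apart, 1 s jitter
        t = start + timedelta(seconds=60 * i + (i % 2))
        lines.append(f"{t.isoformat()} 10.10.5.21 198.51.100.23 4899 outbound")
    for offset in (0, 310, 1900):                      # sparse, irregular web traffic
        t = start + timedelta(seconds=offset)
        lines.append(f"{t.isoformat()} 10.10.5.21 203.0.113.10 443 outbound")
    lines.append(f"{start.isoformat()} 203.0.113.10 10.10.5.21 52000 inbound")  # ignored
    return lines


if __name__ == "__main__":
    for alert in analyze(sample_log()):
        print(alert)
```

The jitter ratio is the coefficient of variation of the inter-connection gaps; a count threshold alone also fires on chatty but legitimate services, while a low ratio in the 30–120 second band is what separates a scheduled beacon from browsing. In SPL the same gap calculation can be expressed with streamstats over _time per destination before the count and span checks.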

Rule 7: Suspicious Registry Persistence

index=endpoint
| search registry_path="*\\Run\\*"
| search registry_value="*AppData*" OR registry_value="*ProgramData*"
| stats count by user, host, registry_path, registry_value
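Added example (not part of the advisory): the intent of Rules 2, 3, 4, 5 and 7 expressed as endpoint event triage in Python, using the user-writable locations and Run keys listed in the IOC section in both %VAR% and expanded C:\Users\... forms. Event field names, host and user names, task names and file names are constructed assumptions; a real deployment maps them from Sysmon or EDR telemetry.

```python
"""Endpoint event triage for the persistence and execution paths in the IOC section.

Added example, not code from the original advisory. Encodes the listed
user-writable locations and checks constructed endpoint events against the
intent of Rules 2, 3, 4, 5 and 7. Field names and sample values are assumptions.
"""
import re

# User-writable locations from the advisory, in both %VAR% and expanded forms.
USER_WRITABLE_PATTERNS = [
    re.compile(r"(%appdata%|\\appdata\\roaming)\\", re.I),
    re.compile(r"(%localappdata%|\\appdata\\local)\\temp\\", re.I),
    re.compile(r"(%programdata%|c:\\programdata)\\", re.I),
    re.compile(r"(%userprofile%|c:\\users\\[^\\]+)\\downloads\\", re.I),
    re.compile(r"\\start menu\\programs\\startup\\", re.I),
]
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}          # Rule 4
SHORTCUT_CHILDREN = SCRIPT_HOSTS | {"cmd.exe", "powershell.exe"}   # what a .lnk/.bat launches


def is_user_writable(path):
    """True if a path or command line points into one of the listed locations."""
    return any(p.search(path) for p in USER_WRITABLE_PATTERNS)


def triage_event(ev):
    """Return the rule names an endpoint event matches (empty list if none)."""
    hits = []
    if ev["type"] == "process_start":
        name = ev["image"].rsplit("\\", 1)[-1].lower()
        cmd = ev.get("command_line", "")
        if name.endswith(".exe") and is_user_writable(ev["image"]):
            hits.append("Rule 2: executable running from a user-writable path")
        if ev.get("parent", "").lower() == "explorer.exe" and name in SHORTCUT_CHILDREN:
            hits.append(f"Rule 3: explorer.exe spawned {name} (shortcut or script opened by the user)")
        if name in SCRIPT_HOSTS:
            where = " with a user-writable path on the command line" if is_user_writable(cmd) else ""
            hits.append(f"Rule 4: script host {name} launched{where}")
    elif ev["type"] == "registry_set":
        if RUN_KEY.search(ev["key"]) and is_user_writable(ev["value"]):
            hits.append("Rule 7: Run key value pointing to a user-writable path")
    elif ev["type"] == "scheduled_task_created":
        if is_user_writable(ev["action"]):
            hits.append("Rule 5: scheduled task executing from a user-writable path")
    return hits


def triage_events(events):
    """Keep only events that matched at least one rule, with their matches."""
    out = []
    for ev in events:
        hits = triage_event(ev)
        if hits:
            out.append({"host": ev["host"], "user": ev["user"], "type": ev["type"], "rules": hits})
    return out


# Constructed sample telemetry from a hypothetical front-desk workstation.
SAMPLE_EVENTS = [
    {"type": "process_start", "host": "FRONTDESK-01", "user": "reception", "parent": "cmd.exe",
     "image": r"C:\Users\reception\AppData\Local\Temp\kz8f1q.exe",
     "command_line": r"C:\Users\reception\AppData\Local\Temp\kz8f1q.exe"},
    {"type": "process_start", "host": "FRONTDESK-01", "user": "reception", "parent": "cmd.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "command_line": r'mshta.exe "C:\Users\reception\Downloads\Payment_Information.hta"'},
    {"type": "process_start", "host": "FRONTDESK-01", "user": "reception", "parent": "explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'cmd.exe /c "C:\Users\reception\AppData\Local\Temp\Reservation_Form.bat"'},
    {"type": "registry_set", "host": "FRONTDESK-01", "user": "reception",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WinUpdSvc",
     "value": r"%AppData%\Roaming\kz8f1q\kz8f1q.exe"},
    {"type": "scheduled_task_created", "host": "FRONTDESK-01", "user": "reception",
     "task_name": "OneDriveSyncHelper", "action": r"C:\ProgramData\kz8f1q\kz8f1q.exe", "trigger": "logon"},
    {"type": "process_start", "host": "FRONTDESK-01", "user": "reception", "parent": "explorer.exe",
     "image": r"C:\Program Files\PMSVendor\FrontDesk.exe",
     "command_line": r'"C:\Program Files\PMSVendor\FrontDesk.exe"'},
]

if __name__ == "__main__":
    for hit in triage_events(SAMPLE_EVENTS):
        print(hit)
```

The last sample event, the vendor's front-desk application starting from Program Files, produces no match, which is the point of keying every rule on the user-writable locations rather than on file names: the advisory notes the names are randomized and the binaries recompiled, but the drop locations and Run keys are what persistence needs.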

Detection & Response Challenges

  • Attachments appear operationally legitimate
  • Malware is frequently recompiled
  • Encryption obscures network traffic
  • Front-desk systems often lack EDR
  • Shared workstations complicate attribution

Defensive Recommendations

  • Block .lnk, .iso, .hta, .js from email
  • Disable execution from user-writable paths
  • Enforce least-privilege access
  • Deploy EDR on all endpoints
  • Monitor outbound traffic patterns
  • Conduct targeted phishing awareness training
  • Segment booking systems from corporate networks

Final Takeaway

This campaign highlights how operational realism combined with mature malware can successfully compromise organizations that rely heavily on email-based workflows. The hospitality sector remains a prime target due to its volume of external communication, sensitive guest data, and often under-secured endpoints.

Without improved detection, segmentation, and staff awareness, infections caused by this campaign can persist undetected for extended periods, enabling more destructive follow-on attacks.


Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.