Strengthening Cybersecurity: A Multi-Layered Approach to Prevent Advanced Threats in Travel
by Ankit Anubhav, Nat Sakdasak
The travel industry thrives on trust — whether between hotels, Online Travel Agencies (OTAs), or service providers. But with that trust comes a unique set of cybersecurity challenges. Attackers know that trusted communication channels are an ideal target for spreading malware and launching phishing attacks. Agoda has observed one such campaign continuously attacking hotels since as early as 2022, which we internally refer to as “BoredFluff”.
Initially we thought this to be a one-off case of malware sent to a property. However, over time we started seeing multiple properties attacked with the same phishing lure and the same attack indicators, which helped us to profile this campaign.
Understanding the Threat: Exploiting Trusted Channels
One of the most concerning trends we observed involved attackers impersonating guests to trick hotel staff into clicking on malicious links. The attackers' playbook, as we observed it, is described below.
The attacker starts by sending an email to the target property, posing as a distressed guest. The email contains a URL on filetransfer[.]io or fluffy[.]cc which, when clicked, downloads an encrypted archive containing the malware executable. This executable is a loader malware called GuLoader.
The purpose of GuLoader is to download the Remcos remote access trojan (RAT) code hosted on Google Drive and inject it into a legitimate system process. The injected process is then used to extract the victim's credentials and exfiltrate them to the attackers, giving the attacker access to all the accounts used by the hotel.
From there, the malware could spread further, with the attacker sending additional phishing emails — now disguised as legitimate invoices or communications from the compromised hotel. This created a dangerous cycle where each compromised account became a new launching point for the attack.
Attack Evolution and Common Tactics
Over the two years we monitored BoredFluff, certain core tactics remained consistent, even as the campaign evolved. The emails used by attackers frequently featured:
- Consistent Theme: Attackers consistently used fake customer requests, often asking recipients to view a document or respond urgently. These requests typically included an image resembling a PDF thumbnail, making the email appear legitimate and luring recipients into downloading the malicious file.
- Email Body: The email body usually contained an image that looked like a PDF or another official document, hyperlinked to an encrypted archive hosted on external file-sharing platforms like fluffy[.]cc or filetransfer[.]io. The password for the archive was often included directly in the email, adding an extra layer of legitimacy to trick recipients into downloading and opening the file.
- Fake PDF Image with Hyperlink: These phishing emails frequently featured an image mimicking a PDF thumbnail, which was hyperlinked to a malware-hosting service. The archives inside typically contained GuLoader executables, which would load and execute Remcos RAT, or in rare cases, Nanocore RAT.
- BCC Usage and Urgent Themes: The attackers leveraged compromised email accounts from hotels or tourism agencies, sending phishing emails with a false sense of urgency, such as requests for immediate action. By using BCC, the attacker concealed the victim list from the recipients, making it harder for email filters to detect mass phishing attempts. However, there was an instance where the hackers mistakenly used CC instead of BCC, exposing the victim list, which will be discussed later.
Advanced Malware Techniques: GuLoader and Fileless Persistence
A key component of the BoredFluff campaign was the use of GuLoader, a loader that allowed attackers to deploy their payloads while avoiding traditional file-based detection methods. GuLoader is known for executing malicious code directly in memory, making it harder to detect and stop through conventional security tools.
NSIS Installer Distribution:
GuLoader frequently used the Nullsoft Scriptable Install System (NSIS), an open-source installer that let the attackers control installation behavior and extend its functionality by loading Dynamic Link Libraries (DLLs). GuLoader dropped an encrypted shellcode that was decrypted by an NSIS script; the attackers then used NSIS plugins such as system.dll to execute the deobfuscated shellcode via callback injection, using the CallWindowProcW() function.
This method allowed the attackers to:
- Utilize nested junk data folders to hide the payload.
- Extend installation functionality through DLL injection.
XOR Hammering:
To evade command-line detection, GuLoader used XOR hammering, where XOR instructions were executed one character at a time. This resulted in hundreds of small events on behavioral logs, none of which contained the full malicious code, making it harder for detection systems to identify the threat.
Fileless Persistence:
GuLoader also employed fileless persistence. The malicious payload was written as Unicode text into a value under the HKCU registry hive, bypassing file-based detection. The Windows command shell was then used to execute the payload via a Run entry created under HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
This tactic ensured that the malware was executed upon system startup, hiding within the registry and avoiding traditional file system scans. By not dropping any files on the disk, the malware was able to persist without leaving an obvious trail for forensic investigation.
Insights from Threat Actor’s Oversight
Despite the complexity of the attack, an oversight during its execution provided valuable insights that allowed us to better profile the group.
In one instance, target email addresses were placed in the CC field instead of the BCC field. This revealed the target list, which was entirely focused on the travel sector.
These recurring patterns made it clear that this was not an isolated incident but part of a well-organized campaign specifically targeting hotels. This raised a critical question for us: How does one defend against threats that initially seem like routine communications from trusted partners?
Building a Multi-Layered Defense
1. Mitigating Password-Protected Uncommon Archive Formats via Policies
Attackers frequently used archive formats like .lzh and .bz2 to deliver malware, knowing these uncommon file types could evade traditional email filters. Additionally, these files were often password-protected, complicating detection even further.
Blocking access to cloud services like filetransfer[.]io and fluffy[.]cc, which are commonly used for malware distribution, can help prevent these files from reaching the network. If blocking these services is impractical, setting security filters to flag and block uncommon archive formats such as .lzh and .bz2 coming from these domains can reduce the threat.
2. Preventing the disabling of AMSI (Antimalware Scan Interface)
In some cases, BoredFluff employed obfuscated PowerShell scripts to disable Windows AMSI, a security feature in Windows that helps detect and block malicious scripts before they are executed. Once AMSI was disabled, malware could run undetected by traditional antivirus programs.
Up-to-date endpoint security solutions with tamper protection enabled are critical for countering this. While legacy antivirus programs may miss such sophisticated attacks, modern solutions that focus on behavior-based detection can identify anomalies, such as unauthorized system modifications or attempts to disable security features, in real time.
3. Account Takeover Detection
Once hotel email accounts were compromised, attackers used these trusted accounts to send additional phishing emails, making it difficult to detect the malicious intent behind these communications.
Email security solutions with account takeover detection can mitigate this. These solutions monitor for unusual behaviors, such as logins from unexpected locations or devices, and flag suspicious activity even if it originates from a trusted email account. This allows organizations to detect and prevent further spread of the attack through compromised accounts. Additionally, limiting overly permissive allowlists for trusted hotels can help prevent attacks from previously legitimate email addresses.
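The kind of comparison an account takeover detector performs, shown as an added example rather than any vendor's product or Agoda's own tooling: each new login is compared with the account's trusted history (countries and devices seen before), and a change of country within a short window is also reported. Every login event, account name and device identifier below is constructed.

```python
"""Baseline-versus-new-login comparison of the kind account takeover detection
performs. Added example, not a vendor product: it flags a login from a country
or device an account has not used before, and a change of country within a
short window. All login events are constructed."""
from collections import defaultdict
from datetime import datetime

# Constructed history for a hotel mailbox: where and from what it normally logs in.
BASELINE_LOGINS = [
    {"account": "reservations@hotel.example", "ts": "2024-07-01T08:02:00+00:00", "country": "TH", "device_id": "front-desk-01"},
    {"account": "reservations@hotel.example", "ts": "2024-07-02T08:10:00+00:00", "country": "TH", "device_id": "front-desk-02"},
    {"account": "reservations@hotel.example", "ts": "2024-07-03T07:58:00+00:00", "country": "TH", "device_id": "front-desk-01"},
]

# Constructed new activity: two routine logins and one that looks like a takeover.
NEW_LOGINS = [
    {"account": "reservations@hotel.example", "ts": "2024-08-01T08:00:00+00:00", "country": "TH", "device_id": "front-desk-01"},
    {"account": "reservations@hotel.example", "ts": "2024-08-01T09:30:00+00:00", "country": "NG", "device_id": "unknown-77"},
    {"account": "reservations@hotel.example", "ts": "2024-08-02T08:00:00+00:00", "country": "TH", "device_id": "front-desk-02"},
]


def build_baseline(events):
    """Per account, the set of countries and devices seen in trusted history."""
    seen = defaultdict(lambda: {"countries": set(), "devices": set()})
    for e in events:
        seen[e["account"]]["countries"].add(e["country"])
        seen[e["account"]]["devices"].add(e["device_id"])
    return seen


def flag_logins(baseline, events, window_hours=4):
    """Return (account, ts, reasons) for each login that deviates from baseline."""
    alerts = []
    last = {}  # account -> (datetime, country) of the previous login seen
    for e in sorted(events, key=lambda x: x["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        reasons = []
        profile = baseline.get(e["account"])  # .get() does not create a default entry
        if profile is None:
            reasons.append("no baseline for account")
        else:
            if e["country"] not in profile["countries"]:
                reasons.append("new country")
            if e["device_id"] not in profile["devices"]:
                reasons.append("new device")
        prev = last.get(e["account"])
        if prev and prev[1] != e["country"] and (ts - prev[0]).total_seconds() < window_hours * 3600:
            reasons.append("country changed within window")
        last[e["account"]] = (ts, e["country"])
        if reasons:
            alerts.append((e["account"], e["ts"], reasons))
    return alerts


if __name__ == "__main__":
    for account, ts, reasons in flag_logins(build_baseline(BASELINE_LOGINS), NEW_LOGINS):
        print(f"{ts} {account}: {', '.join(reasons)}")
```

A single "new device" reason on its own is common (staff get new laptops), so in practice the reasons would feed a score rather than fire individually; the login that combines a new country, a new device and a country change inside a few hours is the one worth blocking or stepping up to 2FA.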
4. Phishing Simulations and Targeted Training
The BoredFluff campaign often relied on social engineering, with phishing emails designed to look like urgent guest requests or invoices. These tactics aimed to exploit human error, relying on recipients to click on malicious links or attachments.
Running phishing simulation exercises is an effective way to strengthen awareness. By mimicking real-world attacks and using fake hotel/guest lures, organizations can test their employees’ ability to spot phishing attempts. Those who fail the simulations can receive targeted training to help them avoid similar attacks in the future.
5. Avoiding Re-Infection
Even after detecting and neutralizing an attack, simply changing the password of a compromised email account isn’t enough to prevent re-infection. If the malware remains on the system, attackers can quickly regain access.
To fully prevent re-infection, it’s essential to ensure complete malware removal from the system. Persistence mechanisms, such as those hidden in the system registry, need to be identified and eliminated. Enabling two-factor authentication (2FA) on email accounts and platforms provides an additional layer of security, ensuring that even if credentials are compromised again, attackers cannot easily regain access.
Conclusion
Defending against increasingly sophisticated cyber threats requires a proactive, multi-layered approach, including continuous system monitoring and vigilance for signs of compromise. A key part of this strategy is identifying Indicators of Compromise (IOCs) — specific signals that can help detect malicious activity before it escalates into a larger issue.
Indicators of Compromise (IOCs)
To enhance your organization’s defenses, perform sweeps for the following IOCs:
Files
SHA256
Domains
- abdul2u.ddns[.]net
- akinbo.ddns[.]net
- december2nd.ddns[.]net
- atelilian99.ddns[.]net
- futuristic11.ddns[.]net
- discoveryvipshinjiru2law.ooguy[.]com
- 2meonline.ddnsgeek[.]com
- funkytothebone.giize[.]com
- www.sicoslanderfamilydog.gleeze[.]com
- sicoslanderfamilydog.gleeze[.]com
- kennyremcosbelintourismedleonline.gleeze[.]com
- kennynanobelintourismedleonline.dumb1[.]com
- kiwtreyy456rwty.duckdns[.]org
- futurist40.duckdns[.]org
- lockerrollercooller.mywire[.]org
- e-businessloader.mywire[.]org
- futurist2.ddns[.]net
- futurist40.ddns[.]net
- www.2meonline.ddnsgeek[.]com
- www.futurist40.duckdns[.]org
- www.e-businessloader.mywire[.]org
- mexbar.duckdns[.]org
- peurnick24.bumbleshrimp[.]com
- slucasanderson.ddns[.]net
C2 IP Addresses
- 194.147.140[.]186
- 103.212.81[.]158
- 212.87.204[.]153
- 2.59.254[.]160
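One way to run such a sweep over DNS and proxy logs, shown as an added example that is not part of the original post or Agoda's tooling: the defanged indicators are refanged, domains match exactly or as a parent of the observed host (so the www. variants listed above are caught by the bare entry), and IPs match exactly. The log line format and every log line are constructed, and only a subset of the indicators above is included.

```python
"""Sweep constructed DNS and proxy log lines for the defanged IoCs listed above.
Added example, not Agoda's tooling; the log format and every log line are
constructed, and only a subset of the page's indicators is included."""
import re
from urllib.parse import urlparse

# Defanged indicators copied from the lists above (subset) plus the two
# file-sharing hosts named in the post.
DEFANGED_DOMAINS = [
    "abdul2u.ddns[.]net",
    "akinbo.ddns[.]net",
    "2meonline.ddnsgeek[.]com",
    "lockerrollercooller.mywire[.]org",
    "filetransfer[.]io",
    "fluffy[.]cc",
]
DEFANGED_IPS = ["194.147.140[.]186", "103.212.81[.]158", "212.87.204[.]153", "2.59.254[.]160"]


def refang(ioc):
    """Turn the publication-safe form back into a matchable string."""
    return ioc.replace("[.]", ".").replace("hxxp", "http").strip().lower()


def build_matcher(domains, ips):
    """Return a function mapping a host or IP to the IoC it matches, or None.
    Domains match exactly or as a parent of the observed host; IPs match exactly."""
    dom_set = {refang(d) for d in domains}
    ip_set = {refang(i) for i in ips}

    def is_hit(observed):
        h = observed.lower().rstrip(".")
        if h in ip_set:
            return h
        for d in dom_set:
            if h == d or h.endswith("." + d):
                return d
        return None

    return is_hit


# Constructed format: <timestamp> <client ip> <dns|proxy> <query or URL>
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<kind>dns|proxy)\s+(?P<target>\S+)$")

SAMPLE_LOG = """\
2024-08-01T09:12:03Z 10.0.4.21 dns akinbo.ddns.net
2024-08-01T09:12:04Z 10.0.4.21 dns www.agoda.com
2024-08-01T09:13:10Z 10.0.4.33 proxy https://filetransfer.io/data-package/CONSTRUCTED/download
2024-08-01T09:14:55Z 10.0.4.21 proxy http://103.212.81.158/
2024-08-01T09:15:00Z 10.0.4.40 dns www.2meonline.ddnsgeek.com
2024-08-01T09:15:30Z 10.0.4.40 dns notddns.net
"""


def sweep(log_text, is_hit):
    """Return (timestamp, client, matched ioc) for each line that touches an IoC."""
    hits = []
    for raw in log_text.splitlines():
        m = LOG_LINE.match(raw.strip())
        if not m:
            continue  # skip lines that do not fit the expected format
        target = m["target"]
        # proxy lines carry a URL; reduce it to the host part before matching
        host = urlparse(target).hostname if "://" in target else target
        if host is None:
            continue
        ioc = is_hit(host)
        if ioc:
            hits.append((m["ts"], m["src"], ioc))
    return hits


if __name__ == "__main__":
    for ts, src, ioc in sweep(SAMPLE_LOG, build_matcher(DEFANGED_DOMAINS, DEFANGED_IPS)):
        print(f"{ts} {src} -> {ioc}")
```

The parent-domain match is deliberately anchored on the full indicator (`ddns.net` alone is never matched), since the dynamic-DNS providers in the list host plenty of legitimate names; a hit on filetransfer[.]io is a policy signal per point 1 above, not proof of infection, and should be paired with the archive-extension check.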
Detection Rules
Additionally, the following Sigma behavioral detection rules can be used to detect malware activity associated with the BoredFluff threat actor.
```yaml
title: BoredFluff Guloader - Suspicious Processes Connecting to Google Drive
id: f81e3b71-4450-4406-88b1-a6dfc0989c4e
status: test
description: Injected legitimate processes connecting to Google Drive to download encrypted next stage payload.
license: MIT
author: Agoda Security Research
date: 2024/08/01
modified: 2024/08/01
references:
    - https://agoda.com
tags:
    - attack.t1102
falsepositives:
    - Unknown
level: medium
logsource:
    product: windows
    category: network_connection
detection:
    selection:
        DestinationHostname: 'drive.google.com'
        Image|contains:
            - 'caspol.exe'
            - '\ielowutil.exe'
            - 'ieinstal.exe'
    condition: selection
```
```yaml
title: BoredFluff Guloader - PowerShell Obfuscation Via Hexadecimal XOR
id: 9c5a214d-b871-4002-9fb9-614441b3b697
status: test
description: Detects PowerShell process using Bitwise Exclusive OR Switch.
license: MIT
author: Agoda Security Research
date: 2024/08/01
modified: 2024/08/01
references:
    - https://agoda.com
tags:
    - attack.t1027
falsepositives:
    - Unknown
level: low
logsource:
    product: windows
    category: process_creation
detection:
    selection_process:
        - Image|endswith: '\powershell.exe'
        - OriginalFileName: 'powershell.exe'
    selection_command:
        CommandLine|contains: ' -bxor'
    condition: all of selection_*
```
```yaml
title: BoredFluff Remcos - DAT File Dropped
id: 02c9816f-a572-4b06-aa49-7d82b7672a42
status: test
description: Detects a suspicious DAT file dropped by Remcos malware in the folder path with default settings.
license: MIT
author: Agoda Security Research
date: 2024/08/01
modified: 2024/08/01
references:
    - https://agoda.com
tags:
    - attack.t1074
falsepositives:
    - Unknown
level: high
logsource:
    service: sysmon
    product: windows
detection:
    selection:
        EventID: 11
        # a path containing 'remcos' whose file name ends in .dat
        # ('\*.dat' with the contains modifier would only match a literal asterisk)
        TargetFilename|contains: 'remcos'
        TargetFilename|endswith: '.dat'
    condition: selection
```
```yaml
title: BoredFluff Guloader - Fileless persistence
id: 194da45b-d591-4228-b852-fa55caf1b229
status: test
description: Detects the fileless persistence in registry Run Key.
license: MIT
author: Agoda Security Research
date: 2024/08/01
modified: 2024/08/01
references:
    - https://agoda.com
tags:
    - attack.t1547
falsepositives:
    - Unknown
level: medium
logsource:
    product: windows
    category: registry_set
detection:
    selection_key:
        TargetObject|contains: '\CurrentVersion\Run'
    selection_valuedata:
        Details|contains|all:
            - ' -w 1'
            - 'Get-ItemProperty -Path'
    condition: all of selection_*
```
```yaml
title: BoredFluff Downloaded Archive File from Filetransfer
id: 37e4dcde-906b-4a93-ac7b-b41523079ff3
status: test
description: Detects suspicious archive files downloaded from FileTransfer service.
license: MIT
author: Agoda Security Research
date: 2024/08/01
modified: 2024/08/01
references:
    - https://agoda.com
tags:
    - attack.t1105
falsepositives:
    - Unknown
level: medium
logsource:
    category: proxy
detection:
    selection:
        c-uri-extension:
            - 'bz2'
            - 'lzh'
        cs-host|endswith: 'filetransfer.io'
    condition: selection
```
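To show how the selections and conditions in these rules actually combine (a map ANDs its fields, a list of maps ORs them, `|contains|all` requires every listed string, and `all of selection_*` requires every selection with that prefix), here is a small evaluator as an added example, not Agoda's tooling and not a Sigma backend. It supports only the modifiers these rules use, reduces each rule's logsource to a category string, transcribes three of the rules above into Python dicts, and runs them over constructed events that include one true positive per rule and benign look-alikes.

```python
"""Tiny evaluator for the Sigma-style selections above. Added example, not
Agoda's tooling: only the modifiers and condition forms the rules use are
supported, logsources are reduced to a category string, and every event is
constructed."""


def _match_value(value, pattern, modifiers):
    """Compare one field value with one pattern, case-insensitively,
    honouring the Sigma string modifiers present in the key."""
    if value is None:
        return False
    v, p = str(value).lower(), str(pattern).lower()
    if "contains" in modifiers:
        return p in v
    if "endswith" in modifiers:
        return v.endswith(p)
    return v == p


def _match_field(event, key, patterns):
    """'Field|mod: [p1, p2]' is OR over patterns, AND when '|all' is present."""
    field, *modifiers = key.split("|")
    if not isinstance(patterns, list):
        patterns = [patterns]
    hits = [_match_value(event.get(field), p, modifiers) for p in patterns]
    return all(hits) if "all" in modifiers else any(hits)


def match_selection(event, selection):
    """A map ANDs its fields; a list of maps ORs the maps (Sigma semantics)."""
    if isinstance(selection, list):
        return any(match_selection(event, s) for s in selection)
    return all(_match_field(event, k, v) for k, v in selection.items())


def evaluate(rule, event):
    """True when the event is in the rule's category and the condition
    ('<name>' or 'all of <prefix>*') holds."""
    if rule["category"] != event["category"]:
        return False
    det = rule["detection"]
    cond = det["condition"]
    if cond.startswith("all of "):
        prefix = cond[len("all of "):].rstrip("*")
        names = [n for n in det if n.startswith(prefix)]
        return all(match_selection(event, det[n]) for n in names)
    return match_selection(event, det[cond])


# Three of the rules above, transcribed into the dict shape the evaluator reads.
RULES = [
    {"title": "Suspicious Processes Connecting to Google Drive",
     "category": "network_connection",
     "detection": {
         "selection": {"DestinationHostname": "drive.google.com",
                       "Image|contains": ["caspol.exe", "\\ielowutil.exe", "ieinstal.exe"]},
         "condition": "selection"}},
    {"title": "PowerShell Obfuscation Via Hexadecimal XOR",
     "category": "process_creation",
     "detection": {
         "selection_process": [{"Image|endswith": "\\powershell.exe"},
                               {"OriginalFileName": "powershell.exe"}],
         "selection_command": {"CommandLine|contains": " -bxor"},
         "condition": "all of selection_*"}},
    {"title": "Fileless persistence",
     "category": "registry_set",
     "detection": {
         "selection_key": {"TargetObject|contains": "\\CurrentVersion\\Run"},
         "selection_valuedata": {"Details|contains|all": [" -w 1", "Get-ItemProperty -Path"]},
         "condition": "all of selection_*"}},
]

# Constructed events: one true positive per rule plus benign look-alikes.
SAMPLE_EVENTS = [
    {"category": "network_connection", "DestinationHostname": "drive.google.com",
     "Image": "C:\\Program Files\\Internet Explorer\\ieinstal.exe"},
    {"category": "network_connection", "DestinationHostname": "drive.google.com",
     "Image": "C:\\Program Files\\Google\\Chrome\\chrome.exe"},
    {"category": "process_creation", "OriginalFileName": "PowerShell.EXE",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -w 1 -c $b = 0x4a -bxor 0x21"},
    {"category": "process_creation", "OriginalFileName": "Cmd.Exe",
     "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd /c dir"},
    {"category": "registry_set",
     "TargetObject": "HKU\\S-1-5-21-CONSTRUCTED\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
     "Details": "powershell -w 1 -c (Get-ItemProperty -Path HKCU:\\Software\\CONSTRUCTED).p"},
    {"category": "registry_set",
     "TargetObject": "HKU\\S-1-5-21-CONSTRUCTED\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive",
     "Details": "C:\\Users\\u\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"},
]


def run_rules(events, rules=RULES):
    """Return (event index, rule title) for every rule that fires."""
    return [(i, r["title"]) for i, e in enumerate(events) for r in rules if evaluate(r, e)]


if __name__ == "__main__":
    for idx, title in run_rules(SAMPLE_EVENTS):
        print(f"event {idx}: {title}")
```

Running it fires exactly once per rule: the Internet Explorer helper reaching drive.google.com, the PowerShell launch carrying ` -bxor`, and the Run value that both hides its window and reads its payload back out of the registry; Chrome reaching Drive, a plain cmd.exe and a normal OneDrive Run entry stay silent. The case-insensitive comparison matters for the OriginalFileName check, since Windows reports it as `PowerShell.EXE`.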
