TONResolver

Attackers are targeting employees of Booking.com partner companies in Japan, using phishing emails that impersonate guest complaints and review requests to trick hotel staff into executing malicious files.

the infection began when the user clicked a shortcut link file (LNK) disguised as a photo file within the zip archive.

In this attack, a zip file was downloaded by accessing a hyperlink to a suspicious web site, and the infection began when the user clicked a shortcut link file (LNK) disguised as a photo file within the zip archive.

The script then executes Invoke-WebRequest against the reconstructed domain, saves the retrieved PS1 file (PowerShell script file) under "%TEMP%", and executes it with PowerShell.

The JavaScript file executed with arguments by node.exe (detection name: TrojanSpy.JS.TONRESOLVER.A) was identified as malware functioning as a remote access trojan (RAT).

The infection begins when a user downloads a zip file via a hyperlink in the email and executes a shortcut link file (LNK) disguised as a photo (PNG) file contained within the archive.

Checking and setting Run key persistence (HKCU:\Software\Microsoft\Windows\CurrentVersion\Run)

Checking and setting Run key persistence (HKCU:\Software\Microsoft\Windows\CurrentVersion\Run)

This RAT malware employs VM-based obfuscation, making it impossible to reveal details through pure static analysis alone.

the infection began when the user clicked a shortcut link file (LNK) disguised as a photo file within the zip archive.

The deployed executable was observed performing operations on the following folders and involving the “C:\Windows\System32\lsass.exe” process.

These folders contain browser-stored password SQLite DBs, Cookie DBs, History, autofill, bookmark information, and other data, raising suspicion of exfiltration by the attacker.

The endpoint information transmission in type:4 was confirmed to contain the following information... the endpoint's username, hostname

The endpoint information transmission in type:4 was confirmed to contain the following information... the endpoint's username, hostname, as well as OS, CPU core count, memory information, and MAC address hardware information.

The deployed executable was observed performing operations on the following folders... C:\Users\<UserName>\AppData\Local\Google\Chrome\User Data\ C:\Users\<UserName>\AppData\Local\Microsoft\Edge\User Data\

Connection to C&C domain via WebSocket communication | At this point, the server verifies whether the User-Agent contains the string "Powershell." If "Powershell" is not present ... if "Powershell" is present, a 200 OK response returns the PS1 file script string.

the malware abuses The Open Network (TON) blockchain platform as a dead drop resolver, a technique that allows attackers to update their command-and-control (C&C) server destination without hardcoding it into the malware

If Node.exe does not exist, “node-v24.13.0-win-x64.zip” is retrieved from the official Node.js website (nodejs.org) and extracted under "%USERPROFILE%\AppData\Local\Nodejs."

The JavaScript file executed with arguments by node.exe (detection name: TrojanSpy.JS.TONRESOLVER.A) was identified as malware functioning as a remote access trojan (RAT).

Keepalive every 20 seconds