TONResolver RAT Abuses TON Blockchain for C2 in Attacks on Japan's Hotel Industry
A new Remote Access Trojan, TONResolver, is targeting Japan's hotel sector by impersonating Booking.com in phishing attacks, uniquely leveraging the TON blockchain for resilient command-and-control communications.

Security researchers have identified a new threat actor employing a sophisticated Remote Access Trojan (RAT) dubbed TONResolver, which is actively targeting employees within Japan's hotel industry. The campaign utilizes phishing emails that impersonate Booking.com, a popular online travel agency, to trick recipients into downloading malicious attachments. These emails are designed to appear as legitimate guest complaints or review requests, preying on the operational needs of hotel staff.
The primary vector involves emails with subject lines such as "Important: Guest Stay Review Request" or "Important: Notification Regarding a Serious Complaint from a Guest." These messages often contain links to malicious websites or direct downloads of ZIP archives. Upon opening these archives, users are prompted to click on a malicious shortcut file (LNK) disguised as an image, initiating the malware's execution. The attackers have also employed more advanced tactics, including conversational phishing campaigns via Gmail, where they build initial trust with the target before delivering a malicious URL, a technique often associated with advanced persistent threats.
What sets TONResolver apart is its innovative use of the TON (The Open Network) blockchain for its command-and-control (C2) infrastructure. Instead of relying on traditional, easily identifiable C2 servers, the malware stores the C2 server domain within a TON smart contract. This allows the attackers to dynamically update the server destination without needing to modify the malware itself. This makes the C2 infrastructure highly resilient, as it can be changed on the fly if a server is detected, blocked, or taken down, significantly complicating efforts to disrupt the campaign.
Analysis of the phishing emails revealed that they often leverage the notification functionality of scheduling tools, bypassing standard email authentication mechanisms like SPF, DKIM, and DMARC. The content of the emails, including fabricated guest complaints about issues like bed bugs, is crafted to elicit an urgent response from hotel staff, increasing the likelihood of them clicking malicious links or downloading infected files. Both Japanese and English-language phishing emails have been observed, suggesting a broad targeting strategy within the hospitality sector.
Once deployed, TONResolver functions as an initial access tool and a command execution foothold. The infected endpoints remain in a persistent loop, awaiting instructions from the attackers. This allows for further malicious activities, including potential credential theft and the deployment of additional malware. The persistent nature of the infection poses an ongoing risk to the targeted organizations as long as the RAT remains active on their systems.
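Because the C2 domain can be rotated through the smart contract, blocking a single hostname is a weak control; the behaviour that does not change is the infected endpoint polling in a fixed loop. The following example, added here and not code from the report, shows one way to surface that behaviour from ordinary proxy logs: group events by (source host, destination), and flag pairs whose inter-request intervals are both short and nearly constant (low coefficient of variation). The log excerpt, hostnames, and the five-minute interval are all constructed for the demonstration; the report gives no beacon period, so the thresholds are assumptions to tune against your own baseline.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log excerpt: UTC timestamp, source host, destination host.
# Hostnames are placeholders, not indicators from the report. Lines are
# deliberately out of order to show that the analysis sorts per pair.
SAMPLE_LOG = """\
2024-05-01T09:00:00Z FRONTDESK-PC1 updates-cdn.invalid
2024-05-01T09:00:07Z FRONTDESK-PC2 www.example.com
2024-05-01T09:05:00Z FRONTDESK-PC1 updates-cdn.invalid
2024-05-01T09:00:40Z FRONTDESK-PC2 www.example.com
2024-05-01T09:10:02Z FRONTDESK-PC1 updates-cdn.invalid
2024-05-01T09:07:15Z FRONTDESK-PC2 www.example.com
2024-05-01T09:15:00Z FRONTDESK-PC1 updates-cdn.invalid
2024-05-01T09:30:00Z FRONTDESK-PC2 www.example.com
2024-05-01T09:20:01Z FRONTDESK-PC1 updates-cdn.invalid
2024-05-01T09:31:05Z FRONTDESK-PC2 www.example.com
2024-05-01T09:24:59Z FRONTDESK-PC1 updates-cdn.invalid
"""


def parse_log(text: str) -> list[tuple]:
    """Parse 'timestamp src dst' lines into (datetime, src, dst) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        # Normalise the trailing 'Z' so fromisoformat works on Python < 3.11.
        records.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), src, dst))
    return records


def beacon_candidates(records, min_events=5, max_cv=0.05, max_interval=3600):
    """Return (src, dst) pairs whose request timing looks like a polling loop.

    A pair qualifies when it has at least min_events requests, the mean gap is
    at most max_interval seconds, and the gaps vary by no more than max_cv
    (population std dev divided by mean). Human browsing is bursty and fails
    the variance test; a loop with a fixed sleep passes it.
    """
    by_pair = defaultdict(list)
    for ts, src, dst in records:
        by_pair[(src, dst)].append(ts)

    hits = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg == 0 or avg > max_interval:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits.append({
                "src": src,
                "dst": dst,
                "events": len(times),
                "mean_interval_s": round(avg, 1),
                "cv": round(cv, 4),
            })
    return hits


if __name__ == "__main__":
    for hit in beacon_candidates(parse_log(SAMPLE_LOG)):
        print(f"{hit['src']} -> {hit['dst']}: {hit['events']} events, "
              f"every ~{hit['mean_interval_s']}s (cv={hit['cv']})")
```

In production this runs over a much longer window and pairs the timing signal with context the article points to: a destination first seen recently, a process that is not a browser, and a host in a department that received the Booking.com-themed mail. Timing alone will also catch legitimate update checks, so treat the output as a triage queue rather than an alert.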
The observed telemetry data indicates a significant prevalence of access attempts from the Japan region, confirming the focus of this particular campaign. However, the use of English-language lures and conversational tactics suggests the potential for broader applicability and adaptation to other regions or industries. The attackers' ability to swap C2 servers via the TON blockchain makes this a challenging threat to track and mitigate effectively.
This campaign highlights a growing trend of threat actors leveraging novel technologies and sophisticated social engineering tactics to bypass traditional security measures. The use of blockchain for C2 infrastructure represents a significant evolution in malware resilience, demanding new approaches to threat detection and response from cybersecurity professionals.