The Latest in IT Security

Malicious hotel transaction spam


Over the past couple of days we have been seeing numerous spam emails which claim that a wrong transaction was made on your credit card from a hotel.
The subject lines look similar to the following two subjects, with varying hotels

Hotel Sutton Place made wrong transaction
Wrong transaction from your credit card in Four Seasons Resort Scottsdale

We have also seen several different message bodies that try to explain, in fairly bad English, that your credit card has been charged by a hotel and that in order to get your money back you will need to fill in an attached form and send it to your bank.

Dear Guest!
Transaction: Visa 86878_j
This letter notifies that on July 26th, 2011 Hotel made wrong writing-down from your credit account. Total sum of decommissioning is $1937
Due to the termination of service contract between Hotel Melia Deviana and Moverick Company this Hotel was divested accreditation in our company.
For the return of funds please contact your bank and fill information in the attached form.
The detailed copy of made writing-down you can find in the attachment.
Company just mediates and bears no responsibility for any money transactions made by Hotel.
Thank you for understanding. We trust you can solve this unpleasant problem.

Alexander Hargrave,
Manager of Reception Desk & Reservation Departament

Dear Client!
Transaction: Visa 4098_6e
On July 26th, 2011 Hotel made wrong transaction decommissioning from your credit card totaling $1037.
This partner hotel was divested accreditation in Moverick Company with reference of noncompliance of the service contract.
Please see the attached form. You need to fill it in and contact your bank for the return of funds.
In the attachment you will find expense sheet with the sum of wrong transaction writing-down.
Company just mediates and bears no responsibility for any money transactions made by Hotel.
Thank you for understanding. We trust you can solve this unpleasant problem.

Caleb Anketil,
Manager of Reception Desk & Reservation Departament


Attached is a Zip file named, where XXX is a random three digit number. Inside this Zip file is an executable file; Refund-Form.exe which has an icon likely intended to deceive unsuspecting victims into thinking that it is in fact some type of form which they can view.

The executable inside the 'RefundForm' Zip file


Once executed this malware downloads the file soft.exe from yomwarayom2001[dot]ru ( This did not run straight away so we ran it on a separate test machine and verified that this is a fake AV product named ‘Security Protection’.

A further HTTP request is sent to, shown below, which requests a module called ‘grabbers’ from load.php.

The HTTP request and response for the encrypted password stealer


The file that is retrieved, called ‘update.dat’ is in fact an encrypted Windows dll file. Once decrypted we discovered that it was a password stealer which targets a huge number of applications including instant messaging programs, poker clients, FTP clients and web browsers looking for stored passwords.

Screenshot of the disassembled password stealer showing some of the targeted applications.


Almost a day later, with still no visible signs that our test machine was infected, the HTTP request below was sent which downloaded the file 1036.exe.

HTTP download of 1036.exe


Within minutes of this download finishing, a fake AV program called ‘Personal Shield pro’ was launched.

Both the attached executable files and those that were downloaded after the initial infection had very low detection rates among anti-virus engines, which highlights the need to be very cautious when opening email attachments and to keep anti-virus software up to date.


Thanks to Rodel Mendrez for his investigation into the password stealer component.

Leave a reply


FRIDAY, MARCH 01, 2024

Mission-Critical Broadband – Why Governments Should Partner with Commercial Operators:
Many governments embrace mobile network operator (MNO) networks as ...

ARA at Scale: How to Choose a Solution That Grows With Your Needs:
Application release automation (ARA) tools enable best practices in...

The Multi-Model Database:
Part of the “new normal” where data and cloud applications are ...



Latest Comments