Cybercrime Group TA558 Steps Up Email Attacks Against Hotels


This year, a small cybercrime actor is increasing the number of malicious emails sent to hotels and related hospitality businesses, with the aim of delivering a diverse set of remote access Trojans (RATs) capable of stealing information.

Although first observed in 2018, the threat actor tracked as TA558 by Proofpoint has accelerated its operational tempo, with researchers observing 51 campaigns so far this year. Over the past four years, the group has evolved its tactics and diversified the RATs deployed in its campaigns, primarily targeting victims in Latin America, with additional targeting seen in Western Europe and North America.

“TA558 is an interesting threat actor targeting hospitality and travel organizations with unique lures referencing things like reservations and bookings,” said Sherrod DeGrippo, vice president of threat research and detection at Proofpoint. “While we don’t have visibility into the actor’s ultimate goals, it’s possible that compromises could impact both organizations in the travel industry and potential customers who have used them for Organizations in these and related sectors should be aware of the activities of this actor and take precautions to protect themselves.”

The attackers evolved from sending emails with malicious Word documents that exploited Equation Editor vulnerabilities (for example, the remote code execution flaw CVE-2017-11882) to distributing malicious Office documents with VBA macros that download and install malware. Starting in 2022, however, the threat actor followed in the footsteps of many other attackers and began using container files such as RAR and ISO attachments rather than macro-enabled Office documents. The change is likely a response to Microsoft’s announcements in late 2021 that it would disable macros by default in Office products, prompting threat actors to adopt new file types to deliver payloads. TA558 also started using URLs more frequently in 2022, with links leading to container files that hold executables. So far this year, 27 campaigns have leveraged URLs, compared to five campaigns between 2018 and 2021.

The malicious emails are typically written in Portuguese, Spanish, or English and use reservation-themed lures, in many cases claiming to concern hotel room bookings. In some cases, the attackers have imitated technology services by using the terms “Google Drive”, “Microsoft”, and “Firefox” in payload URLs or C2 domain names. In April, researchers also discovered the threat actor using a new lure centered on a QuickBooks invoice to distribute RevengeRAT, although they said it was unclear why the group had temporarily pivoted to this lure.
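The delivery and lure patterns described in the two paragraphs above (container-file attachments replacing macro documents, URLs that lead to container files, reservation- or QuickBooks-themed subjects, and brand names such as “Google Drive” or “Microsoft” embedded in hostnames the brand does not own) translate directly into mail-gateway triage heuristics. The following is an added example, not Proofpoint’s detection logic or code from the article; the message field names, the keyword and extension lists, the brand-to-domain allowlist, and the sample messages are all constructed assumptions.

```python
"""Triage heuristics for the lure and delivery patterns the article attributes
to TA558. Added example with constructed data; field names, keyword lists and
the brand allowlist are assumptions, not a vendor's detection logic."""
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Container formats the article says replaced macro documents in 2022
# (assumed list of extensions a gateway would treat as "container").
CONTAINER_EXTENSIONS = (".iso", ".rar", ".img", ".zip", ".7z")

# Lure words in the three languages the article names, plus the QuickBooks
# theme seen in April (constructed keyword list).
LURE_KEYWORDS = ("reserva", "reservación", "reservation", "booking", "quickbooks")

# Brand tokens the article reports in payload URLs / C2 names, mapped to the
# registered domains where each brand legitimately lives (assumed allowlist).
BRAND_DOMAINS = {
    "google": ("google.com", "googleusercontent.com"),
    "microsoft": ("microsoft.com", "live.com", "office.com"),
    "firefox": ("mozilla.org",),
}


@dataclass
class Message:
    """Minimal mail metadata record (hypothetical schema)."""
    sender: str
    subject: str
    attachments: list = field(default_factory=list)
    urls: list = field(default_factory=list)


def registered_domain(hostname: str) -> str:
    """Naive eTLD+1: the last two labels of the hostname (assumption; a real
    deployment would use the public suffix list)."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname.lower()


def brand_impersonating_url(url: str) -> bool:
    """True when the hostname contains a brand token but the registered
    domain is not one the brand actually owns."""
    host = (urlparse(url).hostname or "").lower()
    domain = registered_domain(host)
    return any(token in host and domain not in legit
               for token, legit in BRAND_DOMAINS.items())


def triage(msg: Message) -> list:
    """Return the list of reasons this message matches the described pattern
    (empty list means no heuristic fired)."""
    reasons = []
    subject = msg.subject.lower()
    if any(k in subject for k in LURE_KEYWORDS):
        reasons.append("lure keyword in subject")
    for name in msg.attachments:
        if name.lower().endswith(CONTAINER_EXTENSIONS):
            reasons.append(f"container attachment: {name}")
    for url in msg.urls:
        parsed = urlparse(url)
        if brand_impersonating_url(url):
            reasons.append(f"brand-impersonating url host: {parsed.hostname}")
        if parsed.path.lower().endswith(CONTAINER_EXTENSIONS):
            reasons.append(f"url leads to container file: {url}")
    return reasons


def triage_all(messages) -> dict:
    """Map each message subject to its triage reasons."""
    return {m.subject: triage(m) for m in messages}


# Constructed sample messages; .test / example.net names are reserved and
# resolve nowhere.
SAMPLE_MESSAGES = [
    Message(sender="reservas@example-travel.test",
            subject="Reserva de hotel - confirmación",
            attachments=["Reserva_0457.iso"]),
    Message(sender="billing@example.test",
            subject="QuickBooks invoice 8831",
            urls=["http://googledrive-download.example.net/files/invoice.rar"]),
    Message(sender="frontdesk@hotel.test",
            subject="Shift schedule",
            attachments=["schedule.pdf"],
            urls=["https://docs.google.com/spreadsheets/d/abc"]),
]

if __name__ == "__main__":
    for subject, reasons in triage_all(SAMPLE_MESSAGES).items():
        print(subject, "->", reasons or ["no match"])
```

The two message-level signals that matter most here are the container attachment and the URL whose path ends in a container extension; the subject keywords alone fire on plenty of legitimate hotel mail, so they are best treated as a score contributor rather than a block on their own. The `docs.google.com` link in the third sample shows the allowlist doing its job: the brand token is present, but the registered domain is the brand’s own, so no alert is raised.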

The malicious emails usually have the end goal of deploying RATs, and in recent years the threat actor has alternated between at least 15 different known malware families. These RATs have included Loda, a remote access Trojan written in AutoIT with capabilities to steal usernames, passwords, and browser cookies; Vjw0rm, a modular JavaScript RAT with self-propagation and information-stealing capabilities; AsyncRAT, typically used by crimeware groups and APTs to remotely monitor and control compromised devices; and Revenge RAT, which can capture screen, video, and audio on devices, log keystrokes, and dump credentials.

These malware families can steal hotel user and credit card information, and they allow attackers to move laterally through the network and deliver follow-on payloads. For hotels, the potential impact of these types of attacks includes the theft of corporate and guest data and potential financial loss, the researchers said. As seen in previous cyberattacks against high-profile hotel brands such as Marriott, MGM Resorts International, and Hilton, threat actors have targeted the financial, payment card, or password data of hotel guests in various attacks.

“The increase in TA558 activity this year is not indicative of increased activity targeting the travel and hospitality industries in general,” DeGrippo said. “However, organizations in these industries should be aware of TTPs…and ensure employees are trained to recognize and report phishing attempts when identified.”
