Hotels and travel firms targeted by the TA558 threat group

August 22, 2022

Security researchers have detected a significant rise in the activity of a threat group dubbed TA558, whose operations are mostly directed at phishing campaigns against hotels and travel firms. In this campaign, TA558 was seen using 15 different malware strains to gain access to targeted systems, spy on victims, and steal data and money.

In its most recent phishing campaigns, the group has been observed attaching RAR and ISO files to its email messages. This is a change from TA558's previous tactic of attaching macro-laced documents to the emails.


The actors target travel and hospitality firms by impersonating conference organisers, tourist agents, and other senders whose messages would easily attract the victims' attention.


Researchers also noticed that the phishing emails targeting hotel and travel firms were written in three languages, including English, Portuguese, and Spanish, directed toward victims in Latin America, Western Europe, and North America.

If a victim clicks the URL in the email, which is presented as a reservation link, an ISO file is downloaded from an unknown remote source. Once the ISO is opened, the mounted archive presents a batch file that launches a PowerShell script. This script starts further processes that eventually drop a malware or RAT payload onto the compromised system.
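One way a defender can turn the ISO-to-batch-to-PowerShell chain above into a detection, as an added example that is not part of the original article or the researchers' findings: it scans constructed Sysmon-style process-creation events for PowerShell launched by cmd.exe running a batch file from a non-system drive letter, which is where a mounted ISO is typically assigned. The sample events, field names and the drive-letter heuristic are assumptions for illustration.

```python
import re

# Constructed Sysmon Event ID 1 style records (not real telemetry from the
# campaign). Event 2 reproduces the chain described above: cmd.exe runs a
# batch file from a mounted ISO (drive E:), which then launches PowerShell.
# Event 3 is a benign admin script on the system drive and must not match.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "parent_command_line": r"C:\Windows\explorer.exe",
     "command_line": r'cmd.exe /c "E:\Reservation_2022.bat"'},
    {"id": 2, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "parent_command_line": r'cmd.exe /c "E:\Reservation_2022.bat"',
     "command_line": r"powershell.exe -w hidden -ep bypass -f E:\stage.ps1"},
    {"id": 3, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "parent_command_line": r'cmd.exe /c "C:\Scripts\backup.bat"',
     "command_line": r"powershell.exe -f C:\Scripts\backup.ps1"},
]

# Heuristic (assumption): a .bat/.cmd path on any drive letter other than the
# system drive (C:). Mounted ISOs and removable media get such letters, while
# scheduled admin scripts usually live on the system drive.
BATCH_ON_NON_SYSTEM_DRIVE = re.compile(r'(?i)\b[d-z]:\\[^"\s]*\.(?:bat|cmd)\b')


def is_powershell(image: str) -> bool:
    return image.lower().endswith(("powershell.exe", "pwsh.exe"))


def is_cmd(image: str) -> bool:
    return image.lower().endswith("cmd.exe")


def find_iso_batch_chains(events) -> list:
    """Return ids of PowerShell launches whose parent cmd.exe ran a batch
    file from a non-system drive letter (the mounted-ISO lure pattern)."""
    hits = []
    for ev in events:
        if not (is_powershell(ev["image"]) and is_cmd(ev["parent_image"])):
            continue
        if BATCH_ON_NON_SYSTEM_DRIVE.search(ev.get("parent_command_line", "")):
            hits.append(ev["id"])
    return hits


if __name__ == "__main__":
    print("suspicious event ids:", find_iso_batch_chains(SAMPLE_EVENTS))
```

A real deployment would also correlate the ISO download itself (browser or mail-client child process writing a .iso) and PowerShell's own child processes, which the article notes are what finally drop the RAT.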

Some of the RAT payloads identified as dropped by the threat group include AsyncRAT, Revenge RAT, CaptureTela, XtremeRAT, and BluStealer.

Once the RAT payloads are running on the compromised systems, TA558 begins moving through the victims' network to steal critical data, including customer information and credit card details. The malware also lets the group modify the victims' client-facing websites to redirect payment transactions into accounts under their control.

TA558 also profits from its activities by selling the stolen credit card details and PII to other threat groups. The group has previously blackmailed high-interest entities and sold access to the compromised networks of hotels and travel firms to ransomware groups.
