Cybercrime group TA558 is behind a malware campaign targeting hospitality, hotel and travel organizations in Latin America
Researchers from Proofpoint are monitoring a malware campaign carried out by a cybercrime group, tracked as TA558, targeting hospitality, hotel and travel organizations in Latin America.
The group is a small cybercrime threat actor that has been active since at least April 2018 and has used multiple malware families in its attacks, including Loda RAT, Vjw0rm, and Revenge RAT.
The malware has been repurposed to steal personal and financial data of hotel customers, including credit card details, to perform lateral movements and deliver payloads.
The group primarily targets Portuguese and Spanish speakers, but experts also observed attacks targeting entities in Western Europe and North America.
The gang’s activity increased in 2022. The attack chain begins with phishing campaigns that use reservation-themed lures, such as hotel reservations.
“In 2022, Proofpoint has seen an increase in activity compared to previous years. Additionally, TA558 changed tactics and began using URLs and container files to distribute malware, likely in response to Microsoft’s announcement that it would begin blocking VBA macros downloaded from the Internet by default,” reads the analysis published by Proofpoint.
Attacks carried out between 2018 and 2021 used emails with weaponized Word documents containing exploits or malicious macros. Upon opening the files, the infection process began.
In recent attacks, the cybercrime group started using malicious URLs, RAR attachments, ISO attachments and Office documents to deliver malware. The move is a response to Microsoft’s decision to disable macros by default in Office products.
Proofpoint reported that out of 51 campaigns carried out by the threat actor in 2022, 27 used URLs pointing to ISO files and ZIP archives, while from 2018 to 2021 only five campaigns used this technique.
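The shift described above (container attachments and URLs pointing at ISO/ZIP files, paired with reservation-themed lures) is something a mail-security team can score for at the gateway. The script below is an added example written for this page, not Proofpoint's or Security Affairs' code; the message records, the scoring weights, the threshold and the Portuguese/Spanish spellings of the lure keywords are constructed assumptions for illustration.

```python
"""Triage of email-gateway records for TA558-style delivery traits.

Added example (not Proofpoint's or the article's code). It scores
constructed message records for the traits described in the article:
container attachments (ISO/RAR/ZIP), URLs whose path ends in a container
file, and reservation-themed lure subjects. Weights, threshold and the
sample records are assumptions made for this illustration.
"""
import re
from dataclasses import dataclass, field
from typing import List, Tuple
from urllib.parse import urlparse

# Container formats named in the article (plus .img as an assumed sibling).
CONTAINER_EXT = {".iso", ".rar", ".zip", ".img"}
OFFICE_EXT = {".doc", ".docm", ".xls", ".xlsm"}

# Lure terms: "reservation" themes and "CDT" come from the article; the
# Portuguese/Spanish forms are an assumption added for illustration.
LURE_TERMS = re.compile(r"\b(reserv(a|ation|ación)|booking|cdt)\b", re.IGNORECASE)


@dataclass
class Message:
    sender: str
    subject: str
    attachments: List[str] = field(default_factory=list)
    urls: List[str] = field(default_factory=list)


def _ext(name: str) -> str:
    """Lower-cased file extension including the dot, or '' if none."""
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 else ""


def score_message(msg: Message) -> Tuple[int, List[str]]:
    """Return (score, reasons); a higher score means more TA558-like traits."""
    score, reasons = 0, []
    for att in msg.attachments:
        if _ext(att) in CONTAINER_EXT:
            score += 2
            reasons.append(f"container attachment {att}")
        elif _ext(att) in OFFICE_EXT:
            score += 1
            reasons.append(f"office attachment {att}")
    for url in msg.urls:
        # Only the URL path is inspected, so query strings do not fool _ext().
        if _ext(urlparse(url).path) in CONTAINER_EXT:
            score += 2
            reasons.append(f"url to container file {url}")
    if LURE_TERMS.search(msg.subject):
        score += 1
        reasons.append("reservation-themed subject")
    return score, reasons


def triage(messages: List[Message], threshold: int = 3):
    """Return (message, score, reasons) for messages at or above the threshold."""
    flagged = []
    for m in messages:
        s, r = score_message(m)
        if s >= threshold:
            flagged.append((m, s, r))
    return flagged


# Constructed sample records (not real campaign data).
SAMPLE = [
    Message("reservas@example-hotel.test", "Reserva de hotel - confirmación",
            urls=["http://example-hotel.test/docs/reserva_0423.iso"]),
    Message("booking@example.test", "Hotel reservation details",
            attachments=["reservation_details.rar"]),
    Message("hr@example.test", "Quarterly newsletter",
            attachments=["newsletter.pdf"], urls=["https://example.test/news"]),
]

if __name__ == "__main__":
    for m, s, r in triage(SAMPLE):
        print(s, m.subject, "|", "; ".join(r))
```

The first two sample messages score 3 (container delivery plus a reservation lure) and are flagged; the newsletter scores 0. In practice the score would be one input to a quarantine or sandbox-detonation rule rather than a block decision on its own, since legitimate booking confirmations share the lure vocabulary.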
Proofpoint reported that since 2018, TA558 has used at least 15 different malware families, in some cases sharing the same C2 infrastructure. The gang leverages compromised hotel websites to host malicious payloads.
The threat actor often changes language within the same week in an attempt to evade detection and attribution.
Multiple patterns are also evident in the TA558 campaign data, including the use of certain strings, naming conventions, keywords and domains. For example, the attackers often used the term CDT in email attributes and malware, which relates to the CDT Travel organization and to travel-booking lure themes.
“TA558 has been an active threat actor targeting the hospitality, travel and related industries since 2018. Activity conducted by this actor can lead to data theft of corporate and customer data, as well as possible financial loss,” the report concludes.
“Organizations, especially those operating in target sectors in Latin America, North America and Western Europe, should be aware of this actor’s tactics, techniques and procedures.”