Elain Brown Tech 08.21.2022 21:Aug PM EDT

Hotels, Travel Companies are Targeted by Hacker Using Fake Reservations

A malicious group tracked as TA558 is causing havoc on the hospitality industry.

TA558 is a group of threat actors that has been conducting activities alike since 2018. However, security researchers have detected that activities from the group have been seen to have an uptick for the past few months.

The malicious actors are targeting specific industries relating to hospitality. The attacks are usually carried out against travel agencies and hotel companies.

TA558 Hacking

The TA558 hacking group has been tracked by researchers since its malicious campaigns in 2018. The hacking group has since then been known to be a financially motivated group.

According to BleepingComputer, TA558 targets the hospitality industry in places like western Europe, North America, and Latin America. The actors compromise these organizations through malicious phishing campaigns written in English, Spanish, and Portuguese.

These emails are sent to travel companies, luring them to click it by using reservation or business related inquiries just like hotel room bookings.

It is possible that the emails contain malicious attachments or URLs that attempt to distribute one of at least 15 different payloads of malware.

These payloads are often remote access trojans (RATs), which can enable reconnaissance, data theft, and the dissemination of follow-on payloads.

The actors have been fracked through payload domains, delivery and installation techniques, command and control (C2) infrastructure, and a variety of email artifacts.

In addition, the malwares deployed by the group using phishing emails can steal credit card data which makes it a real threat to anyone affected.

TA558 Methodology

The attacks conducted by TA558 had seen a significant increase in 2022.

According to the investigation conducted at Proofpoint, in 2022, 90% of the malicious campaigns conducted by the threat actors have been in Spanish and Portuguese. Languages are frequently switched by the threat actor within the same week.

TA558 has utilized at least 15 distinct types of malware, which oftentimes share command and control (C2) domains.

Campaigns distributed a variety of malicious software, including Loda, Revenge RAT, Vjw0rm, and AsyncRAT, amongst others.

The actors distribute their malware via a wide variety of delivery methods, such as URL attachments, RAR attachments, ISO attachments, and Office documents.

In the year 2022, the actors switched from utilizing macro-enabled Office documents to instead making use of container files such as RAR and ISO attachments.

This is probably because Microsoft made pronouncements in late 2021 and early 2022 about banning macros by default in Office products. These announcements prompted a shift in the threat landscape, which resulted in actors adopting new file types in order to deliver payloads.

Comparatively, TA558 only ran a total of five advertisements from 2018 through 2021, but in 2022, the company ran 27 campaigns that used URLs.

Hacker's Motivation

The reemergence of the group and the uptick in its campaign might possibly be due to the resumption of tourism activities. The restrictions of COVID-19 pandemic around the world have become less stringent and people are allowed to travel more, hence the increase in the number of victims as well.

Since 2018, TA558 has been an active threat actor that targets the hospitality industry, travel, and other industries related to these sectors.

The activity carried out by this actor may result in the theft of data affecting both the company and its customers, in addition to the possibility of monetary losses.

Proofpoint, after analyzing the data, has stated that the threat is financially motivated. This assessment was made based on the campaign, message volume, payloads, and victimology.