Phishing campaign preying on hotels and travel firms

Spanish and Portuguese speakers in Latin America are currently the main targets of a campaign to steal credit card details and other data

A cybercrime group tracked as TA558 is behind a recent phishing campaign targeting hotels and other entities operating in the hospitality and travel sector.

Proofpoint researchers say they are keeping an eye on a malware campaign run by TA558, which uses a collection of 15 different malware families, typically remote access trojans (RATs), to infiltrate target systems, steal crucial data, and ultimately siphon money from customers.

TA558 is a relatively small cybercrime group that has been active since at least April 2018, although Proofpoint researchers say they have recently seen a rise in its activity.

The group is primarily targeting Spanish and Portuguese speakers in Latin America.

Proofpoint noticed that TA558 is now shifting away from macro-laden Microsoft Office attachments in favour of URLs and ISO files to achieve initial infection. This behaviour is most likely in reaction to Microsoft's decision to block macros by default in files downloaded from the internet.

Twenty-seven of the 51 campaigns that this threat actor ran in 2022 made use of URLs linking to ZIP and ISO archives, while from 2018 through 2021, only five campaigns did so.

Phishing emails sent out by TA558 that start the infection chain are written in three languages: English, Spanish, and Portuguese. The emails are about making reservations with the target firm and pose as correspondence from conference planners, travel brokers, and other hard-to-reject sources.

The victims receive an ISO file from a remote resource if they click on the URL in the message body that purports to be a link for making a reservation.

A batch file in the bundle then starts executing a PowerShell script that ultimately downloads the RAT payload to the victim's machine and sets up a scheduled job for persistence. AsyncRAT or Loda were the payload in the majority of the incidents Proofpoint saw this year, however Revenge RAT, XtremeRAT, CaptureTela, and BluStealer were also used on a lesser scale.

One 2022 campaign dropped just Revenge RAT and used QuickBooks invoice lures in place of hotel bookings.

After infecting hotel systems with RAT malware, TA558 penetrates the network further to steal customer information, credit card information, and other details, as well as to alter client-facing webpages to reroute reservation payments.

Researchers have also noticed a number of noticeable patterns in the campaign data, including the usage of certain strings, naming conventions, keywords, domains, etc.

For instance, the term CDT, which refers to the CDT Travel organisation and associated travel reservation lure themes, was often utilised in emails and malware attributes.

"Activity conducted by this actor could lead to data theft of both corporate and customer data, as well as potential financial losses," the researchers warn in their analysis.

"Organisations, especially those operating in targeted sectors in Latin America, North America and Western Europe, should be aware of this actor's tactics, techniques, and procedures."