A threat actor tracked as TA558 has stepped up its activity this year, running phishing campaigns that target hotels and other firms in the hospitality and travel space.
The threat actor uses a set of 15 distinct malware families, usually remote access trojans (RATs), to gain access to the target systems, perform surveillance, steal key data, and eventually siphon money from customers.
TA558 has been active since at least 2018, but Proofpoint has recently seen an uptick in its activities, possibly linked to the rebound of tourism after two years of COVID-19 restrictions.
Recent TA558 campaigns
In 2022, TA558 switched from using macro-laced documents in its phishing emails and adopted RAR and ISO file attachments or embedded URLs in the messages.
Similar changes have been seen with other threat actors in response to Microsoft’s decision to block VBA and XL4 macros in Office, which hackers historically used for loading, dropping, and installing malware via malicious documents.
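Because the lure now arrives as an ISO or RAR container rather than a macro document, a mail gateway that filters on file extension alone is easy to sidestep by renaming the attachment. The following Python is an added example (not from the article or from Proofpoint) that identifies the two container types named above by their magic bytes and flags extension mismatches; the attachment names and contents are constructed, and the quarantine policy is an assumption:

```python
"""Classify e-mail attachments as ISO or RAR containers by content, not name.

Added example, not from the article or Proofpoint. Sample attachments are
constructed; the quarantine policy (hold every ISO/RAR from outside) is an
assumption and would be tuned per organisation.
"""
from typing import Optional

# ISO 9660 images carry "CD001" at bytes 1..5 of the primary volume descriptor,
# which starts at sector 16 (offset 0x8000), so the string sits at 0x8001.
# UDF-only images lack this marker and would need a separate check.
ISO_SIGNATURE_OFFSET = 0x8001
ISO_SIGNATURE = b"CD001"
# RAR archives (v4 and v5) begin with "Rar!\x1a\x07".
RAR_SIGNATURE = b"Rar!\x1a\x07"


def container_type(data: bytes) -> Optional[str]:
    """Return 'iso', 'rar' or None based purely on the file content."""
    if data.startswith(RAR_SIGNATURE):
        return "rar"
    end = ISO_SIGNATURE_OFFSET + len(ISO_SIGNATURE)
    if len(data) >= end and data[ISO_SIGNATURE_OFFSET:end] == ISO_SIGNATURE:
        return "iso"
    return None


def triage_attachment(filename: str, data: bytes) -> dict:
    """Classify one attachment and record why it was (or was not) held."""
    kind = container_type(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return {
        "filename": filename,
        "detected": kind,
        "extension": ext,
        # A container whose extension says something else is the classic
        # renaming trick; surface it separately for the analyst.
        "extension_mismatch": kind is not None and ext != kind,
        "quarantine": kind is not None,
    }


def make_fake_iso() -> bytes:
    """Constructed ISO-like blob: 16 empty sectors, then a volume descriptor."""
    # type byte 0x01 (primary descriptor), then "CD001", then version 0x01.
    return b"\x00" * 0x8000 + b"\x01" + ISO_SIGNATURE + b"\x01\x00" + b"\x00" * 2000


# Constructed sample attachments, including an ISO renamed to look like a PDF.
SAMPLE_ATTACHMENTS = [
    ("Reservation_2022-08.iso", make_fake_iso()),
    ("booking_details.pdf", make_fake_iso()),
    ("invoice.rar", RAR_SIGNATURE + b"\x00" + b"\x00" * 64),
    ("itinerary.pdf", b"%PDF-1.7\n" + b"\x00" * 64),
]

if __name__ == "__main__":
    for name, blob in SAMPLE_ATTACHMENTS:
        print(triage_attachment(name, blob))
```

The content check is deliberately independent of the filename so that a renamed container is still caught; the extension comparison is only there to give the analyst an extra signal.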
The phishing emails that initiate the infection chain are written in English, Spanish, and Portuguese, targeting companies in North America, Western Europe, and Latin America.
The email topics revolve around making a booking at the target organization, and the messages pretend to come from conference organizers, tourist office agents, and other sources that the recipients can’t easily dismiss.
Victims who click on the URL in the message body, which purports to be a reservation link, will receive an ISO file from a remote resource.
The archive contains a batch file that launches a PowerShell script which eventually drops the RAT payload onto the victim’s computer and creates a scheduled task for persistence.
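The chain just described (a batch file from a mounted image, then PowerShell, then a scheduled task) leaves a distinctive parent-child pattern in process-creation telemetry. The Python below is an added example, not from the article or Proofpoint, that walks a process tree and alerts on a task-creating process whose ancestry contains PowerShell under a cmd.exe that ran a .bat. The events are constructed in the shape of Sysmon Event ID 1 records; the field names, GUIDs, paths, task names and the assumption that C: is the system drive (so a .bat on another letter suggests a mounted image or removable media) are all assumptions:

```python
"""Alert on the batch -> PowerShell -> scheduled-task chain in process telemetry.

Added example, not from the article or Proofpoint. EVENTS is constructed
telemetry in the shape of Sysmon Event ID 1 (process creation); real field
names, GUIDs, paths and task names will differ and are assumptions here.
"""
import re
from typing import Dict, List, Optional

# Constructed events: one suspicious chain (p2 -> p3 -> p4) starting from a
# .bat on drive E: (where Windows mounts a double-clicked ISO), plus benign
# activity: a logon script, an admin creating a task from cmd.exe, and an
# admin registering a task straight from PowerShell.
EVENTS = [
    {"ProcessGuid": "p1", "ParentProcessGuid": "p0", "Image": r"C:\Windows\explorer.exe", "CommandLine": "explorer.exe"},
    {"ProcessGuid": "p2", "ParentProcessGuid": "p1", "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": r'C:\Windows\System32\cmd.exe /c ""E:\Reservation.bat""'},
    {"ProcessGuid": "p3", "ParentProcessGuid": "p2", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "CommandLine": r"powershell.exe -WindowStyle Hidden -File E:\stage.ps1"},
    {"ProcessGuid": "p4", "ParentProcessGuid": "p3", "Image": r"C:\Windows\System32\schtasks.exe", "CommandLine": r'schtasks.exe /Create /TN "SystemUpdate" /SC ONLOGON /TR "C:\Users\Public\payload.exe"'},
    {"ProcessGuid": "p5", "ParentProcessGuid": "p0", "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": r"cmd.exe /c C:\Scripts\logon.bat"},
    {"ProcessGuid": "p6", "ParentProcessGuid": "p5", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "CommandLine": r"powershell.exe -File C:\Scripts\map_drives.ps1"},
    {"ProcessGuid": "p7", "ParentProcessGuid": "p1", "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
    {"ProcessGuid": "p8", "ParentProcessGuid": "p7", "Image": r"C:\Windows\System32\schtasks.exe", "CommandLine": r"schtasks.exe /Create /TN Backup /SC DAILY /TR C:\Tools\backup.exe"},
    {"ProcessGuid": "p9", "ParentProcessGuid": "p1", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "CommandLine": "powershell.exe Register-ScheduledTask -TaskName Cleanup -Xml (Get-Content C:\\Tools\\cleanup.xml -Raw)"},
]

SYSTEM_DRIVE = "C:"  # assumption for the constructed host
BAT_PATH_RE = re.compile(r'([A-Za-z]:)\\[^"\s]*?\.bat', re.IGNORECASE)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _ancestry(event: Dict, by_guid: Dict[str, Dict], max_depth: int = 5) -> List[Dict]:
    """Return [event, parent, grandparent, ...], stopping at unknown parents."""
    chain = [event]
    while len(chain) <= max_depth:
        parent = by_guid.get(chain[-1]["ParentProcessGuid"])
        if parent is None:
            break
        chain.append(parent)
    return chain


def _creates_scheduled_task(event: Dict) -> bool:
    name = _basename(event["Image"])
    cmd = event["CommandLine"].lower()
    if name == "schtasks.exe" and "/create" in cmd:
        return True
    return name in ("powershell.exe", "pwsh.exe") and "register-scheduledtask" in cmd


def _batch_drive(cmdline: str) -> Optional[str]:
    m = BAT_PATH_RE.search(cmdline)
    return m.group(1).upper() if m else None


def find_batch_powershell_task_chains(events: List[Dict]) -> List[Dict]:
    """Alert when a task creator descends from PowerShell that descends from a .bat."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    alerts = []
    for ev in events:
        if not _creates_scheduled_task(ev):
            continue
        chain = _ancestry(ev, by_guid)
        names = [_basename(e["Image"]) for e in chain]
        ps_idx = next((i for i, n in enumerate(names) if n in ("powershell.exe", "pwsh.exe")), None)
        if ps_idx is None:
            continue
        # The .bat-running cmd.exe must sit above the PowerShell in the tree.
        batch = next((e for e in chain[ps_idx + 1:]
                      if _basename(e["Image"]) == "cmd.exe" and ".bat" in e["CommandLine"].lower()), None)
        if batch is None:
            continue
        drive = _batch_drive(batch["CommandLine"])
        alerts.append({
            "task_creator": ev["CommandLine"],
            "chain": " <- ".join(names),
            "batch_drive": drive,
            # A script on a non-system drive letter is consistent with a mounted
            # ISO or removable media; it raises priority rather than deciding alone.
            "batch_on_non_system_drive": drive is not None and drive != SYSTEM_DRIVE,
        })
    return alerts


if __name__ == "__main__":
    for alert in find_batch_powershell_task_chains(EVENTS):
        print(alert)
```

The rule keys on the shape of the tree rather than on any file name or task name, so it survives the lure being renamed; the drive-letter check is only a priority signal, since logon scripts on network or removable drives are common in hotels' own environments and would need tuning.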
In most of the cases Proofpoint observed this year, the payload was AsyncRAT or Loda, while Revenge RAT, XtremeRAT, CaptureTela, and BluStealer were also deployed on a smaller scale.
For example, one 2022 campaign used QuickBooks invoice lures instead of room reservations and dropped Revenge RAT exclusively.
Having compromised hotel systems with RAT malware, TA558 moves deeper into the network to steal customer data and stored credit card details, and modifies client-facing websites to divert reservation payments.
In July 2022, the Marino Boutique Hotel in Lisbon, Portugal, had its Booking.com account hacked, and the intruder stole €500,000 in four days from unsuspecting customers who paid to book a room.
While TA558’s involvement in that case wasn’t proven, the incident matches the threat actor’s TTPs and targeting scope, and at least illustrates how it could monetize access to hotel systems.
Other ways for TA558 to make money would be to sell or use the stolen credit card details, sell client PII, blackmail high-interest individuals, or sell access to the compromised hotel’s network to ransomware gangs.