The travel and hospitality industries are grappling with a renewed threat from a cybercriminal group known as TA558. This group, which has been on the radar of security experts for a while, is capitalizing on the recent surge in travel and associated bookings, following a period of dormancy during the height of the COVID-19 pandemic. TA558 has retooled its 2018 strategy, now sending out counterfeit reservation emails that harbor a medley of malware variants. If an unsuspecting recipient clicks on the embedded links, their system becomes infected with the malicious software. According to a report by cybersecurity firm Proofpoint, what sets this latest campaign apart is the use of RAR and ISO file attachments. These are compressed files that, when executed, unpack the data contained within them. The group has significantly increased its use of URLs in 2022, with 27 campaigns utilizing them, compared to a total of five campaigns from 2018 through 2021. For a system to become infected, the targeted individual must be duped into decompressing the file archive. The link in the fake reservation email leads to an ISO file and an embedded batch file. When the batch file is executed, it triggers a PowerShell helper script that downloads a subsequent payload, AsyncRAT. Historically, TA558 has used malicious Microsoft Word document attachments or remote template URLs to download and install malware. However, the shift to ISO and RAR files is likely a response to Microsoft’s recent decision to disable macros by default in Office products. The pace of the group’s campaigns has accelerated in 2022, delivering a cocktail of malware such as Loda, Revenge RAT, and AsyncRAT through a variety of delivery mechanisms including URLs, RAR attachments, ISO attachments, and Office documents. The malware payloads typically include remote access trojans (RATs), which can facilitate reconnaissance, data theft, and distribution of subsequent payloads. Despite the group’s evolving tactics, their objective remains consistent: financial gain. The group uses stolen data to scale up and steal money, potentially impacting both organizations in the travel industry and their customers. TA558 has been active since at least 2018, primarily targeting organizations in the travel, hospitality, and related industries, particularly in Latin America, and occasionally in North America or Western Europe. The group typically uses socially engineered emails, often in Portuguese or Spanish, to trick victims into clicking on malicious links or documents, usually disguised as hotel reservations. In their early operations, TA558 exploited vulnerabilities in Microsoft Word’s Equation Editor to download a RAT to the target machine. Over time, they expanded their toolkit and demographic reach, introducing malicious macro-laced Powerpoint attachments and English-language phishing lures. The beginning of 2020 marked TA558’s most active period, with 25 malicious campaigns launched in January alone. They predominantly used macro-laden Office documents or targeted known Office vulnerabilities during this period. Security researchers advise organizations, especially those operating in targeted sectors in Latin America, North America, and Western Europe, to be aware of TA558’s tactics and take necessary precautions.
About the Author
