Using carefully crafted phishing emails as the primary vector, TA558 drops a RAT onto the victim's systems, performs surveillance, and modifies the settings within to divert customer funds to its own account. Aside from this, it also steals PII and sensitive payment card data, which can be used for other malicious operations.
Enter, Observe, and Steal
As noted by Proofpoint researchers in their blog, a threat actor tracked as TA558 is hitting companies in the hospitality industry, especially hotels, with a phishing campaign to steal their customers' data and funds. They noted the threat actor crafting its phishing emails in English, Spanish, and Portuguese, thereby targeting companies in North America, Western Europe, and Latin America. Topics of these emails include bookings at the target organization, pretending to come from conference organizers or tourist office agents, which the recipients can't easily ignore.

When a recipient responds by clicking a URL offered for more information, it downloads an ISO file from a remote server. The ISO contains a batch file that launches a PowerShell script, which brings a RAT payload onto the victim's system. While performing reconnaissance for the threat actor, the RAT also creates scheduled tasks for persistence.

Researchers noted 15 distinct malware families used by TA558 in its campaigns, with AsyncRAT and Loda as the main ones, while Revenge RAT, XtremeRAT, CaptureTela, and BluStealer are used against smaller targets. Once in, the attackers capture the customers' sensitive information entered on the victims' domains and divert their booking payments to wallets of their own. Aside from losing money, customers can also be affected by identity fraud if the threat actor chooses to sell the data to other malicious actors.

Though TA558 has been active since 2018, researchers noted a spike in its operations in 2022, probably because travel resumed after the COVID-19 restrictions.
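The infection chain described above (a batch file from the ISO launching PowerShell, with scheduled tasks created afterwards for persistence) leaves a recognisable parent/child shape in endpoint process telemetry. The following detection sketch is an added example, not code from Proofpoint or the original article; the event format, process ids and paths are constructed, and the assumption is that the endpoint sensor records image name, command line and parent pid for each process start.

```python
"""Hypothetical detector for a .bat -> powershell.exe -> schtasks /create chain."""

# Constructed, Sysmon-like process-creation events (simplified); not real telemetry.
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": "explorer.exe",   "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "cmd.exe",        "cmd": 'cmd.exe /c "E:\\booking.bat"'},
    {"pid": 300, "ppid": 200, "image": "powershell.exe", "cmd": "powershell.exe -f E:\\stage.ps1"},
    {"pid": 400, "ppid": 300, "image": "schtasks.exe",
     "cmd": "schtasks.exe /create /sc minute /mo 5 /tn Updater /tr C:\\Users\\Public\\r.exe"},
    # Benign admin activity: PowerShell not launched from a batch file, task only queried.
    {"pid": 500, "ppid": 1,   "image": "powershell.exe", "cmd": "powershell.exe -f C:\\scripts\\backup.ps1"},
    {"pid": 600, "ppid": 500, "image": "schtasks.exe",   "cmd": "schtasks.exe /query"},
]


def is_batch_shell(e):
    return e["image"].lower() == "cmd.exe" and ".bat" in e["cmd"].lower()


def is_powershell(e):
    return e["image"].lower() in ("powershell.exe", "pwsh.exe")


def is_task_create(e):
    return e["image"].lower() == "schtasks.exe" and "/create" in e["cmd"].lower()


def ancestors(by_pid, pid):
    """Walk from pid up to the root, yielding each event; stops on cycles/missing parents."""
    seen = set()
    e = by_pid.get(pid)
    while e is not None and e["pid"] not in seen:
        seen.add(e["pid"])
        yield e
        e = by_pid.get(e["ppid"])


def find_chains(events):
    """Return (batch_cmd_pid, powershell_pid, schtasks_pid) for each suspicious chain."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if not is_task_create(e):
            continue
        chain = list(ancestors(by_pid, e["pid"]))  # chain[0] is the schtasks event itself
        ps = next((a for a in chain[1:] if is_powershell(a)), None)
        if ps is None:
            continue
        above_ps = chain[chain.index(ps) + 1:]  # the batch-running cmd.exe must sit above PowerShell
        bat = next((a for a in above_ps if is_batch_shell(a)), None)
        if bat is not None:
            hits.append((bat["pid"], ps["pid"], e["pid"]))
    return hits
```

Running `find_chains(EVENTS)` flags only the constructed chain 200 -> 300 -> 400, while the admin's PowerShell backup and `schtasks /query` stay quiet.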