This year, a small cybercrime actor is ramping up the number of malicious emails sent to hotels and related hospitality companies with the intent of delivering a diverse set of RATs, which have the capabilities to steal information.
While first observed in 2018, the threat actor tracked as TA558 by Proofpoint has increased its operational tempo, with researchers observing 51 campaigns so far this year. Over the last four years, the cybercriminals have evolved their tactics and diversified the number of RATs deployed in campaigns, primarily focusing on victims in the Latin America region with additional targeting observed in Western Europe and North America.
"TA558 is an interesting threat actor targeting hospitality and travel organizations with unique lures referencing things like reservations and bookings,” said Sherrod DeGrippo, vice president of Threat Research and Detection with Proofpoint. “Although we do not have visibility into the actor’s ultimate goals, it's possible compromises could impact both organizations in the travel industry as well as potentially customers who have used them for vacations. Organizations in these and related industries should be aware of this actor’s activities and take precautions to protect themselves."
Attackers have evolved from using emails with malicious Word documents exploiting Equation Editor vulnerabilities (a remote code execution flaw tied to CVE-2017-11882, for instance), shifting to distribute malicious Office documents with VBA macros that download and install malware. As of 2022, however, the threat actor followed the footsteps of many other attackers and started leveraging container files like RAR and ISO attachments rather than macro-enabled Office documents. The shift is likely due to Microsoft’s announcements in late 2021 that it would disable macros by default in Office products, prompting threat actors to adopt new file types for delivering payloads. TA558 also started using URLs more frequently in 2022, which leads to container files with executables. So far this year, 27 campaigns leveraged URLs, up from five campaigns from between 2018 and 2021.
The malicious emails are typically sent in Portuguese, Spanish and English and leverage reservation themed lures, in many cases purporting to be about hotel room bookings. In some cases, threat actors mimicked technology services by using the terms “Google Drive,” “Microsoft” and “Firefox” in payload URLs or C2 domain names. In April, researchers also found the threat actors using a new lure that centered around a QuickBooks invoice in order to distribute RevengeRAT, though they said it's unclear why the group temporarily pivoted toward this lure.
The malicious emails often have the end goal of deploying RATs, and over the past few years the threat actors have alternated between at least 15 different known malware families. These RATs have included Loda, a remote access trojan written in AutoIT with the capabilities to steal usernames, passwords and browser cookies; Vjw0rm, a modular javascript RAT with self-propagation and information theft abilities; AsyncRAT, typically used by crimeware groups and APTs to remotely monitor and control compromised devices; and Revenge RAT, which can capture screen, video and audio on devices, keylogging and credential dumping.
These malware families can steal hotels’ customer user and credit card information, and they give attackers the ability to move laterally on the network and deliver follow-on payloads. For hotels, the potential impact of these types of attacks includes data theft of corporate and customer data and potential financial losses, said researchers. As seen with previous cyberattacks against high-level hospitality brands like Marriott, MGM Resorts International and Hilton, threat actors have targeted hotel customers’ financial, payment card or password data in various attacks.
“The increase in activity by TA558 this year is not indicative of an increase of activity targeting the travel/hospitality industries in general," said DeGrippo. "However, organizations in these industries should be aware of the TTPs... and ensure employees are trained to recognize and report phishing attempts when identified."