Threat Group Ramps Up Attacks on Travel Sector in 2022
Researchers have identified new details regarding a prolific threat group that has deployed 15 malware families over the past four years. The group, TA558, is financially motivated and mainly targets organizations in Latin and North America. According to Proofpoint, the group switches between English, Spanish, and Portuguese when it conducts its attacks. It typically uses phishing emails as the initial access vector, with reservation- and travel-themed lures such as hotel room bookings. TA558 targets travel and hospitality companies to steal sensitive data and for monetary gain.
The phishing emails used by the group often contain links or attachments that covertly install malware. The group has been observed using several different malware types, including Loda RAT, Vjw0rm, Revenge RAT, and AsyncRAT. TA558 uses its own infrastructure to conduct attacks; however, Proofpoint has reported evidence of the group leveraging compromised hotel websites to host malicious payloads. The group has been operating since 2018 but has increased its activity this year.