"Threat Group Ramps-Up Attacks on Travel Sector in 2022"

Security researchers at Proofpoint have revealed new details of a prolific APT group that has used 15 malware families over the past four years to steal data from travel and hospitality companies. The financially motivated group, TA558, mainly targets organizations in Latin America and sometimes North America and Western Europe, switching between Portuguese, Spanish, and English.

The researchers noted that the group primarily uses phishing emails as its access vector, deploying reservation-themed lures with content relevant to the victim organization, such as hotel room bookings. These emails contain either malicious links or attachments designed to covertly install malware, which then enables reconnaissance, data theft, and the download of additional payloads. Among the multiple malware types used by the group are Loda RAT, Vjw0rm, Revenge RAT, and AsyncRAT. TA558 uses its own infrastructure most of the time, although the researchers have seen it leverage compromised hotel websites to host malicious payloads in a bid to fly under the radar of security monitoring tools.

Although the group has been operational since 2018, it has “significantly” increased its campaign tempo in 2022, the researchers warned. Like many threat groups, TA558 has quickly adapted to Microsoft’s decision over recent months to disable macros by default in Office products, using container files like RAR and ISO attachments instead of macro-enabled Office docs. The group has also begun using URLs more frequently in 2022: the researchers stated that TA558 conducted 27 campaigns with URLs in 2022, compared to just five campaigns total from 2018 through 2021. Typically, the URLs led to container files such as ISOs or zip files containing executables.

The researchers noted that the malware used by TA558 can steal data, including hotel customer user and credit card data, allow lateral movement, and deliver follow-on payloads. They stated that the group is a serious threat to organizations in the travel, hotel, and hospitality sectors, where data breaches can cause significant financial and reputational damage.

 

Infosecurity reports: "Threat Group Ramps-Up Attacks on Travel Sector in 2022"
