A threat group tracked as TA558 has begun running phishing campaigns that target firms in the hospitality and travel space. TA558 is using Remote Access Trojans (RATs) to gain access to the target systems, perform surveillance, steal data, and then siphon money from customers. The group has been active since 2018, but there has been a recent surge in their activity most likely linked to the return of tourism following the Covid-19 pandemic. TA558 previously used documents with malicious macros in its phishing emails, and has now adopted RAR and ISO file attachments or embedded URLs in the messages. Similar changes in behavior have been seen with other threat groups following Microsoft’s decision to block VBA and XL4 macros.
The threat actors send emails impersonating conference organizers and tourist office agents. Victims who click on the URL will receive an ISO file from a remote resource. This contains a batch file that launches a PowerShell script which drops the RAT payload onto the victim’s computer. Multiple payloads have been used including AsyncRAT, Loda, Revenge RAT, ExtremeRAT, CaptureTela, and BluStealer. Once hotel systems are compromised with RAT malware, TA558 moves deeper to steal customer data. Acquiring this information enables TA558 to sell the stolen data to individuals or ransomware gangs.
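The delivery chain above (ISO attachment, batch file inside it, PowerShell launched from the batch file) leaves a distinctive parent/child process pattern that a defender can hunt for. The following is an added example, not code from the original post or from Binary Defense: a small detector that scans Sysmon-style process-creation records for a `cmd.exe` that ran a `.bat`/`.cmd` from the root of a non-system drive (a mounted ISO gets its own drive letter) and then spawned PowerShell with quiet-execution switches. The event lines, PIDs, file names and the choice of "suspicious" switches are all constructed assumptions for this example, not indicators from the article.

```python
"""
Added example (not from the original post): hunt constructed Sysmon-style
process-creation events for the chain the post describes:
    cmd.exe running a batch file from a mounted image  ->  child powershell.exe
Field names follow Sysmon Event ID 1; every value below is constructed.
"""
import json
import re
from dataclasses import dataclass

# Switches that let PowerShell run without a visible window or script-policy
# checks. Which switches count as suspicious is an analyst's choice (assumption).
SUSPICIOUS_PS_FLAGS = re.compile(
    r"-w(indowstyle)?\s+hidden|-e(nc|ncodedcommand)?\s|-nop\b|-ep\s+bypass|executionpolicy\s+bypass",
    re.IGNORECASE,
)

# A .bat/.cmd sitting at the root of a drive other than C: (assumed system drive).
# A mounted ISO is exposed as a new drive letter, while a script the user
# downloaded normally lives under C:\Users\... .
BATCH_FROM_MOUNTED_IMAGE = re.compile(r'\b[d-z]:\\[^\\\s"]+\.(bat|cmd)\b', re.IGNORECASE)


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # lower-cased image path, e.g. c:\windows\system32\cmd.exe
    cmdline: str    # lower-cased full command line


def parse_events(lines):
    """Parse newline-delimited JSON process-creation records into ProcEvent objects."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        events.append(ProcEvent(int(rec["ProcessId"]), int(rec["ParentProcessId"]),
                                rec["Image"].lower(), rec["CommandLine"].lower()))
    return events


def find_iso_batch_powershell_chains(events):
    """Return one finding per PowerShell process whose parent cmd.exe ran a batch
    file from a mounted image AND whose own command line carries quiet-execution
    switches. Both conditions are required, which keeps ordinary batch-driven
    scripting (a .bat under the user's profile, or a plain -File run) out."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for child in events:
        if not child.image.endswith(("\\powershell.exe", "\\pwsh.exe")):
            continue
        parent = by_pid.get(child.ppid)
        if parent is None or not parent.image.endswith("\\cmd.exe"):
            continue
        batch = BATCH_FROM_MOUNTED_IMAGE.search(parent.cmdline)
        if batch is None:
            continue
        quiet = SUSPICIOUS_PS_FLAGS.search(child.cmdline)
        if quiet is None:
            continue
        findings.append({
            "batch_pid": parent.pid,
            "powershell_pid": child.pid,
            "batch_file": batch.group(0),
            "powershell_flag": quiet.group(0),
        })
    return findings


# Constructed sample telemetry: one malicious chain (5208 -> 5316) and two
# benign look-alikes that the detector must leave alone.
SAMPLE_EVENTS = r"""
{"ProcessId": 4120, "ParentProcessId": 1100, "Image": "C:\\Windows\\explorer.exe", "CommandLine": "C:\\Windows\\explorer.exe"}
{"ProcessId": 5208, "ParentProcessId": 4120, "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c \"E:\\Conference_Agenda.bat\""}
{"ProcessId": 5316, "ParentProcessId": 5208, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -w hidden -nop -ep bypass -enc PLACEHOLDER_BASE64"}
{"ProcessId": 6000, "ParentProcessId": 4120, "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c \"C:\\Users\\alice\\build.bat\""}
{"ProcessId": 6010, "ParentProcessId": 6000, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -File C:\\Users\\alice\\scripts\\report.ps1"}
{"ProcessId": 7000, "ParentProcessId": 4120, "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c \"E:\\readme.bat\""}
{"ProcessId": 7010, "ParentProcessId": 7000, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -File E:\\tool.ps1"}
"""


def run_sample():
    """Run the detector over the constructed telemetry; used by __main__ and tests."""
    return find_iso_batch_powershell_chains(parse_events(SAMPLE_EVENTS.splitlines()))


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

The rule deliberately requires both signals (batch file at a non-C: drive root and a quiet PowerShell child): either one alone is common in legitimate environments, but together they closely track the post's ISO-to-batch-to-PowerShell chain. In production the same logic would read Sysmon Event ID 1 (or an EDR equivalent) and the drive-letter heuristic would be replaced by the real system-drive and mount telemetry.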
To prevent similar attacks, hospitality firms should adopt cybersecurity awareness policies that emphasize opening only emails and attachments from trusted, verified sources. Moreover, network segmentation and the principle of least privilege (PLP) help limit the damage an intruder can do once inside. Developing a defense in depth (DiD) strategy that actively searches for post-exploitation activity is an important aspect of modern risk management frameworks. Binary Defense’s MDR, SOC, and Threat Hunting services can assist in furthering such a program.