The threat actors send emails impersonating conference organizers and tourist office agents. Victims who click on the URL will receive an ISO file from a remote resource. This contains a batch file that launches a PowerShell script which drops the RAT payload onto the victim’s computer. Multiple payloads have been used including AsyncRAT, Loda, Revenge RAT, ExtremeRAT, CaptureTela, and BluStealer. Once hotel systems are compromised with RAT malware, TA558 moves deeper to steal customer data. Acquiring this information enables TA558 to sell the stolen data to individuals or ransomware gangs.

To prevent similar attacks, it is important for hospitality firms to utilize cybersecurity awareness policies that emphasize only opening emails and documents from trusted, verified sources. Moreover, network segmentation and the principle of least privilege (PLP) will assist in limiting the damage accomplished by intruders. Developing a defense in depth (DiD) strategy that searches for post-exploitation activities is an important aspect of modern risk management frameworks. Binary Defense’s MDR, SOC, and Threat Hunting services can assist in furthering such a program.

https://www.bleepingcomputer.com/news/security/hackers-target-hotel-and-travel-companies-with-fake-reservations/