After being silent for a couple of years, a threat actor named as TA558 has risen with aggressive attacks against the hospitality industry.
Targeting hotels mostly, Proofpoint researchers said TA558 uses phishing emails to introduce scripts, which in turn brings in a remote access trojan into the victim’s system. This helps in the reconnaissance of threat actors and eventually steals the data and money of the people.
Targeting the Hospitality Industry
Researchers at Proofpoint noted a spike in the activity of TA558 – a threat actor targeting the hospitality industry, especially the hotels, for stealing their customers’ data and money.
It starts with a phishing email aimed at the staff of the targeted company, talking about booking confirmations or inquiries, pretending to be coming from conference organizers or tourist office agents – since they can’t usually ignore these.
They’re asked to click on some URLs – pertaining an inquiry, which brings in an ISO file from a remote server that contains a batch file to launch a PowerShell script, which in turn procures a RAT payload into the victim’s computer.
Once in, it creates scheduled tasks for maintaining persistence. Researchers noted the threat actor using AsyncRAT or Loda for big targets, while RevengeRAT, XtremeRAT, CaptureTela, and BluStealer for smaller ones.
Also, these phishing emails are written in English, Spanish, and Portuguese, so targeted companies are mostly in North America, Western Europe, and Latin America. On a successful intrusion with the RAT, the threat actor observes the network activities and modifies the client-facing websites to steal data and payments made to them.
Though TA558 has been operating since 2018, the operations have spiked sharply in 2022, probably because of resuming travel after COVID-19. And besides customers losing funds, they’re vulnerable to impersonation attacks due to their PII being stolen in the process.
Other Trending News:- News