Researchers disclose that TA558 hacker group targets hospitality, hotel, travel organizations

Proofpoint researchers released details of the TA558 hacker group, a likely financially motivated small crime threat actor, which has been targeting hospitality, hotel, and travel organizations. The group’s target focus is mainly on Portuguese and Spanish speakers, typically located in the Latin America region, with additional targeting observed in Western Europe and North America. 

The Proofpoint report is based on email campaigns, which are manually contextualized, and analyst-enriched descriptions of automatically condemned threats. Organizations, especially those operating in targeted sectors in Latin America, North America, and Western Europe should be aware of the hacker group’s tactics, techniques, and procedures.

“Since 2018, Proofpoint has tracked a financially-motivated cybercrime actor, TA558, targeting hospitality, travel, and related industries located in Latin America and sometimes North America, and western Europe,” the researchers wrote in a blog post. “The actor sends malicious emails written in Portuguese, Spanish, and sometimes English. The emails use reservation-themed lures with business-relevant themes such as hotel room bookings. The emails may contain malicious attachments or URLs aiming to distribute one of at least 15 different malware payloads, typically remote access trojans (RATs), that can enable reconnaissance, data theft, and distribution of follow-on payloads,” they added.

TA558 was more active in 2020 than in 2018, 2019, or 2021, with 74 campaigns identified, the Proofpoint researchers said. “2018, 2019, and 2021 had 9, 70, and 18 total campaigns, respectively. So far in 2022, Proofpoint analysts have observed 51 TA558 campaigns,” they added.

The researchers disclosed that they had not observed post-compromise activity from TA558. Based on the observed payloads, victimology, and campaign and message volume, Proofpoint assesses with medium to high confidence that this is a financially motivated cybercriminal actor. The malware used by TA558 can steal data, including hotel customer user data and credit card data, allow lateral movement, and deliver follow-on payloads.

In 2022, campaign tempo increased significantly. Campaigns delivered a mixture of malware such as Loda, Revenge RAT and AsyncRAT, the Proofpoint researchers said. “This actor used a variety of delivery mechanisms including URLs, RAR attachments, ISO attachments, and Office documents. TA558 followed the trend of many threat actors in 2022 and began using container files such as RAR and ISO attachments instead of macro-enabled Office documents. This is likely due to Microsoft’s announcements in late 2021 and early 2022 about disabling macros by default in Office products, which caused a shift across the threat landscape of actors adopting new filetypes to deliver payloads,” they added.

The researchers also said that the TA558 group began using URLs more frequently in 2022. TA558 conducted 27 campaigns with URLs in 2022, compared to just five campaigns total from 2018 through 2021. Typically, URLs lead to container files such as ISOs or zip files containing executables.
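As a defender-side illustration of the delivery pattern described above (reservation-themed lures, RAR/ISO attachments, and URLs that lead to ISO or zip files), here is an added email triage heuristic that is not from the Proofpoint report; the lure word list, scoring weights, sample messages, and the example.invalid host are constructed assumptions.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Delivery file types the report attributes to TA558: container files
# (RAR, ISO, zip) and Office documents (macro-enabled or exploit-bearing).
CONTAINER_EXTS = {"iso", "rar", "zip"}
OFFICE_EXTS = {"doc", "docm", "xls", "xlsm", "ppt", "pptm", "msg"}
# Reservation-themed lure words in Portuguese, Spanish and English (constructed list).
LURE_RE = re.compile(r"\b(reserva|reservaci[oó]n|reservation|booking)\b", re.I)
URL_RE = re.compile(r"https?://\S+", re.I)


@dataclass
class Message:
    subject: str
    body: str
    attachments: list = field(default_factory=list)


def extension(name: str) -> str:
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def triage(msg: Message):
    """Return (score, reasons); a score of 2 or more marks the message for review."""
    score, reasons = 0, []
    if LURE_RE.search(msg.subject) or LURE_RE.search(msg.body):
        score += 1
        reasons.append("reservation-themed lure")
    for name in msg.attachments:
        ext = extension(name)
        if ext in CONTAINER_EXTS:  # container file used to sidestep macro blocking
            score += 2
            reasons.append(f"container attachment: {name}")
        elif ext in OFFICE_EXTS:
            score += 1
            reasons.append(f"office attachment: {name}")
    for url in URL_RE.findall(msg.body):
        if extension(urlparse(url).path) in CONTAINER_EXTS:  # URL leads to ISO/zip
            score += 2
            reasons.append(f"url to container file: {url}")
    return score, reasons


def review_queue(msgs, threshold=2):
    """Subjects of messages whose score reaches the review threshold."""
    return [m.subject for m in msgs if triage(m)[0] >= threshold]


# Constructed sample messages, not real TA558 samples.
SAMPLES = [
    Message("Reserva de quarto - 12/09", "Segue em anexo a reserva.", ["reserva_hotel.iso"]),
    Message("Solicitud de reservación", "Descargue los detalles: http://example.invalid/reserva.zip"),
    Message("Team lunch", "See you Friday", ["menu.pdf"]),
]
```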

Since Proofpoint began tracking the TA558 hacker group through 2022, over 90 percent of campaigns were conducted in Portuguese or Spanish, with four percent featuring multiple language lure samples in English, Spanish, or Portuguese. “Interestingly, the threat actor often switches languages in the same week. Proofpoint researchers have observed this actor send, for example, a campaign in English and the following day another campaign in Portuguese. Individual targeting typically differs based on campaign language,” they added.

The researchers said that in 2021, the TA558 group continued to leverage emails with Office documents containing macros or Office exploits to download and install malware. “Its most consistently used malware payloads included vjw0rm, njRAT, Revenge RAT, Loda, and AsyncRAT. Additionally, this group started to include more elaborate attack chains in 2021. For example, introducing more helper scripts and delivery mechanisms such as embedded Office documents within MSG files,” they added.

Emails masqueraded as Unimed, a Brazilian medical work cooperative and health insurance operator. These messages contained Microsoft Word attachments with macros which, if enabled, invoked a series of scripts to ultimately download and execute AsyncRAT, the researchers identified.

“In 2020, TA558 stopped using Equation Editor exploits and began distributing malicious Office documents with macros, typically VBA macros, to download and install malware. This group continued to use a variety of malware payloads including the addition of njRAT and Ozone RAT,” the researchers said. Targeting of hotel, hospitality, and travel organizations continued. Although the actor slightly increased its English-language operational tempo throughout 2020, most of the lures featured Portuguese and Spanish reservation requests, they added.

In 2019, Proofpoint identified that the TA558 hacker group continued to leverage emails with Word documents that exploited Equation Editor vulnerabilities to download and install malware. “TA558 also began using macro-laden PowerPoint attachments and template injection with Office documents. This group expanded their malware arsenal to include Loda, vjw0rm, Revenge RAT, and others. In 2019, the group began occasionally expanding targeting outside of the hospitality and tourism verticals to include business services and manufacturing,” the researchers added.

Proofpoint analysts observed in December 2019 that the TA558 hacker group began to send English-language lures relating to room bookings in addition to Portuguese and Spanish.

They also disclosed that since 2018, the TA558 group used consistent tactics, techniques, and procedures to attempt to install a variety of malware, including Loda RAT, Vjw0rm, and Revenge RAT. “TA558 increased operational tempo in 2022 to a higher average than previously observed. Like other threat actors in 2022, TA558 pivoted away from using macro-enabled documents in campaigns and adopted new tactics, techniques, and procedures,” the researchers said.

Proofpoint tracked the TA558 hacker group based on a variety of email artifacts, delivery and installation techniques, command and control (C2) infrastructure, payload domains, and other infrastructure. In 2022, Proofpoint observed an increase in activity compared to previous years. Additionally, TA558 shifted tactics and began using URLs and container files to distribute malware, likely in response to Microsoft announcing it would begin blocking VBA macros downloaded from the internet by default. 

Proofpoint first observed TA558 in April 2018. These early campaigns typically used malicious Word attachments that exploited Equation Editor vulnerabilities or remote template URLs to download and install malware. Two of the most common malware payloads included Loda and Revenge RAT. Campaigns were conducted exclusively in Spanish and Portuguese and targeted the hospitality and related industries, with ‘reserva’ (Portuguese word for ‘reservation’) themes.

In March, Proofpoint identified a targeted attack against French entities in the construction, real estate, and government industries that leveraged the open-source package installer ‘Chocolatey’ to deliver a backdoor.