Researchers have revealed new details of a prolific APT group which has used 15 malware families over the past four years to steal data from travel and hospitality companies.
The financially motivated group TA558 mainly targets organizations in Latin America, and sometimes North America and Western Europe, switching between Portuguese, Spanish and English as it does so, according to Proofpoint.
It primarily uses phishing emails as its access vector, deploying reservation-themed lures with content relevant to the victim organization such as hotel room bookings.
These emails contain either malicious links or attachments designed to covertly install malware, which will then enable reconnaissance, data theft and the download of additional payloads, the report explained.
Among the multiple malware types used by the group are Loda RAT, Vjw0rm, Revenge RAT and AsyncRAT.
TA558 uses its own infrastructure most of the time, although Proofpoint has seen it leverage compromised hotel websites to host malicious payloads in a bid to fly under the radar of security monitoring tools.
Although the group has been operational since 2018, it has “significantly” increased its campaign tempo in 2022, Proofpoint warned.
Like many threat groups, TA558 has quickly adapted to Microsoft’s decision over recent months to disable macros by default in Office products, using container files like RAR and ISO attachments instead of macro-enabled Office docs.
“Additionally, TA558 began using URLs more frequently in 2022. TA558 conducted 27 campaigns with URLs in 2022, compared to just five campaigns total from 2018 through 2021. Typically, URLs led to container files such as ISOs or zip files containing executables,” the report noted.
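The lure-and-container pattern described above is the kind of thing a mail gateway rule can key on. The following is an added example, not code from Proofpoint or the report; the subject words, the extension lists and the sample message are constructed assumptions for illustration, and only zip containers are inspected internally since the standard library cannot read ISO or RAR.

```python
import io
import zipfile

# Illustrative lists (assumptions, not from the report).
CONTAINER_EXTS = (".iso", ".img", ".rar", ".zip", ".7z")
EXECUTABLE_EXTS = (".exe", ".scr", ".dll", ".js", ".vbs", ".bat", ".cmd", ".lnk")
# Reservation-themed words in the languages the report says TA558 switches between.
LURE_WORDS = ("reserva", "reservation", "booking", "hotel")


def _has_ext(name: str, exts: tuple) -> bool:
    return name.lower().endswith(exts)


def executables_in_zip(data: bytes) -> list:
    """Return executable member names inside a zip payload (empty if not a zip)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if _has_ext(n, EXECUTABLE_EXTS)]
    except zipfile.BadZipFile:
        return []


def assess_message(subject: str, attachments: dict, urls: list) -> list:
    """Return human-readable findings for one message; empty list means no match."""
    findings = []
    for name, data in attachments.items():
        if _has_ext(name, CONTAINER_EXTS):
            findings.append(f"container attachment: {name}")
            for member in executables_in_zip(data):
                findings.append(f"executable inside {name}: {member}")
    for url in urls:
        if _has_ext(url.split("?", 1)[0], CONTAINER_EXTS):  # ignore query string
            findings.append(f"URL to container file: {url}")
    if findings and any(w in subject.lower() for w in LURE_WORDS):
        findings.insert(0, "reservation-themed subject with container delivery")
    return findings


def build_sample_zip() -> bytes:
    """Constructed zip with an executable member, standing in for a lure attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Reserva_Hotel.exe", b"MZ placeholder, not a real binary")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed message: Spanish booking subject, zip attachment, link to an ISO.
    print("\n".join(assess_message("Reserva de hotel - confirmacion",
                                   {"reserva.zip": build_sample_zip()},
                                   ["http://hotel.example/booking/reserva.iso"])))
```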
“The malware used by TA558 can steal data including hotel customer user and credit card data, allow lateral movement, and deliver follow-on payloads.”
That makes it a serious threat for organizations in the travel, hotel, and hospitality sectors where data breaches can cause significant financial and reputational damage.
Marriott International was fined over £18m after hundreds of millions of guest records were stolen by threat actors following a 2014 cyber-attack on Starwood Hotels, a company it subsequently acquired.