
TA558, a small-scale cybercriminal actor, has increased its malware attacks, predominantly targeting hospitality, hotel, and travel companies in Latin America, with additional targets in Western Europe and North America. This year the group has raised the volume of malicious emails sent to hotels in order to spread a range of RATs capable of stealing data.

According to Proofpoint, researchers have already identified 51 campaigns this year from the threat actor, which was first observed in 2018. Over the past four years its tactics have evolved, with an increase in both the number and the variety of RATs used in campaigns.

After gaining initial access to an endpoint, for example through phishing or a malware infection, the attacker assumes the identity of a legitimate user and moves through several network systems until reaching the target. Their goal is to gather data on numerous systems and accounts, obtain login details, escalate privileges, and ultimately reach their target.

Proofpoint analysis states, “TA558 shifted tactics and began using URLs and container files to distribute malware, likely in response to Microsoft announcing it would begin blocking VBA macros downloaded from the internet by default.”

TA558 progressed from sending emails with malicious Word documents that exploit Equation Editor flaws (such as the remote code execution bug CVE-2017-11882) to distributing malicious Office documents containing VBA macros that download and install malware. As of 2022, however, the threat actor has started using attachments containing container files, such as RAR and ISO files, rather than macro-enabled Office documents.

The group sends malicious emails in Portuguese, Spanish, and occasionally English, using business-relevant lures related to reservations, such as hotel room bookings. Over the past three years it has switched between at least 15 known malware families, including the RATs Loda, Vjw0rm, and Revenge RAT.

They have occasionally used the strings “Google Drive,” “Microsoft,” and “Firefox” in payload URLs or C2 domain names to imitate popular technology services. Researchers also observed the threat actor in April distributing RevengeRAT with a new lure based on a QuickBooks invoice, although they noted it is not clear why the group temporarily switched to this lure.
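The three delivery traits described above (container-file attachments, reservation-themed lures, and brand names embedded in non-brand hostnames) can be combined into a simple mail-triage score. This is an added example written for this article, not Proofpoint's detection logic; the message records, the allowlisted brand domains and the lure keywords are constructed assumptions.

```python
import os
from urllib.parse import urlparse

# Indicators drawn from the article: RAR/ISO container attachments,
# reservation-themed subjects, and brand names used inside payload/C2 hosts.
CONTAINER_EXTS = {".rar", ".iso"}
LURE_TERMS = ("reserva", "reservation", "booking", "hotel", "invoice")
BRAND_TERMS = ("googledrive", "microsoft", "firefox")
# Assumed allowlist of the brands' real domains; tune for your environment.
LEGIT_SUFFIXES = ("google.com", "microsoft.com", "mozilla.org")


def is_brand_domain(host):
    """True only for the allowlisted domain itself or one of its subdomains."""
    return any(host == s or host.endswith("." + s) for s in LEGIT_SUFFIXES)


def brand_lookalike(url):
    """True if a brand name appears in the hostname but the host is not the brand's own domain."""
    host = (urlparse(url).hostname or "").lower()
    if not host or is_brand_domain(host):
        return False
    compact = host.replace(".", "").replace("-", "")  # catch google-drive.example etc.
    return any(brand in compact for brand in BRAND_TERMS)


def triage(msg):
    """Return (score, reasons) for a message dict with subject, attachments and urls."""
    reasons = []
    subject = msg.get("subject", "").lower()
    if any(term in subject for term in LURE_TERMS):
        reasons.append("reservation-themed subject")
    for name in msg.get("attachments", []):
        if os.path.splitext(name)[1].lower() in CONTAINER_EXTS:
            reasons.append(f"container attachment {name}")
    for url in msg.get("urls", []):
        if brand_lookalike(url):
            reasons.append(f"brand-lookalike host in {url}")
    return len(reasons), reasons


# Constructed sample records for this example; not real TA558 data.
SAMPLE_MESSAGES = [
    {"subject": "Reserva de habitación - confirmación",
     "attachments": ["reserva_2022.iso"],
     "urls": ["http://googledrive-files.example/dl/x"]},
    {"subject": "Quarterly newsletter",
     "attachments": ["newsletter.pdf"],
     "urls": ["https://docs.microsoft.com/en-us/"]},
]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(m["subject"], "->", triage(m))
```

A score of two or more on a message from outside the organisation is a reasonable threshold for routing it to manual review.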

Sherrod DeGrippo, Vice President of Threat Research and Detection, emphasised, “Organisations in these and related industries should be aware of this actor’s activities and take precautions to protect themselves.”
