Financially Motivated Group Eyes Hospitality and Travel Organizations

Industries: Hospitality, Hotel, Travel | Level: Tactical | Source: Proofpoint

Proofpoint's latest research provides details for threat actor group TA558 identified to be active since 2018 targeting industries in hospitality, hotel, and travel. Regions attacked by the group have primarily focused on Latin American regions, with Portuguese and Spanish speakers accounting for over 90% of the group's campaign. Although at a much lower rate, victims were found in Western Europe and North America as well. Noticeably in 2022, the group's operational tempo increased, making them much more active than in previous years. Phishing emails sent from the group have commonly used reservation themes. Tactics and techniques used have involved exploiting Equation Editor - CVE-2017-11882, macros in Microsoft documents, PowerShell scripts, and compressed files to deploy various remote access trojans and schtasks for persistence. TA558 has utilized over 15 different malware families in its campaigns since 2018. Their most used malware being AsyncRat, Loa, Vjw0rm, and Revenge RAT. Currently, Proofpoint "has not observed post-compromise activity from TA558." With medium to high confidence, Proofpoint assesses the group to be financially motivated. One notable hack from the group was reported in July by CNN Portugal "a Portuguese hotel’s website was compromised, and the actor was able to modify the website and direct customers to a fake reservation page. The actor stole funds from potential customers by posing as the compromised hotel."

Anvilogic Use Cases:

• Abuse EQNEDT32.EXE
• Wscript/Cscript Execution
• Invoke-WebRequest Command

‍