Attackers are targeting several hotels and hospitality companies through phishing. Identified as TA558, the threat actor uses a series of 15 different malware families, in particular (RATs) remote access trojans, to gain access to the target systems, carry out surveillance, steal key data and ultimately siphon off money from customers.
According to Proofpoint researchers, a recent increase in TA558’s activity has been recorded, and unlike in 2018, when it used macro-laced documents in its phishing emails, the threat actors now use RAR and ISO file attachments or embedded URLs in the messages.
The phishing e-mail themes used by the attackers revolve around making a booking with the target organizations and pretending to come from conference organizers, tourist offices and other sources that recipients cannot easily refuse.
The emails used to initiate the chain of infection are written in English, Spanish and Portuguese, while the phishing emails target companies in North America, Western Europe and Latin America.
After clicking on the URL, which pretends to be a reservation link in the message body, the victims receive an ISO file from a remote resource.
The archive contains a batch file that starts a PowerShell script, which finally drops the RAT payload onto the victim’s computer and creates a scheduled persistence task.
Once a hotel system has been compromised with RAT malware, TA558 penetrates deeper into the network to steal customer information, stored credit card information, and modify the client-facing websites to redirect reservation payments.