A phishing campaign targeting multiple hotels and travel companies has been detected running by the TA558 group. In the campaign, it was observed that RAT malware was exploited, allowing threat actors to access targeted systems, monitor the system regularly, capture critical data and carry out fraudulent activities with the captured data. In addition, it is seen that RAR and ISO file attachments have started to be used in this campaign instead of macro-content documents sent by phishing e-mails.
The chain of infection starts with the sending of phishing e-mails with message text in English, Spanish and Portuguese to the associated destinations. The main topic covered in the e-mails is to make a reservation at the targeted establishment. Such e-mails are sent purporting to come from key sources such as conference organizers and tourist office agents that are hard for recipients to ignore.
An ISO file from a remote source is uploaded to the target system when targets click on the URL claimed to be the reservation link in the message body. The ISO file contains a BAT file (batch file) that will run a PowerShell script when executed. In order to ensure permanence, the script creates a scheduled task to hold the RAT load on the target computer as long as the script is running. By executing the BAT file and then the PowerShell script, target systems are injected with malware such as AsyncRAT (mostly), Loda, Revenge RAT, XtremeRAT, CaptureTela, and BluStealer. RAT malware endangers hotel systems and causes the identity information of customers, bank, and credit card data being stored to be captured by threat actors.
TA558 has been an active threat actor targeting the hospitality, travel, and related industries since 2018. The activities carried out by this actor lead to the capture of corporate and customer data and possible financial losses. For example, in July 2022, the Booking.com account of The Marino Boutique Hotel in Lisbon, Portugal, was targeted by this hacking campaign. It is known that threat actors caused a financial loss of € 500,000 through a compromised hotel account in just four days. In this context, it is recommended to consider the following security practices to avoid being the target of similar attack campaigns.
- E-mails, attachments, and links from unknown, suspicious parties should not be respected.
- File/Program or application downloads should be made from legitimate and reliable sources.
- Comprehensive Anti-Virus/Anti-Malware security solutions should be used.
- Institution/organization personnel should be made aware of potential phishing/social engineering attacks.
- IOC findings related to the campaign should be blocked from security solutions.