A persistent wave of attacks on Latin American hospitality, hotel, and travel firms with the intention of planting malware on compromised systems have been attributed to a financially motivated cybercrime ring.
Proofpoint researchers are keeping tabs on a malware campaign being run by the TA558 malware gang. The organization used Loda RAT, Vjw0rm, and Revenge RAT among other malware in its attacks.
The gang has been active at a faster rate than usual in 2022, with intrusions mostly targeted at Latin American Portuguese and Spanish speakers and to a lesser level at Western European and North American speakers.
The group uses phishing campaigns that involve sending malicious spam messages with lures that have a travel theme, like hotel reservations, that contain weaponized documents or URLs in an effort to persuade unwitting users to install trojans that can conduct reconnaissance, steal data, and distribute add-on payloads.
To download and install a variety of malware, including AsyncRAT, Loda RAT, Revenge RAT, and Vjw0rm, the assaults conducted between 2018 and 2021 made use of emails with malicious Word documents that either contained VBA macros or exploits for vulnerabilities like CVE-2017-11882 and CVE-2017-8570.
In more recent attacks, the cybercriminal organization has started distributing malware using Office documents, RAR attachments, ISO attachments, and malicious URLs. The action is in response to Microsoft's decision to make Office products' default settings for macros disabled.
According to Proofpoint, 27 of the 51 campaigns that hackers ran in 2022 made use of URLs linking to ZIP and ISO archives, compared to just five efforts from 2018 through 2021.
Since 2018, at least 15 different malware families have been employed by TA558, sometimes using the same C2 infrastructure, according to Proofpoint. To host the malware payloads, the gang uses websites that have been infiltrated by hotels.
In an effort to prevent detection and obscure the source of the attacks, the threat actor frequently changes languages within the same week.
A number of noticeable patterns are also being used by TA558 in the campaign data, including the use of specific strings, naming conventions, keywords, domains, etc.