Hackers target hotel and travel companies with fake reservations


Level 76
Thread author
Honorary Member
Top Poster
Content Creator
Apr 24, 2016
A hacker tracked as TA558 has upped their activity this year, running phishing campaigns that target multiple hotels and firms in the hospitality and travel space.

The threat actor uses a set of 15 distinct malware families, usually remote access trojans (RATs), to gain access to the target systems, perform surveillance, steal key data, and eventually siphon money from customers.

TA558 has been active since at least 2018, but Proofpoint has recently seen an uptick in its activities, possibly linked to the rebound of tourism after two years of COVID-19 restrictions.
In 2022, TA558 switched from using macro-laced documents in its phishing emails and adopted RAR and ISO file attachments or embedded URLs in the messages.

Similar changes have been seen with other threat actors in response to Microsoft's decision to block VBA and XL4 macros in Office, which hackers historically used for loading, dropping, and installing malware via malicious documents.

The phishing emails that initiate the infection chain are written in English, Spanish, and Portuguese, targeting companies in North America, Western Europe, and Latin America.


Level 12
Top Poster
Apr 5, 2021
The infection chain looks to be nothing out of the ordinary of what's been seen lately:

Victims who click on the URL in the message body, which is purported to be a reservation link, will receive an ISO file from a remote resource.

The archive contains a batch file that launches a PowerShell script which eventually drops the RAT payload onto the victim's computer and creates a scheduled task for persistence.

2022 campaign infection chain
2022 campaign infection chain (Proofpoint)

Why would anyone open a batch file, if I assume correctly that the user needs to launch in order for the rest of the infection chain t occur?

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.