Hackers target hotel and travel companies with fake reservations

Gandalf_The_Grey

Gandalf_The_Grey

Level 76
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,585
Content source
https://www.bleepingcomputer.com/news/security/hackers-target-hotel-and-travel-companies-with-fake-reservations/
A hacker tracked as TA558 has upped their activity this year, running phishing campaigns that target multiple hotels and firms in the hospitality and travel space.

The threat actor uses a set of 15 distinct malware families, usually remote access trojans (RATs), to gain access to the target systems, perform surveillance, steal key data, and eventually siphon money from customers.

TA558 has been active since at least 2018, but Proofpoint has recently seen an uptick in its activities, possibly linked to the rebound of tourism after two years of COVID-19 restrictions.
Click to expand...
In 2022, TA558 switched from using macro-laced documents in its phishing emails and adopted RAR and ISO file attachments or embedded URLs in the messages.

Similar changes have been seen with other threat actors in response to Microsoft's decision to block VBA and XL4 macros in Office, which hackers historically used for loading, dropping, and installing malware via malicious documents.

The phishing emails that initiate the infection chain are written in English, Spanish, and Portuguese, targeting companies in North America, Western Europe, and Latin America.
Click to expand...
www.bleepingcomputer.com

Hackers target hotel and travel companies with fake reservations

A hacker tracked as TA558 has upped their activity this year, running phishing campaigns that target multiple hotels and firms in the hospitality and travel space.
www.bleepingcomputer.com www.bleepingcomputer.com
 
  • Wow
  • Like
  • Thanks
Reactions: show-Zi, wat0114, brambedkar59 and 5 others
wat0114

wat0114

Level 12
Verified
Top Poster
Well-known
Apr 5, 2021
570
The infection chain looks to be nothing out of the ordinary of what's been seen lately:

Victims who click on the URL in the message body, which is purported to be a reservation link, will receive an ISO file from a remote resource.

The archive contains a batch file that launches a PowerShell script which eventually drops the RAT payload onto the victim's computer and creates a scheduled task for persistence.
Click to expand...

2022 campaign infection chain
2022 campaign infection chain (Proofpoint)

Why would anyone open a batch file, if I assume correctly that the user needs to launch in order for the rest of the infection chain t occur?
 
  • Like
Reactions: show-Zi and Gandalf_The_Grey
You must log in or register to reply here.

Similar threads

vtqhtr413
    • Like
    • +Reputation
Security News Threat actors use Tycoon 2FA kits to target MS 365 and Gmail accounts
Replies
3
Views
1,058
Security News
vtqhtr413
vtqhtr413
Gandalf_The_Grey
    • +Reputation
    • Wow
Malware News Russian military hackers target Ukraine with new MASEPIE malware
Replies
0
Views
1,169
Security News
Gandalf_The_Grey
Gandalf_The_Grey
Gandalf_The_Grey
    • Like
    • +Reputation
Malware News Google: Russian FSB hackers deploy new Spica backdoor malware
Replies
1
Views
1,504
Security News
Juan2go
J

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top