The cyberattackers are using fake booking emails to phish.

A hacker group tracked as TA558 has upped their activity this year, running phishing campaigns that target multiple hotels and firms in the hospitality and travel space, according to a report in BleepingComputer.

The cyberattacker uses a set of 15 distinct malware families, according to the article. These usually include remote access trojans (RATs), to gain access to the target systems, perform surveillance, steal key data, and eventually siphon money from customers.

TA558 has been active since at least 2018, but Proofpoint, the cybersecurity solution provider, has recently seen an uptick in its activities, possibly linked to the rebound of tourism after two years of COVID-19 restrictions.

Threats come in emails written in multiple languages

In 2022, TA558 switched from using macro-laced documents in its phishing emails and adopted RAR and ISO file attachments or embedded URLs in the messages.

Similar changes have been seen with other threat actors in response to Microsoft’s decision to block VBA and XL4 macros in Office, which hackers historically used for loading, dropping, and installing malware via malicious documents.

The phishing emails that initiate the infection chain are written in English, Spanish, and Portuguese, targeting companies in North America, Western Europe, and Latin America.

The email topics revolve around making a booking on the target organization, pretending to come from conference organizers, tourist office agents, and other sources that the recipients can’t easily dismiss.

Victims who click on the URL in the message body, which is purported to be a reservation link, will receive an ISO file from a remote resource.

The archive contains a batch file that launches a PowerShell script which eventually drops the RAT payload onto the victim’s computer and creates a scheduled task for persistence.

Having compromised hotel systems with RAT malware, TA558 moves deeper into the network to steal customer data, stored credit card details, and modify the client-facing websites to divert reservation payments.

Other ways for TA558 to make money would be to sell or use the stolen credit card details, sell client PII, blackmail high-interest individuals, or sell access to the compromised hotel’s network to ransomware gangs.