Concise Cyber

Travel Industry Alert: TA558 Ramps Up Phishing Attacks with Fake Reservation Links

Travel Sector Under Renewed Threat

As global travel rebounds, a financially motivated cybercrime group known as TA558 has significantly increased its attacks against the hospitality and travel industries. Active since at least 2018, the group has returned from a pandemic-era lull to exploit the surge in bookings, using socially engineered emails disguised as hotel reservations to deploy malware.

These phishing campaigns primarily target organizations in Latin America, North America, and Western Europe. The emails, often written in Spanish or Portuguese with subject lines like “reserva,” are designed to trick employees into executing malicious payloads, putting both corporate and customer data at severe risk.

A Shift in Attack Vectors

According to security researchers, TA558 has evolved its tactics. While past campaigns relied on malicious Microsoft Word documents that exploited vulnerabilities or used macros, the group’s recent activity shows a strategic shift. This change is likely a direct response to Microsoft’s move to disable macros by default in Office products.

In 2022, the group has increasingly used URLs embedded in emails. These links direct victims to download compressed file containers, such as ISO or RAR files. If a user is tricked into opening one of these archives, a script executes that installs a Remote Access Trojan (RAT). Malware strains like AsyncRAT, Revenge RAT, and Loda have been observed, giving attackers the ability to steal data, conduct surveillance, and deploy further malicious payloads.

The ultimate goal for TA558 remains financial gain. By compromising systems within the travel industry, they can steal sensitive information for fraudulent purposes. Organizations in these sectors are urged to remain vigilant and educate staff on these evolving threats.
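A mail-triage check for the delivery chain described above (a reservation-themed subject plus a link to an ISO or RAR container), added here as an illustration and not taken from the researchers' report. The function names, the verdict labels, the sample messages and the assumption that the container extension is visible in the URL path are all hypothetical.

```python
import re
from email import message_from_string
from email.header import decode_header, make_header
from urllib.parse import urlparse, unquote

LURE_WORDS = ("reserva",)            # subject keyword named in the article
CONTAINER_EXTS = (".iso", ".rar")    # container types named in the article
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

def extract_urls(msg):
    """Collect http(s) URLs from every text part (plain or HTML) of a message."""
    urls = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True)  # undoes base64 / quoted-printable
        if payload:
            charset = part.get_content_charset() or "utf-8"
            try:
                text = payload.decode(charset, errors="replace")
            except LookupError:  # unknown charset label in the header
                text = payload.decode("utf-8", errors="replace")
            urls.extend(URL_RE.findall(text))
    return urls

def triage(raw_message):
    """Return a verdict plus the evidence behind it for one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    # Decode RFC 2047 encoded-words so "=?utf-8?q?Reserva...?=" is still matched.
    subject = str(make_header(decode_header(msg.get("Subject", "")))).lower()
    lure = any(word in subject for word in LURE_WORDS)
    # Compare the URL path only, so a query string cannot hide the extension.
    hits = [u for u in extract_urls(msg)
            if unquote(urlparse(u).path).lower().rstrip(".,;)").endswith(CONTAINER_EXTS)]
    verdict = "quarantine" if lure and hits else "review" if hits else "pass"
    return {"verdict": verdict, "lure_subject": lure, "container_urls": hits}

# Constructed sample messages (not taken from any real campaign).
LURE_MAIL = ("From: guest@example.test\nTo: frontdesk@hotel.example\n"
             "Subject: =?utf-8?q?Reserva_de_habitaci=C3=B3n?=\n"
             "Content-Type: text/plain; charset=utf-8\n\n"
             "Detalles: https://files.example.test/docs/Reserva_2022.ISO?dl=1\n")
PLAIN_MAIL = ("From: hr@hotel.example\nSubject: Weekly rota\n\n"
              "Rota: https://intranet.example.test/rota.pdf\n")

if __name__ == "__main__":
    for raw in (LURE_MAIL, PLAIN_MAIL):
        print(triage(raw))
```

A link that hides the container behind a redirect or a neutral-looking path will not match, so this complements attachment and download inspection at the gateway and endpoint.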

All articles are written here with the help of AI on the basis of openly available information which cannot be independently verified. We do strive to quote the relevant sources. The intent is only to summarise what is already reported in public forum in our own words with no intention to plagiarise or copy other person’s work. The publisher has no intent to defame or cause offence to anyone, any person or any organisation at any moment. The publisher assumes no responsibility for any damage or loss caused by making decisions on the basis of whatever is published on cyberconcise.com. You’re advised to do your own checks and balances before making any decision, and owners and publishers at cyberconcise.com cannot be held accountable for its resulting ramifications. If you have any objections, concerns or point out anything factually incorrect, please reach out using the form on https://concisecyber.com/about/
