PrometuNews
© 2026 Prometu News. Powered by Prometu, Inc.

TA558 Resurfaces: Fake Reservation Threats Target Travel Industry


The TA558 threat group intensifies attacks, using fake reservation links to infect travelers with malware.

OMNI
Tags: cybersecurity, malware, TA558, travel industry, fake reservations
The TA558 threat group, known for targeting the travel and hospitality industries, has escalated its malicious activities. Following a period of reduced activity, likely related to COVID-19 travel restrictions, TA558 has reactivated its campaigns. These campaigns focus on sending fake reservation-related emails containing malicious links.

Security researchers are warning about a resurgence of TA558 campaigns reminiscent of those seen in 2018. These attacks capitalize on the increase in airline and hotel bookings, using links that download malware when clicked. The evolution of TA558's tactics shows constant adaptation to security measures and industry trends.

A distinguishing feature of the most recent TA558 campaigns is the use of RAR and ISO attachments. When opened, these container files unpack the files and folders holding the malware. Proofpoint reported that "TA558 began using URLs more frequently in 2022," leading to container files such as ISOs or ZIP archives that contain executables.

To infect a system, the victim must extract the attachment. A reservation link, for example, could lead to an ISO file containing a batch file that executes a PowerShell script, which in turn downloads AsyncRAT. This shift in methodology is a response to security measures implemented by Microsoft.

Previous TA558 campaigns, tracked by Palo Alto Networks (2018), Cisco Talos (2020 and 2021), and Uptycs (2020), used malicious Microsoft Word documents (exploiting CVE-2017-11882) or remote templates to download malware. The move to ISO and RAR files follows Microsoft updates that disable macros by default.

In 2022, the frequency of campaigns increased significantly, distributing malware such as Loda, Revenge RAT, and AsyncRAT. Sherrod DeGrippo, vice president of threat research and detection at Proofpoint, emphasizes that TA558 is financially motivated and monetizes stolen data.

Since 2018, TA558 has focused its attacks on companies in the travel, hospitality, and related industries, primarily in Latin America but also in North America and Western Europe. The group uses socially engineered emails, written in Spanish or Portuguese, that pose as hotel reservations.

In its early stages, the group exploited a vulnerability in Microsoft Word's Equation Editor (CVE-2017-11882) to download RATs such as Loda or Revenge RAT. In 2019, it expanded its arsenal with malicious PowerPoint attachments and template injection, including English-language lures for the first time. TA558's most prolific period was early 2020, with 25 malicious campaigns in January alone.

Researchers advise organizations, especially those operating in the targeted sectors in Latin America, North America, and Western Europe, to familiarize themselves with TA558's tactics, techniques, and procedures. This type of threat puts both customer data and the organization itself at risk.

Organizations should implement robust security measures, such as verifying the authenticity of emails and links, keeping software up to date, and training staff in cybersecurity. Vigilance and prevention are key to protecting against attacks by TA558 and other threat groups.

Editorial Note

This content has been synthesized and optimized by the Prometu editorial system to ensure clarity and neutrality. Based on: Threatpost