
Unveiling TA558: How AI-Generated Scripts are Powering Venom RAT Deployments in Brazilian Hotel Attacks

Recent attacks attributed to the threat actor known as TA558 have been observed targeting hotels in Brazil and Spanish-speaking regions, employing various remote access trojans (RATs) such as Venom RAT. This activity, tracked by Russian cybersecurity firm Kaspersky, is part of a broader trend referred to as "RevengeHotels."

Since at least 2015, RevengeHotels has been targeting the hospitality and travel sectors to install malware on compromised systems. The latest tactics involve phishing emails with themes related to invoices, crafted to lure recipients into downloading malware via JavaScript loaders and PowerShell scripts. Notably, a significant portion of the code used in these phishing campaigns appears to be generated by advanced language models.

Initially, the group used emails with malicious attachments like Word or Excel documents that exploited known vulnerabilities in Microsoft Office to deploy various RATs. Over time, their attack methods have evolved, with the group refining their delivery mechanisms to deploy a broader range of RAT variants.

The main objective of these attacks is to capture credit card information from guests and travelers stored within hotel systems, as well as data from online travel agencies like Booking.com. The latest campaigns have involved sending deceptive emails, primarily in Portuguese and Spanish, themed around hotel reservations and job applications to entice recipients into executing harmful scripts.

The scripts, suspected to be AI-generated due to their heavily commented nature, load additional payloads, including a PowerShell script that retrieves another downloader from an external server. This downloader is responsible for fetching and executing the Venom RAT, a commercially available tool designed to steal data, act as a reverse proxy, and incorporate anti-detection mechanisms.

The Venom RAT can circumvent security controls by modifying system permissions, which helps it keep running uninterrupted. Its anti-kill features actively target processes known to be used by security professionals, and it includes methods to spread via removable USB drives.

Kaspersky’s findings highlight how TA558 has significantly enhanced its operational sophistication, developing new phishing methods to expand its reach within the hospitality sector. As this group continues to evolve, the integration of AI in its techniques exemplifies the increasing complexity of cyber threats facing the hospitality and tourism industries today.

