A hacker (codenamed TA558) has increased its phishing attacks this year. They are aimed at various hotels and companies in the hospitality and travel sector. The attacks also reach Spain; in fact, after Portuguese, Spanish is the language this hacker uses most.





The threat actor uses a set of 15 different malware families, typically Remote Access Trojans (RATs), to gain access to target systems and then carry out surveillance tasks, steal key data and siphon off customers’ money.

TA558 has been active since at least 2018, but Proofpoint, the company that discovered this phishing, has seen an uptick in its activities in summer 2022, possibly related to the huge increase in tourism after two years of COVID-19 restrictions. In fact, this sector is being targeted, and not only with this phishing. A few days ago we met

How this phishing works





The phishing emails that have been discovered, and that start the chain of infection, are written in English, Spanish and Portuguese. They target companies in North America, Western Europe and Latin America.

In the email, the sender says that he wants to make a reservation at a hotel or a travel company. The hacker claims to be a conference organizer, a tourist office agent, or the like, who is going to bring many people to that hotel or travel service.

Victims who click on the URL in the body of the message, which is supposed to be a link to proceed with the reservation, receive an ISO file from a remote resource. The file launches a PowerShell script that finally drops the RAT payload on the victim’s computer and creates a scheduled task.
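For defenders, the chain described above (an ISO file arrives, PowerShell starts, a scheduled task is created) can be correlated per host in endpoint telemetry. The following Python sketch is an added example, not code from Proofpoint or from the original article; the event format, field names, host names, paths and the 10-minute window are assumptions made for illustration.

```python
from datetime import datetime, timedelta

STAGES = ("iso_written", "powershell_started", "task_created")  # chain order
WINDOW = timedelta(minutes=10)  # assumed correlation window, tune per site

def classify(ev):
    """Map one simplified endpoint event to a chain stage, or None."""
    if ev["kind"] == "file_create" and ev["path"].lower().endswith(".iso"):
        return "iso_written"
    if ev["kind"] == "process_create" and ev["image"].lower().endswith("\\powershell.exe"):
        return "powershell_started"
    if ev["kind"] == "task_create":
        return "task_created"
    return None

def find_chains(events):
    """Return {host: [(t_iso, t_powershell, t_task), ...]} for ordered chains inside WINDOW."""
    progress, hits = {}, {}
    for ev in sorted(events, key=lambda e: e["time"]):
        stage = classify(ev)
        if stage is None:
            continue
        seen = progress.setdefault(ev["host"], [])
        if seen and ev["time"] - seen[0] > WINDOW:
            seen.clear()                      # partial chain went stale
        if stage == STAGES[len(seen)]:
            seen.append(ev["time"])           # next expected stage
        elif stage == STAGES[0]:
            seen[:] = [ev["time"]]            # a newer ISO restarts the chain
        if len(seen) == len(STAGES):
            hits.setdefault(ev["host"], []).append(tuple(seen))
            seen.clear()
    return hits

def make_event(host, ts, kind, **fields):
    return {"host": host, "time": datetime.fromisoformat(ts), "kind": kind, **fields}

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed sample events (hypothetical hosts, paths and task names).
SAMPLE = [
    make_event("FRONTDESK-01", "2022-08-01T09:00:05", "file_create", path=r"C:\Users\desk\Downloads\reservation.iso"),
    make_event("FRONTDESK-01", "2022-08-01T09:01:10", "process_create", image=PS),
    make_event("FRONTDESK-01", "2022-08-01T09:01:40", "task_create", task=r"\ExampleTask"),
    make_event("ADMIN-02", "2022-08-01T10:00:00", "process_create", image=PS),       # no ISO: ignored
    make_event("ADMIN-02", "2022-08-01T10:00:30", "task_create", task=r"\Backup"),
    make_event("BACKOFFICE-03", "2022-08-01T08:00:00", "file_create", path=r"D:\images\installer.iso"),
    make_event("BACKOFFICE-03", "2022-08-01T13:00:00", "process_create", image=PS),  # hours later: stale
    make_event("BACKOFFICE-03", "2022-08-01T13:00:20", "task_create", task=r"\Patch"),
]
```

Calling `find_chains(SAMPLE)` flags only FRONTDESK-01; the administrative host without an ISO and the host whose ISO predates the PowerShell activity by hours are not reported.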

After hotel systems are compromised with RAT malware, TA558 enters the network to steal customer data and stored credit card details, and to modify customer-facing websites to divert payments from reservations.

New techniques in response to Microsoft

In 2022, TA558 moved away from using macro documents in their phishing emails and adopted RAR and ISO attachments or embedded URLs in the messages. According to Bleeping Computer, this type of threat is beginning to be used more in response to Microsoft's decision to block VBA and XL4 macros in Office, which hackers historically used to load, drop, and install malware via malicious documents.

Thefts can involve large amounts of money: last July, the Marino Boutique Hotel in Lisbon, Portugal, had its Booking.com account hacked, and the intruder stole 500,000 euros in just four days from unsuspecting customers who had paid to reserve a room. It is not yet known whether this phishing was responsible, but it is believed that it could have been.