| TA558 | |
|---|---|
| Location | Unknown |
| Date of initial activity | 2018 |
| Suspected attribution | Unknown |
| Associated Groups | Unknown |
| Motivation | Financially-motivated cybercrime actor |
| Associated tools | Since 2018, TA558 has used at least 15 different malware families, sometimes with overlapping command and control (C2) domains. The most frequently observed payloads include Loda, Vjw0rm, AsyncRAT, and Revenge RAT. |
| Active | Yes |
Overview
Beginning in 2018, security experts have monitored the activities of a financially-driven cybercriminal entity known as TA558, which specifically targets businesses in the hospitality, travel, and associated sectors across Latin America, sporadically extending its reach to North America and Western Europe. Utilizing a multilingual approach, the actor employs malicious emails crafted in Portuguese, Spanish, and occasionally English, often employing reservation-themed lures centered around hotel room bookings or other business-related topics. These emails serve as vectors for the distribution of various malware payloads, with at least 15 distinct types identified thus far.
Common targets
Hospitality, hotel, and travel organizations in Latin America, and sometimes in North America and Western Europe
Attack Vectors
Malicious emails written in Portuguese, Spanish, and sometimes English. The emails use reservation-themed lures with business-relevant themes such as hotel room bookings. The emails may contain malicious attachments or URLs aiming to distribute one of at least 15 different malware payloads, typically remote access trojans (RATs), that can enable reconnaissance, data theft, and distribution of follow-on payloads.
How they operate
Proofpoint first observed TA558 in April 2018. Using malicious Word attachments that either exploited Equation Editor vulnerabilities or fetched remote template URLs, the group delivered malware such as Loda and Revenge RAT. These campaigns, conducted primarily in Spanish and Portuguese, targeted the hospitality sector and were often themed around reservations.
Throughout 2019, TA558 persisted in leveraging Equation Editor exploits, incorporating macro-laden PowerPoint and Office documents. Its malware repertoire expanded to include Loda, vjw0rm, and Revenge RAT, while targeting expanded to encompass business services and manufacturing. Notably, the group began incorporating English-language lures related to room bookings alongside Portuguese and Spanish.
In 2020, TA558 shifted away from Equation Editor exploits, adopting malicious Office documents with macros. Despite a slight uptick in English-language lures, Portuguese and Spanish remained prevalent in reservation-themed requests. The group diversified its malware arsenal with njRAT and Ozone RAT, maintaining a focus on hotel and travel organizations.
In 2021, TA558 refined its tactics, employing Office exploits and more elaborate attack chains, including masquerading as Brazilian medical cooperatives to distribute AsyncRAT. In 2022 the campaign tempo increased significantly, with a shift to container files and increased use of URLs to deliver payloads. Notably, TA558 temporarily pivoted away from reservation themes, using QuickBooks invoice email lures to distribute Revenge RAT.
Recent developments include the adoption of steganography, dubbed SteganoAmor, to conceal malware delivery, including Agent Tesla, FormBook, and Remcos RAT. Phishing attacks targeting enterprises across multiple countries, facilitated by compromised SMTP servers and infected FTP servers, demonstrate TA558’s evolving sophistication and persistence in cyber operations.
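As an added illustration (not code from this page or from any of the referenced reports), the check below inspects a Word document for the remote template delivery mechanism described above: a .docx whose attachedTemplate relationship points at an external http(s) URL, which makes Word fetch the template over the network when the file is opened. The minimal sample document and the example.invalid URL are constructed here purely as a test fixture.

```python
import io
import re
import zipfile

# OOXML relationship type for a template attached to a Word document.
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
SETTINGS_RELS = "word/_rels/settings.xml.rels"


def find_remote_templates(docx_bytes: bytes) -> list:
    """Return http(s) targets of attachedTemplate relationships in a .docx.

    A local template path is normal; an external URL means Word will fetch the
    template (and run any macros it carries) over the network when the file opens.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if SETTINGS_RELS not in z.namelist():
            return hits
        rels = z.read(SETTINGS_RELS).decode("utf-8", errors="replace")
        for tag in re.findall(r"<Relationship\b[^>]*>", rels):
            if ATTACHED_TEMPLATE not in tag:
                continue
            target = re.search(r'Target="([^"]*)"', tag)
            mode = re.search(r'TargetMode="([^"]*)"', tag)
            if (target and mode and mode.group(1) == "External"
                    and re.match(r"(?i)https?://", target.group(1))):
                hits.append(target.group(1))
    return hits


def build_sample_docx(template_target: str, external: bool) -> bytes:
    """Build a minimal constructed .docx in memory (test fixture, not a real sample)."""
    mode = ' TargetMode="External"' if external else ""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" Target="{template_target}"{mode}/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/settings.xml", '<w:settings><w:attachedTemplate r:id="rId1"/></w:settings>')
        z.writestr(SETTINGS_RELS, rels)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx("http://example.invalid/reserva.dotm", True)  # constructed URL
    print(find_remote_templates(sample))  # ['http://example.invalid/reserva.dotm']
```

Documents that reference a template by local path, or with no TargetMode="External", are not flagged; only network-fetched templates are reported for review.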
Significant Attacks
- The booking account of a hotel in Lisbon was hacked. (July 2022)
- TA558 has been observed leveraging steganography as an obfuscation technique to deliver a wide range of malware. (April 2024)
References:
- Through the Booking account of a hotel in Lisbon, the hacker only needed four days to profit 500 thousand euros
- TA558 Hackers Weaponize Images for Wide-Scale Malware Attacks
- Reservations Requested: TA558 Targets Hospitality and Travel
- TA558 APT Group Uses Malicious Microsoft Compiled HTML Help Files
- SteganoAmor campaign: TA558 mass-attacking companies and public institutions all around the world