Click the link. ‘Confirm your reservation.’ Boom—AsyncRAT’s burrowing into your laptop, courtesy of TA558.
These clowns never quit. After COVID grounded everyone, this threat group—tracked since 2018—smells blood in the skies. Travel’s booming. Bookings up. And here’s TA558, Portuguese phishing pros, spamming fake hotel emails like it’s 2019 all over again.
Proofpoint nailed it in their report. TA558’s evolved. No more lazy Word macros. Now it’s RAR and ISO attachments—compressed nasties that unzip straight to hell if you’re dumb enough to double-click.
“TA558 began using URLs more frequently in 2022. TA558 conducted 27 campaigns with URLs in 2022, compared to just five campaigns total from 2018 through 2021. Typically, URLs led to container files such as ISOs or zip [RAR] files containing executables,” Proofpoint wrote.
That’s a 5x jump, folks. From sleepy to hyperactive.
Why the RAR/ISO Switcheroo?
Microsoft got smart—kinda. Late 2021, they started nuking Office macros by default. VBA? XL4? Dead on arrival for most users. TA558 shrugged. Pivoted to archives. RAR and ISO look innocent. Download the ‘reservation confirmation.’ Execute. Watch PowerShell summon the RAT demons.
AsyncRAT. Loda. Revenge RAT. Pick your poison. These remote access trojans don’t mess around—recon, steal data, drop more crap. Financial motive? Obvious. Steal creds from travel firms in Latin America, North America, Europe. Or hit you, the hapless customer, for your card details.
Sherrod DeGrippo at Proofpoint spells it out: “It’s possible compromises could impact both organizations in the travel industry as well as potentially customers who have used them for vacations.”
Yeah. Your dream vacay funds? Gone.
Picture this: 2018. TA558’s debut. Equation Editor exploits in Word—CVE-2017-11882. Classic. By 2020, 25 campaigns in January alone. Macros everywhere. English lures creep in. But post-pandemic lull? Smart. Waited for the rebound.
Now? URLs galore. Attachments too. Subject: “reserva.” Smells fishy if you’re paying attention—which most aren’t.
TA558’s Rap Sheet: A Hall of Shame
Palo Alto in 2018. Cisco Talos 2020-21. Uptycs 2020. All clocked these guys. Social engineering masters. Emails in Portuguese, Spanish. Hotel bookings as bait. Always.
They hit hospitality hard. Latin America primary. North America, Western Europe secondary. Why? Juicy payment data. Weak security in smaller firms.
But here’s my hot take—the one nobody’s saying: This reeks of 1990s Nigerian 419 scams, upgraded for the ZIP-file era. Back then, faxed letters promised millions. Now? RATs exfil your bank. Same greed, fancier wrapper. And with holidays looming, bet on a surge. Black Friday flights? Cyber Monday hotels? Prime phishing season.
Organizations get the memo: Patch. Train staff. But travelers? You’re on your own. That ‘urgent confirmation’ email at 2 a.m.? Trash it.
How Bad Is This Really?
Medium-high confidence it’s money-grabbers, per Proofpoint. Not nation-state drama. Just crooks scaling up. Steal data, cash out.
Victims decompress the archive. BAT file fires. PowerShell downloads the payload. Game over.
Past tricks? Word docs with remote templates. PowerPoint macros. All neutered by Big Mike. Good. But archives? Antivirus struggles sometimes—especially if it’s a fresh variant.
And the tempo? 2022 exploded. Mix of RATs. Delivery chaos: URLs, RARs, ISOs, even lingering Office docs.
Look, travel industry’s a sitting duck. Uptick in bookings means spike in scams. TA558 knows it. We should too.
Is Your Next Booking a Trap?
Short answer: Maybe.
Check sender. Gmail for Hilton? Nope. Hover links—don’t click. URL pointing at an iso.exe? Run the other way, not the file.
Enable macro blocks. Use endpoint protection that scans archives. MFA everywhere.
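Added example, not code from the post or from Proofpoint’s report: a small Python triage that scores an inbound message on the checks listed here and repeated in the FAQ (a booking-themed subject like ‘reserva’, a RAR/ISO/ZIP attachment or a link to one, a free-mail sender claiming a hotel brand). The word lists, weights, thresholds and the two sample messages are constructed assumptions for illustration.

```python
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Assumptions: lists and weights are illustrative, not from any vendor report.
CONTAINER_EXT = (".rar", ".iso", ".zip", ".img")
LURE_WORDS = ("reserva", "reservation", "booking", "confirm")
FREEMAIL = {"gmail.com", "hotmail.com", "outlook.com", "yahoo.com"}

@dataclass
class Message:
    sender: str          # From: address
    display_name: str    # From: display name the lure may impersonate
    subject: str
    attachments: list = field(default_factory=list)
    urls: list = field(default_factory=list)

def container_ext(name):
    """Return the container extension a filename or URL path ends with, else None."""
    low = name.lower()
    return next((e for e in CONTAINER_EXT if low.endswith(e)), None)

def triage(msg):
    """Score one message; returns (verdict, points, reasons)."""
    hits = []  # (reason, points)
    if any(w in msg.subject.lower() for w in LURE_WORDS):
        hits.append(("booking-themed subject", 1))
    hits += [(f"container attachment {a}", 2)
             for a in msg.attachments if container_ext(a)]
    hits += [(f"link to container file {u}", 2)
             for u in msg.urls if container_ext(urlparse(u).path)]
    domain = msg.sender.rsplit("@", 1)[-1].lower()
    brand = (msg.display_name.split() or [""])[0].lower()
    if domain in FREEMAIL and brand and brand not in domain:
        hits.append((f"free-mail sender posing as '{brand}'", 2))
    points = sum(p for _, p in hits)
    verdict = "quarantine" if points >= 3 else "review" if points >= 2 else "deliver"
    return verdict, points, [r for r, _ in hits]

# Constructed sample messages (no real domains or indicators).
LURE = Message("reservas.hotel@gmail.com", "Hilton Reservations",
               "Confirmacion de reserva #48213",
               urls=["http://example.invalid/reserva/confirmacion.iso"])
LEGIT = Message("noreply@hotel-example.invalid", "Hotel Example",
                "Your reservation is confirmed",
                attachments=["itinerary.pdf"],
                urls=["https://hotel-example.invalid/manage"])

if __name__ == "__main__":
    for m in (LURE, LEGIT):
        print(m.subject, "->", triage(m))
```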
But humans gonna human. Tired traveler, jet-lagged brain. One slip.
Proofpoint urges awareness. Especially LatAm firms. But hey, North Americans—don’t sleep on it.
This isn’t new. It’s persistent. TA558 adapts faster than Microsoft patches. Expect more. Worse.
Dry humor time: Next time you book that beach escape, remember—the real tropical storm might be in your Downloads folder.
Unique angle? Unlike Proofpoint’s straight threat intel, I’m calling the parallel: These aren’t innovators; they’re 419 princes with compression software. Predict: Q4 2023 campaigns double, riding holiday hype. PR spin from security firms? Minimal. They’re just reporting. Travelers need the wake-up.
Frequently Asked Questions
What is TA558 and how do they attack?
TA558 is a financially motivated threat group targeting travel firms since 2018. They send fake reservation emails in Portuguese/Spanish with RAR/ISO links that drop RAT malware like AsyncRAT.
How to spot fake hotel reservation phishing?
Watch for generic subjects like ‘reserva,’ suspicious domains, archive attachments. Hover links. Verify via official site or phone.
Is TA558 only targeting Latin America?
Primarily yes, but North America and Europe too. Post-COVID, campaigns hit anywhere with travel bookings.