TA558

Description

(Proofpoint) Since 2018, Proofpoint has tracked a financially-motivated cybercrime actor, TA558, targeting hospitality, travel, and related industries located in Latin America and sometimes North America, and western Europe. The actor sends malicious emails written in Portuguese, Spanish, and sometimes English. The emails use reservation-themed lures with business-relevant themes such as hotel room bookings. The emails may contain malicious attachments or URLs aiming to distribute one of at least 15 different malware payloads, typically remote access trojans (RATs), that can enable reconnaissance, data theft, and distribution of follow-on payloads.

Names

Name	Name-Giver
TA558	Proofpoint

Country

• Unknown

Motivation

• Financial crime

First Seen

2018

Observed Sectors

• Construction
• Education
• Energy
• Financial
• Government
• Hospitality
• Industrial
• IT
• Pharmaceutical
• Transportation

Observed Countries

• Algeria
• Argentina
• Brazil
• Bulgaria
• Chile
• Colombia
• Costa Rica
• Czech
• Dominican Republic
• Ecuador
• Germany
• Guatemala
• India
• Indonesia
• Lebanon
• Macedonia
• Mexico
• Morocco
• Pakistan
• Peru
• Poland
• Romania
• Russia
• Serbia
• Slovenia
• South Korea
• Spain
• Thailand
• Turkey
• Uruguay
• USA

Tools

• AsyncRAT
• AZORult
• Loda
• njRAT
• RemcosRAT
• Vjw0rm
• RevengeRAT
• XtremeRAT

Operations

• 2023-06: SteganoAmor campaign: TA558 mass-attacking companies and public institutions all around the world https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/steganoamor-campaign-ta558-mass-attacking-companies-and-public-institutions-all-around-the-world/

Information

• https://www.proofpoint.com/us/blog/threat-insight/reservations-requested-ta558-targets-hospitality-and-travel

Other Information

Uuid

2a612bf1-4cfd-436e-90d5-e104966d1f50

Last Card Change

2024-04-22