Cybercrime group TA558 launches phishing campaign against Latin America-based companies

A cybercriminal group called TA558 has started a fresh phishing campaign, this time focusing on organizations in the Latin American region. In this campaign, the group uses Venom RAT (Remote Access Trojan) to gain unauthorized access to systems. With cybercrime involving DarkGate and malvertising becoming increasingly common, this is a concerning development.

The cybercriminal group TA558 has launched another large-scale phishing attack, this time focusing on Latin American businesses and public institutions. The objective is believed to be the installation of Venom RAT, a type of malicious software that grants unauthorized remote access.

According to Idan Tarab, a threat analyst at Perception Point, the TA558 cybercampaign has a broad scope, potentially affecting businesses in Spain, Mexico, the US, Colombia, Portugal, Brazil, the Dominican Republic, and Argentina. It’s unclear if any Latin American crypto companies have been breached by this group, but Tarab emphasized the campaign’s far-reaching impact, extending beyond hotels and travel agencies to target fintech, manufacturing, and industrial enterprises.

Based on Tarab's findings, the new attack chain starts with phishing emails sent to gain initial access. Once recipients fall for the lure and open the malicious email attachment, Venom RAT is installed. This RAT (Remote Access Trojan), an offshoot of Quasar RAT, comes with capabilities to steal sensitive data such as passwords, photos, and financial records, and allows remote control of infected systems.

TA558, active since at least 2018, has primarily targeted organizations in the Latin American region. The group's operations have used various malware families, including Loda RAT, Vjw0rm, and Revenge RAT.

Separately, cybersecurity researchers recently discovered a new phishing kit named CryptoChameleon. This toolkit has been used in attempts to deceive employees of the Federal Communications Commission and staff members of crypto companies such as Coinbase, Binance, Gemini, Kraken, ShakePay, and Trezor.

According to experts at Lookout, the attackers use advanced social engineering methods. They create fraudulent single sign-on pages that closely resemble genuine ones from Okta, a well-known cloud authentication service. In this multi-channel attack, victims, mainly in the United States, receive emails, text messages, and phone calls designed to trick them into revealing login credentials and other confidential data.

2024-04-02 12:06