The threat actor known as TA558 has been attributed to a massive new phishing campaign targeting a wide range of industries in Latin America with the aim of deploying Venom RAT.
The attacks primarily targeted the hotel, travel, trade, financial, manufacturing, industrial and government sectors in Spain, Mexico, the United States, Colombia, Portugal, Brazil, the Dominican Republic and Argentina.
Active since at least 2018, TA558 has a history of targeting entities in the LATAM region to deliver a variety of malware such as Loda RAT, Vjw0rm, and Revenge RAT.
The latest infection chain, according to Perception Point researcher Idan Tarab, leverages phishing emails as an initial entry vector to deliver Venom RAT, a fork of Quasar RAT equipped with capabilities to collect sensitive data and commandeer systems remotely.
The disclosure comes as threat actors have been increasingly observed using the DarkGate malware loader following law enforcement’s takedown of QakBot last year to target financial institutions in Europe and the United States.
“Ransomware groups use DarkGate to create an initial foothold and deploy various types of malware into corporate networks,” noted EclecticIQ researcher Arda Büyükkaya.
“These include, but are not limited to, information thieves, ransomware, and remote management tools. The goal of these threat actors is to increase the number of infected devices and the volume of data exfiltrated from a victim.”
It also follows the emergence of malvertising campaigns designed to deliver malware such as FakeUpdates (also known as SocGholish), Nitrogen, and Rhadamanthys.
Earlier this month, Israeli ad security firm GeoEdge revealed that a well-known malvertising group identified as ScamClub “has shifted its focus towards video malvertising attacks, resulting in an increase in VAST forced redirect volumes since 11 February 2024”.
The attacks involve the malicious use of Video Ad Serving Template (VAST) tags, normally used for video advertising, to redirect unsuspecting users to fraudulent or scam pages, but only after certain client-side and server-side fingerprinting checks have been passed.
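A VAST tag is an XML document in which every URL-bearing element (the wrapper redirect, impression and tracking pixels, click-through destinations, media files) is a place where control can be handed to a third-party server. The following audit script is an added example, not code from GeoEdge or from the article: it parses a VAST document and flags any URL whose host is not on the publisher's expected ad-server allowlist. The allowlisted domains and the sample VAST document are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed allowlist: the ad-serving hosts this (hypothetical) publisher expects.
TRUSTED_AD_DOMAINS = {"ads.example-publisher.com", "cdn.example-adserver.net"}

# VAST 3/4 elements whose text content is a URL. Each one is a potential
# redirect or side channel, so an audit must look at all of them, not just
# the media file.
URL_ELEMENTS = ("VASTAdTagURI", "MediaFile", "ClickThrough", "ClickTracking",
                "Tracking", "Impression", "Error")


def extract_urls(vast_xml: str):
    """Return (element_name, url) pairs for every URL-bearing element."""
    root = ET.fromstring(vast_xml)
    found = []
    for tag in URL_ELEMENTS:
        for el in root.iter(tag):
            # ElementTree unwraps CDATA sections transparently.
            if el.text and el.text.strip():
                found.append((tag, el.text.strip()))
    return found


def audit_vast(vast_xml: str, trusted=TRUSTED_AD_DOMAINS):
    """Flag URLs whose host is outside the allowlist.

    A non-http scheme (e.g. javascript:) has no hostname and is flagged too,
    since a click-through that runs script instead of navigating is never
    legitimate in an ad tag.
    """
    findings = []
    for tag, url in extract_urls(vast_xml):
        host = (urlparse(url).hostname or "").lower()
        if host not in trusted:
            findings.append({"element": tag, "host": host, "url": url})
    return findings


# Constructed sample: a wrapper tag whose click-through points off the allowlist.
SAMPLE_VAST = """<?xml version="1.0" encoding="UTF-8"?>
<VAST version="3.0">
  <Ad id="wrapper-1">
    <Wrapper>
      <AdSystem>ExampleAdServer</AdSystem>
      <VASTAdTagURI><![CDATA[https://cdn.example-adserver.net/vast/123]]></VASTAdTagURI>
      <Impression><![CDATA[https://ads.example-publisher.com/imp?id=123]]></Impression>
      <Creatives>
        <Creative>
          <Linear>
            <TrackingEvents>
              <Tracking event="start"><![CDATA[https://ads.example-publisher.com/t?e=start]]></Tracking>
            </TrackingEvents>
            <VideoClicks>
              <ClickThrough><![CDATA[https://redirect.example-scam-tracker.test/go?x=1]]></ClickThrough>
            </VideoClicks>
          </Linear>
        </Creative>
      </Creatives>
    </Wrapper>
  </Ad>
</VAST>"""

if __name__ == "__main__":
    for finding in audit_vast(SAMPLE_VAST):
        print(f"{finding['element']}: unexpected host {finding['host']!r} -> {finding['url']}")
```

Run against the sample, the script reports the single `ClickThrough` element pointing at `redirect.example-scam-tracker.test`; the wrapper redirect, impression and tracking URLs all resolve to allowlisted hosts and are silent. In practice the same check is run on every hop of a wrapper chain, since each `VASTAdTagURI` fetches a new document whose URLs must be audited in turn.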
Most victims are in the United States (60.5%), followed by Canada (7.2%), the United Kingdom (4.8%), Germany (2.1%) and Malaysia (1.7%), among others.