
Cybercrime group TA558 strikes phishing campaign against Latin America-based companies

crypto.news, 02 April 2024 09:20 UTC

Threat actor TA558 has launched a new phishing campaign targeting Latin American sectors with Venom RAT, amid rising cyber threats exploiting DarkGate and malvertising.

Cybergang TA558 is once again targeting Latin American companies and government agencies in what appears to be a massive phishing campaign aimed at installing Venom RAT, a remote access trojan.

First reported by Idan Tarab, a threat analyst at Perception Point, the campaign casts its net wide, targeting industries in Spain, Mexico, the U.S., Colombia, Portugal, Brazil, the Dominican Republic, and Argentina. Although it remains uncertain if any crypto company based in Latin America fell victim to a breach orchestrated by TA558, Tarab stressed the extensive reach of the campaign, which spans beyond hotels and travel agencies to encompass fintech, manufacturing, and industrial enterprises.

According to Tarab, the latest attack chain uses phishing emails as the primary means of initial access, with Venom RAT dropped subsequently. This particular strain, a derivative of Quasar RAT, is equipped with functionality for extracting sensitive data (e.g. passwords, photos, financial records, etc.) and for remote system control.

TA558, active since at least 2018, has a history of focusing on entities within the Latin American region, employing a range of malware including Loda RAT, Vjw0rm, and Revenge RAT.


Earlier this year, cybersecurity researchers found a new phishing toolkit dubbed CryptoChameleon, targeting Federal Communications Commission employees and staff of crypto firms including Coinbase, Binance, Gemini, Kraken, ShakePay, and Trezor.

As detailed by analysts from Lookout, the attackers employ sophisticated social engineering tactics, leveraging convincing single sign-on pages mimicking authentic ones from Okta, a cloud service provider for authentication. This multi-stage assault encompasses emails, SMS, and voice phishing to coerce victims into divulging crucial credentials and sensitive information, primarily in the U.S.
