Massive Phishing Campaign Deploys Venom RAT Across Latin American Sectors

The threat actor identified as TA558 has been linked to a new large-scale phishing campaign that targets a variety of industries in Latin America to distribute Venom RAT.

The attacks primarily targeted the hotel, travel, trade, banking, production, industrial, and government sectors in Spain, Mexico, the United States, Colombia, Portugal, Brazil, the Dominican Republic, and Argentina.

TA558 has been active since at least 2018, targeting entities in the LATAM area with various malware, namely Loda RAT, Vjw0rm, and Revenge RAT.

According to Perception Point researcher Idan Tarab, “The current infection chain utilizes phishing emails as an initial access vector. It delivers Venom RAT, a Quasar RAT derivative. Venom RAT has the capability to extract sensitive data. It can also remotely take over devices.”

The discovery comes as threat actors have been seen increasingly leveraging the DarkGate malware loader, primarily to attack financial institutions in Europe and the United States. This activity has followed the law enforcement takedown of QakBot last year.

According to EclecticIQ analyst Arda Büyükkaya, “Ransomware groups use DarkGate to establish an initial presence and deploy multiple kinds of malware in company networks.”

“These include data theft, ransomware, and remote management tools. These threat actors aim to increase the number of infected devices and the amount of exfiltrated data from victims.”



It also coincides with the emergence of malvertising campaigns that distribute malware such as FakeUpdates (aka SocGholish), Nitrogen, and Rhadamanthys.

Earlier this month, Israeli ad security firm GeoEdge discovered that “a renowned malvertising organization called ScamClub has shifted its focus towards video fraudulent advertising attacks. Since February, the volumes of VAST-forced diverts initiated by ScamClub have increased significantly.”

The attacks use malicious Video Ad Serving Template (VAST) tags in video advertising to redirect unwary viewers to fraudulent or scam URLs. However, this redirection only occurs after specific client-side and server-side fingerprinting methods have been applied.

The bulk of the victims (60.5%) live in the United States, followed by Canada (7.2%), the United Kingdom (4.8%), Germany (2.1%), and Malaysia (1.7%), among others.