The Darkhotel campaign, which targets business users of luxury hotels, has evolved with the use of new techniques and a previously unknown zero-day vulnerability from Hacking Team's stolen files.
In a blog post on SecureList, Kaspersky researchers said many older techniques used in the original Darkhotel advanced persistent threat (APT) attacks, including the misuse of stolen certificates, the use of .hta files and infiltrating hotel Wi-Fi networks in order to place backdoors and dupe business victims are still in use.
However, the cybercriminals controlling this campaign have ramped up their game with new strains of malicious .hta files, .rar attachments with RTLO spearphishing, the deployment of a zero-day vulnerability taken from the stolen Hacking Team archives -- and are also focusing on new targets.
According to the researchers, the Darkhotel APT has extended beyond its original geographical confines, and victims in North Korea, Russia, South Korea, Japan, Thailand, India and Germany have been detected. Originally, individuals were targeted in luxury hotels when traveling within the APAC region.
Darkhotel is now also striking diplomatic and political targets as well as commercial victims -- and is certainly persistent in this pursuit. When spearphishing -- sending fraudulent emails designed to look legitimate to specific targets in order to dupe victims into handing over credentials or download malicious code -- if one attempt fails, the threat actors will return several months later to try again.
If downloaded, executables are hidden by innocent-looking .jpg image files. If the victim attempts to view the image file, an image is dropped alongside the launch of 'mspaint.exe,' which then executes a multiline target shell script and downloads additional malicious executables.
The campaign also employs the use of malicious, java-laden .hta files as backdoor hosts and downloaders after a machine has been compromised in order to spy on its victims and potentially steal sensitive data.
According to Kaspersky, the Darkhotel group also "maintains a stockpile of stolen certificates and deploys their downloaders and the backdoors signed with them."
Darkhotel has also evolved to the point where code is generally hidden behind layers of encryption to avoid detection.
"It is likely that it has slowly adapted to attacking better-defended environments and prefers not to burn these stolen digital certificates," Kaspersky says. "In previous attacks it would simply have taken advantage of a long list of weakly implemented, broken certificates."
An interesting change within the campaign is the use of a previously unknown zero-day vulnerability lifted from Hacking Team's stolen cache of corporate files. The surveillance team's files were leaked online in July, Hacking Team's corporate files soon became the object of interest for researchers discovering new zero-day attacks against systems -- and vendors began furiously patching flaws to prevent the attacks being used in the future.
However, releasing a critical patch and ensuring the customer applies the patch are different matters altogether -- and unpatched systems are still vulnerable. Kaspersky researchers say the leaked Hacking Team zero-day is deployed through a compromised website, tisone360.com.
Kurt Baumgartner, Principal Security Researcher at Kaspersky Lab commented:
"Darkhotel has returned with yet another Adobe Flash Player exploit hosted on a compromised website, and this time it appears to have been driven by the Hacking Team leak. The group has previously delivered a different Flash exploit on the same website, which we reported as a zero-day to Adobe in January 2014.
Darkhotel seems to have burned through a pile of Flash zero-day and half-day exploits over the past few years, and it may have stockpiled more to perform precise attacks on high-level individuals globally. From previous attacks we know that Darkhotel spies on CEOs, senior vice presidents, sales and marketing directors and top R&D staff."
Cybersecurity reads which belong on every bookshelf