Darkhotel APT group relied also on Hacking Team’s exploits

Kaspersky revealed provided an update of the report on the Darkhotel APT that targets executives traveling across Asia through hotel internet networks.

In November 2014, Kaspersky Lab published a report on the activities of the Darkhotel APT group. Security experts at Kaspersky Lab uncovered the Darkhotel espionage campaign, which is ongoing for at least four years while targeting selected corporate executives traveling abroad. According to the experts threat actors behind the Darkhotel campaign aim to steal sensitive data from executives while they are staying in luxury hotels, the worrying news is that the hacking crew is still active.

According to the experts, the APT group, which appears to be Korean speaker, used surgical spear phishing attacks to serve malware to victims.

The report issued in 2014 revealed that nearly 90% of infections were detected in the top five countries, Japan, Taiwan, China, Russia and Korea.

d1

According to an update provided by Kaspersky Lab, the organizations targeted by the DarkHotel APT in 2015 are located in North Korea, Russia, South Korea, Japan, Bangladesh, Thailand, India, Mozambique and Germany.

It’s interesting to note that Darkhotel’s phishing emails contained links to Flash Player exploits disclosed following the data breach suffered by the Hacking Team surveillance firm.

“…at the beginning of July, it began to distribute what is reported to be a leaked Hacking Team Flash 0day. It looks like the Darkhotel APT may have been using the leaked HackingTeam Flash 0day to target specific systems. We can pivot from “tisone360.com” to identify some of this activity. ” Kaspersky wrote in a blog post.

The DarkHotel APT has been using obfuscated HTML Application (HTA) files to serve backdoor and downloader code on infected systems since 2010, now security experts discovered new variants of the malicious HTA files.

“It’s somewhat strange to see such heavy reliance on older Windows-specific technology like HTML applications, introduced by Microsoft in 1999,” experts noted.

The hackers also improved the obfuscation techniques using more efficient evasion methods, in one case analyzed by the experts a signed downloaders was developed to detect known antivirus solutions.

The spear-phishing emails used by the Darkhotel group contain .rar archives that appear to contain a harmless .jpg file. In reality, the file is a .scr executable that appears like a JPEG using a technique known as right-to-left override (RTLO). When the file is opened, an image is displayed in the Paint application, while the malicious code is executed in the background.

Another novelty for the espionage campaign run by the Darkhotel APT group is the use of stolen digital certificates that are used to sign malware.

“The group appears to maintain a stockpile of stolen certificates and deploys their downloaders and the backdoors signed with them. Some of the more recent revoked certificates include ones that belong to Xuchang Hongguang Technology Co. Ltd. Darkhotel now tends to hide its code behind layers of encryption. It is likely that it has slowly adapted to attacking better-defended environments and prefers not to burn these stolen digital certificates,” Kaspersky said.

Stay Tuned, Kaspersky will continue to follow the DarkHotel APT.

Pierluigi Paganini

FAIR USE NOTICE: Under the "fair use" act, another author may make limited use of the original author's work without asking permission. Pursuant to 17 U.S. Code § 107, certain uses of copyrighted material "for purposes such as criticism, comment, news reporting, teaching (including multiple copies for classroom use), scholarship, or research, is not an infringement of copyright." As a matter of policy, fair use is based on the belief that the public is entitled to freely use portions of copyrighted materials for purposes of commentary and criticism. The fair use privilege is perhaps the most significant limitation on a copyright owner's exclusive rights. Cyber Defense Media Group is a news reporting company, reporting cyber news, events, information and much more at no charge at our website Cyber Defense Magazine. All images and reporting are done exclusively under the Fair Use of the US copyright act.

Global InfoSec Awards 2022

We are in our 10th year, and these awards are incredibly well received – helping build buzz, customer awareness, sales and marketing growth opportunities, investment opportunities and so much more.

APPLY NOW

10th Anniversary Exclusive Top 100 CISO Conference & Innovators Showcase

X