Security experts at Kaspersky Lab uncovered the Darkhotel espionage campaign, which is ongoing for at least four years while targeting selected corporate executives traveling abroad. According to the experts, threat actors behind the Darkhotel campaign aim to steal sensitive data from executives while they are staying in luxury hotels, the worrying news is that the hacking crew is still active.
The attackers appear high skilled professionals that exfiltrate data of interest with a surgical precision and deleting any trace of their activity, the researchers noticed that the gangs never go after the same target twice. The list of targets includes CEOs, senior vice presidents, top R&D engineers, sales and marketing directors from the USA and Asia traveling for business in the APAC region.
As reported in the following chart nearly 90% of infections were detected in the top five countries, Japan, Taiwan, China, Russia and Korea.
The Darkhotel hackers target their victims while accessing to the hotel networks, they wait until the victim connects to the internal Wi-Fi providing his room number and surname to log in. Once logged in, the attackers trick the company executive into downloading and installing a malware that pretends to be an update for the legitimate software, such as Adobe Flash, Google Toolbar, and Windows Messenger.
Once the victims have installed the backdoor, the Darkhotel actor uses it to download further malicious payload and data stealing tools, including a digitally-signed advanced keylogger, the Trojan ‘Karba’ and an information-stealing module.
“When unsuspecting guests, including situationally aware corporate executives and high-tech entrepreneurs, travel to a variety of hotels and connect to the internet, they are infected with a rare APT Trojan posing as any one of several major software releases. ” states the report from Kaspersky Lab.
Darkhotel crew arsenal includes tools that are able to collect a huge quantity of user data, including keystrokes and cached passwords in most popular browsers. The attackers also search login credentials for principal web services, including Google, Gmail Notifier, Twitter, Facebook, and Yahoo!. The threat actors once siphoned all the necessary data, are able to carefully delete their tools from the hotel network and disappear.
“For the past few years, a strong actor named Darkhotel has performed a number of successful attacks against high-profile individuals, employing methods and techniques that go well beyond typical cybercriminal behavior. This threat actor has operational competence, mathematical and crypto-analytical offensive capabilities, and other resources that are sufficient to abuse trusted commercial networks and target specific victim categories with strategic precision.” said Kurt Baumgartner, principal security researcher at Kaspersky Lab. “The mix of both targeted and indiscriminate attacks is becoming more and more common in the APT scene, where targeted attacks are used to compromise high profile victims, and botnet-style operations are used for mass surveillance or performing other tasks such as DDoSing hostile parties or simply upgrading interesting victims to more sophisticated espionage tools,” added Baumgartner.
Kurt Baumgartner highlighted the Darkhotel APT’s indiscriminate backdoor spreading citing way it is delivered as part of a large archive. The Darkhotel APT has indiscriminately infected systems trusted and untrusted resources.
“An example of the Darkhotel APT’s indiscriminate malware spreading is demonstrated by the way it seeds Japanese p2p sharing sites, where the malware is delivered as a part of a large (approximately 900mb) rar archive. The archive is also spread over bittorrent, as detailed below. Darkhotel uses this method to distribute their Karba Trojan. These Japanese archives, translated for Chinese speaking viewers, appear to be sexual in nature, part of an anime sex/military comic scene, exposing the likely interests of potential targets. ” is written in the report.
According to the finding proposed in the report, the Darkhotel crew also occasionally used 0-day exploits when required.
“This crew occasionally deploys 0-day exploits, but burns them when required. In the past few years, they deployed 0-day spear-phishing attacks targeting Adobe products and Microsoft Internet Explorer, including CVE-20100188. In early 2014, our researchers exposed their use of CVE-20140497, a Flash 0-day described on Securelist in early February.”
When executives are traveling abroad are obviously more exposed to cyber threats, The Darkhotel campaign is just the tip of the iceberg, many other attacks are daily managed by criminal gangs and Intelligence agencies worldwide.
Expert at Kaspersky Lab provided the following tips to avoid falling victim of the scams.
(Security Affairs – (Darkhotel, cyber espionage)