According to Bitdefender, DarkHotel APT is back and it is targeting government employees with an interest in North Korea with a technique dubbed inexsmar.
According to the security firm Bitdefender, the DarkHotel APT is back and it is targeting government employees with an interest in North Korea with new techniques.
The hackers’ victims have been discovered in several countries, including North Korea, Russia, South Korea, Japan, Bangladesh, Thailand, Taiwan, China, the United States, India, Mozambique, Indonesia and Germany.
The first Darkhotel espionage campaign was spotted by experts at Kaspersky Lab in late 2014, according to the researchers the APT group has been around for nearly a decade while targeting selected corporate executives traveling abroad. According to the
According to the experts, threat actors behind the Darkhotel campaign aimed to steal sensitive data from executives while they are staying in luxury hotels, the worrying news is that the hacking crew is still active.
The attackers appeared high skilled professionals that exfiltrated data of interest with a surgical precision and deleting any trace of their activity. The researchers noticed that the gang never go after the same target twice. The list of targets includes CEOs, senior vice presidents, top R&D engineers, sales and marketing directors from the USA and Asia traveling for business in the APAC region.
Security researchers believe the APT group members are Korean speakers.
The attackers leveraged several methods to hack into the target systems, including zero-day exploits and used as the attack vectors peer-to-peer (P2P) file sharing websites and hotel’s Wi-Fi.
Now the Darkhotel group was using new attack methods and an exploit leaked from Italian surveillance firm Hacking Team.
The attack technique used in recent attacks was dubbed Inexsmar and it was observed in targeted attacks against political figures.
“Our threat researchers have come across a very particular DarkHotel attack known as Inexsmar, which appears to mark a significant departure from the APT group’s traditional modus operandi. This sample dates back to September 2016 and seems to be used in a campaign that targets political figures rather than the usual corporate research and development personnel, CEOs and other senior corporate officials.” reads the analysis published by BitDefender.
“This attack uses a new payload delivery mechanism rather than the consacrated zero-day exploitation techniques, blending social engineering with a relatively complex Trojan to infect its selected pool of victims.”
Hackers spread a Trojan downloader via phishing emails, the malicious code is used to gather information on the infected device and sends it back to attackers. If the infected systems meet specific requirements a first stage downloader, disguised as a component of OpenSSL, is fetched. In this phase, the malicious code opens a document titled “Pyongyang e-mail lists – September 2016,” that contains email contacts for various organizations in Pyongyang.
The attack stops if the requirements are not satisfied, otherwise, another payload is delivered.
Unfortunately, at the time of the investigation, the C&C server was offline and researchers were not able to collect further details about the attack.
The use of a multi-stage downloader represents the major improvement compared to the use of exploits because it allows attackers to improve the distribution and the update of the malware.
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US.
Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.
Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.