{"id":15090,"date":"2015-08-11T18:01:03","date_gmt":"2015-08-11T18:01:03","guid":{"rendered":"http:\/\/kasperskydaily.com\/b2b\/?p=4357"},"modified":"2020-12-14T13:02:21","modified_gmt":"2020-12-14T18:02:21","slug":"darkhotel-hackingteam","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/darkhotel-hackingteam\/15090\/","title":{"rendered":"Spreading the Disease: Darkhotel gets HackingTeam 0-day, but still stoppable"},"content":{"rendered":"<p>Kaspersky Lab experts have investigated a new series of attacks by the Darkhotel cybercriminal group. Featuring an Adobe Flash 0-day exploit from the Hacking Team breach, the attack also has a wider geographic reach. The first <a href=\"https:\/\/securelist.com\/blog\/research\/66779\/the-darkhotel-apt\/\" target=\"_blank\" rel=\"noopener\">sighting<\/a> of Darkhotel is mostly remembered for its unusual spreading mechanism. Along with peer-to-peer and other spreading tactics, this APT has, for several years, maintained a capability to use hotel networks to follow and hit selected targets as they travel around the world.<\/p>\n<p>In 2015, the actors\u2019 preferred techniques shifted towards persistent spear-phishing of their chosen targets. Currently, we\u2019re finding victims in other geographical regions, new variants of malicious .hta and .rar spear-phishing attachments that use the right-to-left override (RTLO) method to fake file extensions, and <a href=\"https:\/\/securelist.com\/blog\/research\/71713\/darkhotels-attacks-in-2015\/\" target=\"_blank\" rel=\"noopener\">the deployment of a 0-day from Hacking Team<\/a>.<\/p>\n<p><strong>It\u2019s not only high-profile targets, and more than the perimeter needs to be secured<\/strong><\/p>\n<p>Darkhotel\u2019s targeted attack modules, which infect hotel networks, show us that state-owned organizations or large enterprises with a lot of sensitive data are not the only targets. 
Relatively small businesses (like hotels, in this case) can become a stepping stone to reach a target, and hotels aren\u2019t the only way to reach corporate C-level managers and their secrets through third-party organizations. So <strong>even small and medium companies have to keep the risk of targeted attacks in mind<\/strong>.<\/p>\n<p>Some enterprises underestimate the value of endpoint protection in their IT security strategy; Darkhotel\u2019s victims could tell a lot about just how important endpoint security is. Portable, mobile devices aren\u2019t always used inside the perimeter; <strong>outside the corporate environment<\/strong>, endpoints connecting through unknown wired and wireless networks should be <strong>properly protected<\/strong>.<\/p>\n<p><strong>How the disease is spreading<\/strong><\/p>\n<p>Now spreading to North and South Korea, Russia, Japan, Thailand and Germany, among others, the Darkhotel campaign begins with a spear-phishing or drive-by infection that exploits the Adobe Flash 0-day.<\/p>\n<p>Some targets are spear-phished repeatedly using similar social-engineering schemes. Darkhotel consistently archives droppers (.scr executable files whose extensions are faked using RTLO) within .rar archives, so that they appear to the target as innocuous .jpg files.<\/p>\n<div id=\"attachment_4358\" style=\"width: 650px\" class=\"wp-caption aligncenter\"><img decoding=\"async\" aria-describedby=\"caption-attachment-4358\" class=\"size-full wp-image-4358\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2015\/08\/06020347\/RTLO-example2-1.png\" alt=\"To check what type it really is, switch to Details view\" width=\"640\" height=\"472\"><p id=\"caption-attachment-4358\" class=\"wp-caption-text\">To check what type it really is, switch to Details view<\/p><\/div>\n<p>In addition to using the leaked Adobe Flash 0-day to target specific systems, less targeted methods \u2013 including malicious web sites (e.g. 
\u201ctisone360.com\u201d) \u2013 are being used to spread the attack. Alongside the Hacking Team 0-day, the \u201ctisone360.com\u201d site also appears to have been delivering a Flash CVE-2014-0497 exploit. Detailed attack information is available <a href=\"https:\/\/securelist.com\/blog\/research\/71713\/darkhotels-attacks-in-2015\/\" target=\"_blank\" rel=\"noopener\">here<\/a>.<\/p>\n<p><strong>Kaspersky Lab technologies to fight Darkhotel successfully<\/strong><\/p>\n<p>A full list of measures available to mitigate targeted attacks can be found <a href=\"https:\/\/encyclopedia.kaspersky.com\/knowledge\/strategies-for-mitigating-advanced-persistent-threats-apts\/?utm_source=kdaily&amp;utm_medium=blog&amp;utm_campaign=termin-explanation\" target=\"_blank\" rel=\"noopener\">here<\/a>. Kaspersky Lab supports the majority of these measures and recommends implementing as many of them as possible. We detect new Darkhotel downloaders and infostealers with the verdict \u201cTrojan.Win32.Darkhotel.*\u201d; spear-phishing attachments are detected as \u201cTrojan-Dropper.Win32.Dapato.*\u201d and \u201cTrojan-Downloader.Win32.Agent.*\u201d.<\/p>\n<p><strong>0-day prevention<\/strong><\/p>\n<p>Darkhotel\u2019s lightly obfuscated .hta files, used for initial penetration, are detected <strong>using emulation<\/strong> with the \u201cHEUR:Trojan.Script.Iframer\u201d verdict. Heuristic algorithms exist to catch previously unknown malware samples that cannot be detected using databases. Such algorithms are based on knowledge of typical patterns in both file structure and emulated behavior.<\/p>\n<p>Kaspersky Lab\u2019s <a href=\"http:\/\/media.kaspersky.com\/en\/business-security\/AEP_WP%20(1).pdf\" target=\"_blank\" rel=\"noopener nofollow\"><strong>Automatic Exploit Prevention<\/strong><\/a> functionality is designed to fight exploits, including 0-days, and is highly effective at detecting Darkhotel components. 
Heuristics and Automatic Exploit Prevention in Kaspersky Lab\u2019s advanced antimalware engine are a crucial part of a multilayered, comprehensive defense.<\/p>\n<p><strong>Apply patches in time<\/strong><\/p>\n<p>Regularly updating installed software to the latest version and patching the OS will help prevent a vast range of attacks. Timely patching is most easily achieved using a Patch Management toolkit, such as Kaspersky Lab\u2019s, working together with or instead of Microsoft WSUS. <strong>Vulnerability Assessment<\/strong> and <strong>Patch Management<a href=\"#_ftn1\" name=\"_ftnref1\" target=\"_blank\" rel=\"noopener\"><strong><sup>[1]<\/sup><\/strong><\/a><\/strong> combined will also update all popular third-party software to the latest versions.<\/p>\n<p><strong>Stolen certificates<\/strong><\/p>\n<p>Like other current Advanced Threat groups, Darkhotel uses stolen certificates to give its modules the appearance of trusted apps. Trust in files is based on their reputation, and digital signatures play a big role in gauging that reputation. But a digital signature by itself is not enough to create trust. Kaspersky Lab products <strong>detect digitally signed malware<\/strong>.<\/p>\n<p><strong>Compromised Wi-Fi network start pages<\/strong><\/p>\n<p>The most interesting initial penetration technique in the Darkhotel campaign is its infection of hotels\u2019 startup web pages. Targets, including high-level managers, are infected immediately after authenticating to luxury hotels\u2019 local Wi-Fi networks. 
This attack vector can be successfully mitigated by enabling <strong>Web Anti-Virus in the <\/strong><a href=\"https:\/\/www.kaspersky.com\/business-security\/small-to-medium-business\" target=\"_blank\" rel=\"noopener nofollow\"><strong>Kaspersky Endpoint Security<\/strong><\/a><strong> policy.<\/strong><\/p>\n<p><strong>Known command-and-control server URLs<\/strong><\/p>\n<p>When the command and control (CnC) servers of any targeted attack are identified, we add their addresses to our security database. Kaspersky Lab clients can obtain all the current information about active CnC servers from our special <a href=\"https:\/\/www.kaspersky.com\/enterprise-it-security\/security-intelligence-services\/\" target=\"_blank\" rel=\"noopener nofollow\"><strong>data feed<\/strong><\/a>. This feed can be used (e.g. in a customer\u2019s SIEM system) to alert system administrators to any communication with these malicious servers.<\/p>\n<p><strong>Malicious e-mail attachments<\/strong><\/p>\n<p>Despite all the new ingenious ways to infect hosts, spear-phishing with disguised malicious attachments is still by far the most popular method for malefactors. All <a href=\"https:\/\/www.kaspersky.com\/business-security\/small-to-medium-business\" target=\"_blank\" rel=\"noopener nofollow\">Kaspersky Endpoint Security for Business<\/a> product installations protect hosts from this malware propagation technique. 
Organizations can also deploy <a href=\"https:\/\/www.kaspersky.com\/business-security\/mail-server\" target=\"_blank\" rel=\"noopener nofollow\"><strong>Kaspersky Security for Linux Mail Server<\/strong> or Kaspersky Security for MS Exchange<\/a> centrally to secure business e-mail traffic on the server side.<\/p>\n<p><span class=\"embed-youtube\" style=\"text-align:center; display: block;\"><iframe class=\"youtube-player\" type=\"text\/html\" width=\"640\" height=\"390\" src=\"https:\/\/www.youtube.com\/embed\/D5hYy21cGXo?version=3&amp;rel=1&amp;fs=1&amp;showsearch=0&amp;showinfo=1&amp;iv_load_policy=1&amp;wmode=transparent\" frameborder=\"0\" allowfullscreen=\"true\"><\/iframe><\/span><\/p>\n<p><a href=\"#_ftnref1\" name=\"_ftn1\" target=\"_blank\" rel=\"noopener\"><sup>[1]<\/sup><\/a> Vulnerability Assessment and Patch Management are included in <a href=\"https:\/\/www.kaspersky.com\/business-security\/total\" target=\"_blank\" rel=\"noopener nofollow\">Kaspersky Total Security for Business<\/a>, <a href=\"https:\/\/www.kaspersky.com\/business-security\/endpoint-advanced\" target=\"_blank\" rel=\"noopener nofollow\">Kaspersky Endpoint Security for Business Advanced<\/a> and <a href=\"https:\/\/www.kaspersky.com\/business-security\/systems-management\" target=\"_blank\" rel=\"noopener nofollow\">Kaspersky Systems Management<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Kaspersky Lab experts have investigated a new series of attacks by the Darkhotel cybercriminal group. Here are the details. 
<\/p>\n","protected":false},"author":611,"featured_media":15607,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,3052],"tags":[499,864],"class_list":{"0":"post-15090","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-smb","9":"tag-apt","10":"tag-darkhotel"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/darkhotel-hackingteam\/15090\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/darkhotel-hackingteam\/15090\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/darkhotel-hackingteam\/15090\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/apt\/","name":"APT"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/15090","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/611"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=15090"}],"version-history":[{"count":5,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/15090\/revisions"}],"predecessor-version":[{"id":38043,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/15090\/revisions\/38043"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/15607"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=15090"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=15090"},{"taxonomy":"post_tag","embeddabl
e":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=15090"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}