Virus Type: malware, advanced persistent threat (APT)
What is the Darkhotel Threat?
The threat known as 'Darkhotel' has been analysed by Kaspersky Lab’s Global Research and Analysis Team. Darkhotel combines spear phishing with malware designed to capture confidential data.
The cybercriminals behind Darkhotel have been operating for almost a decade, targeting thousands of victims across the globe. 90% of the Darkhotel infections we have seen are in Japan, Taiwan, China, Russia and Korea, but we have also seen infections in Germany, the USA, Indonesia, India and Ireland.
Virus Threat Details
How does the Darkhotel threat work?
This campaign is unusual in that it employs varying degrees of malicious targeting.
(1) Spear Phishing
At one end of the spectrum, they use spear-phishing e-mails to infiltrate the defense industrial base (DIB), governments, NGOs, large electronics and peripherals manufacturers, pharmaceutical companies, medical providers, military-related organizations and energy policy makers. The attacks follow the typical spear-phishing process, with thoroughly disguised Darkhotel implants. Email-lure content often covers topics such as nuclear energy and weaponry capabilities. Over the past several years, the spear-phishing emails have carried either an attached Adobe zero-day exploit or links that redirect the target's browser to Internet Explorer zero-day exploits. Their aim is to steal data from these organisations.
(2) Malware Delivery
At the other end of the spectrum, they spread malware indiscriminately via Japanese P2P (peer-to-peer) file-sharing sites. The malware is delivered as a part of a large RAR archive that purports to offer sexual content, but installs a backdoor Trojan that gathers confidential data from the victim.
In an approach that lies somewhere between these two, they target unsuspecting executives who are travelling overseas and staying at a hotel. Here the victims are infected with a rare Trojan that masquerades as one of several major software releases, including Google Toolbar, Adobe Flash and Windows Messenger. The attackers use this first-stage infection to qualify their victims; on the computers of the more significant ones, it then downloads further malware designed to steal confidential data from the victim's computer.
Based on a string within the malicious code, the threat appears to originate from a Korean threat actor.
What is the significance of Darkhotel?
Notwithstanding the technical sophistication of many targeted attacks, they typically start by tricking individual employees into doing something that jeopardises corporate security. Staff with public-facing roles (e.g. senior executives, sales and marketing personnel) can be particularly vulnerable, especially since they are often on the road and are likely to use untrusted networks (e.g. at hotels) to connect to a corporate network.
Features of the Darkhotel Campaign
- Targeted attacks focused on C-level victims: CEOs, Senior Vice Presidents, Sales and Marketing Directors and top R&D staff
- The gang uses both targeted attacks and botnet-style operations. They compromise hotel networks, then stage attacks from those networks on selected high-profile victims. At the same time, they use botnet-style operations for mass surveillance or to perform other tasks, such as DDoS (Distributed Denial of Service) attacks, or to install more sophisticated espionage tools on the computers of particularly interesting victims.
- Use of zero-day exploits targeting Internet Explorer and Adobe products.
- Use of an advanced, low-level keylogger to steal confidential data.
- Malicious code signed using stolen digital certificates.
- A persistent campaign – Darkhotel has been operating for almost a decade.
How can I prevent a Darkhotel attack?
Although total prevention can be challenging, here are some tips on how to stay safe when travelling.
- If you plan on accessing public or even semi-public Wi-Fi, only use trusted VPN tunnels
- Learn and understand how spear phishing attacks work
- Maintain and update all system software
- Always verify executable files and treat files shared over P2P networks with caution and suspicion
- When traveling, try to limit software updates
- Install quality Internet security software: make sure it includes proactive defense against new threats rather than just basic antivirus protection
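As an added example (not from the original article), the following PowerShell function shows what "verify executable files" means in practice against a campaign that fakes software updates and signs code with stolen certificates: the signature must be intact, the certificate chain must pass an online revocation check, and the signer must be the publisher you actually expected. The file path and the expected publisher string are placeholders supplied by the caller.

```powershell
# Added example, not from the original article. $Path and $ExpectedSubject are
# placeholders supplied by the caller; no real publisher names are asserted here.
function Test-TrustedInstaller {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedSubject   # substring expected in the signer's Subject
    )
    $result = [ordered]@{ Path = $Path; Trusted = $false; Signer = $null; Thumbprint = $null; Reasons = @() }

    # Step 1: the Authenticode signature itself must be intact and chain to a trusted root.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        $result.Reasons += "Authenticode status $($sig.Status): $($sig.StatusMessage)"
        return [pscustomobject]$result
    }
    $cert = $sig.SignerCertificate
    $result.Signer = $cert.Subject
    $result.Thumbprint = $cert.Thumbprint

    # Step 2: a valid signature only proves the private key was used. Darkhotel shipped code
    # signed with stolen certificates, so re-check revocation online for the whole chain.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    if (-not $chain.Build($cert)) {
        $problems = $chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" }
        $result.Reasons += "Chain did not validate with online revocation: $($problems -join '; ')"
    }

    # Step 3: the signer must be the publisher you expected, not merely *a* valid signer.
    # A lookalike "Flash" or "Toolbar" installer signed by someone else fails here.
    if ($cert.Subject -notlike "*$ExpectedSubject*") {
        $result.Reasons += "Signer '$($cert.Subject)' does not match expected '$ExpectedSubject'"
    }

    $result.Trusted = ($result.Reasons.Count -eq 0)
    return [pscustomobject]$result
}

# Usage with placeholder values: run the installer only if Trusted is $true.
Test-TrustedInstaller -Path 'C:\Downloads\update-setup.exe' -ExpectedSubject 'CN=Expected Publisher'
```

Because the revocation check needs network access, run it from a trusted connection (or over the VPN the tips above recommend) rather than from the hotel network that delivered the file.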