Espionage Program 10 Years Old

Tuesday, November 11, 2014 @ 10:11 AM gHale

“Darkhotel” espionage campaign continues on its mission to steal sensitive data from selected corporate executives travelling abroad.

Darkhotel hits its targets while they are staying in luxury hotels, said researchers at Kaspersky Lab Global Research and Analysis Team. The crew never goes after the same target twice; it operates with precision, obtaining all the valuable data they can from the first contact, deleting traces of their work and fading into the background to await the next high profile target.

BlackEnergy: Analyzing an ICS Threat
BlackEnergy Targets Linux, Routers
ICS Targeted in Malware Campaign
IOServer Fixes Resource Exhaustion Flaw

The most recent travelling targets include executives from the U.S. and Asia doing business and investing in the APAC region: Chief executives, senior vice presidents, sales and marketing directors and top R&D staff. This threat remains active, Kaspersky Lab said in a blog post.

Darkhotel, which could be up to 10 years old, maintains an effective intrusion method set on hotel networks, providing ample access over the years to systems believed to be private and secure. They wait until after check-in when the victim connects to the hotel Wi-Fi network, submitting his room number and surname to login. The attackers see the victim in the compromised network and trick the person into downloading and installing a backdoor that pretends to be an update for legitimate software, such as Google Toolbar, Adobe Flash or Windows Messenger. The unsuspecting executive downloads this hotel “welcome package,” only to infect his machine with a backdoor for the Darkhotel spying software.

Once on a system, the backdoor can further download more advanced stealing tools: A digitally-signed advanced keylogger, the Trojan ‘Karba’ and an information-stealing module. These tools collect data about the system and the anti-malware software installed on it, steal all keystrokes, and hunt for cached passwords in Firefox, Chrome and Internet Explorer; login credentials for Gmail Notifier, Twitter, Facebook, Yahoo! and Google; and other private information. Victims lose sensitive information likely to be the intellectual property of the business entities they represent. After the operation, the attackers carefully delete their tools from the hotel network and go back into hiding.

“For the past few years, a strong actor named Darkhotel has performed a number of successful attacks against high-profile individuals, employing methods and techniques that go well beyond typical cybercriminal behavior,” said Kurt Baumgartner, principal security researcher at Kaspersky Lab. “This threat actor has operational competence, mathematical and crypto-analytical offensive capabilities, and other resources that are sufficient to abuse trusted commercial networks and target specific victim categories with strategic precision.”

However, the malicious activity of Darkhotel can be inconsistent: it is indiscriminate in its spread of malware alongside its highly targeted attacks.

“The mix of both targeted and indiscriminate attacks is becoming more and more common in the APT scene, where targeted attacks are used to compromise high profile victims, and botnet-style operations are used for mass surveillance or performing other tasks such as DDoSing hostile parties or simply upgrading interesting victims to more sophisticated espionage tools,” Baumgartner said.

One way to walk away from the Darkhotel quagmire is when traveling, any network, even semi-private ones in hotels, should fall under the category as potentially dangerous. The Darkhotel case illustrates an evolving attack vector: Individuals who possess valuable information can easily fall victim to Darkhotel itself. To prevent becoming a victim, Kaspersky Lab has the following tips:
• Choose a Virtual Private Network (VPN) provider – you will get an encrypted communication channel when accessing public or semi-public Wi-Fi
• When traveling, always regard software updates as suspicious. Confirm the proposed update installer is signed by the appropriate vendor
• Make sure your Internet security solution includes proactive defense against new threats rather than just basic antivirus protection

Leave a Reply

You must be logged in to post a comment.