Security Experts:

Darkhotel Attackers Target Business Travelers via Hotel Networks

A group of attackers have targeted business travelers in the Asia-Pacific region with a sophisticated cyber-espionage campaign, Kaspersky Lab said today.

Dubbed the "Darkhotel APT," the threat actors use three different malware distribution methods, including malicious Wi-Fi networks, booby-trapped P2P torrents, and highly customized spear phishing, Kaspersky Lab noted in research paper.

The Darkhotel team is "self-contradictory" in its sophistication, as the attacks use highly customized malware but the supporting infrastructure is poorly run, Kurt Baumgartner, a senior threat researcher with the company's Global Research and Analysis Team, told SecurityWeek.

Darkhotel Espionage campaigns targets users in hotelsEven though the distribution mechanisms are so different, they all tie back to the same attack team, which is most likely Korean-speaking, Baumgartner said.

Victims spanned industry sectors and in multiple countries around the globe, including members of the defense industrial base (DIB), military-related organizations, energy policy makers, governments, non-governemental organizations (NGOs), large electronics and peripherals manufacturers, pharmaceutical companies, and medical providers, saidI Kaspersky Lab. The majority of Darkhotel-infected machines appear to be located in Japan, Taiwan, China, Russia and Korea, but there are plenty of victims in other countries such as Germany, the United States, Indonesia, India, and Ireland, according to the report.

Of the three attack methods, the malicious WiFi attacks are the most interesting, Baumgartner said, calling the technique an "abuse of hotel network resources." In this scenario, a business traveler is compromised when connecting to the Wi-Fi network of the hotel he or she is staying at. After the guest enters the last name and room number to establish a connection, the attack tricks the victim into downloading the Darkhotel backdoor masquerading as a software update for popular software tools, such as Adobe Flash, Google Toolbar, or Windows Messenger. Baumgartner said the attackers were not using rogue access points to compromise the victims.

The attack team uses the backdoor to assess the victim's job role to push additional pieces of information-stealing malware on to the computer. There were attempts to steal login credentials for Yahoo Japan, Yandex, and the now-defunct encrypted email service Lavabit, for example. Other pieces had the capability to spread through the internal network via shared drives. The espionage campaign targets business travelers from different countries staying in "hotels in the APAC region," he said. Kaspersky Lab researchers found attack networks in multiple hotels across different hotel chains.

In some cases, the hotel ran its own IT operations and managed its own Wi-Fi network. In other cases, the hotels outsourced the entire operation to a third-party provider, and the providers were different from hotel to hotel. It is not clear at this point whether the hotels themselves are victims or somehow part of the attack, and there are still a lot of questions about this attack technique, Baumgartner said.

In February, Kaspersky Lab detected a spear phishing attack against users in China targeting a zero-day exploit for Adobe Reader. The email typically included topics such as nuclear energy and weaponry capabilities with either a malicious attachment or a link to a site designed to exploit vulnerable versions of Internet Explorer, according to the report. This was a good example of how attackers tend to be opportunistic and use whatever is available before working up to a more sophisticated attack, he said.

These Darkhotel attacks "pinpointed" the victims, Kaspersky Lab said.

The final attack technique used by Darkhotel is a little surprising as it relied on P2P file-sharing sites to distribute Japanese anime movies. Unlike other torrent-based attacks, the movies themselves were not injected with malware. Instead, victims were told to download a decrypting tool along with the encrypted torrent file. The exectuable was injected with malware, so decrypting the torrent file activated the malware and infected the victim machine. This package with encrypted torrent and decrypting tool executable with malware embedded was downloaded over 30,000 times in less than six months.

Unlike the other two attack methods, which targeted a specific group of victims, the P2P method generated a more diverse victim pool. Even so, the malware sorted through the victims, as it knew not to execute on researcher-machines, or on IP addresses which fell within the IP range owned by Trend Micro, Baumgartner said.

"The business executives are still susceptible as they appear to be attracted to these torrents and the delivery vector," Kaspersky Lab said in its report.

Despite the disparate attack methods, the decryptor tool and the backdoor malware used by Darkhotel were all signed with the same digital certificate, used the same command-and-control infrastructure, and shared code components, Baumgartner said. The certificates were legitimate, and not one that had been stolen from someone else, according to the report.

The Darkhotel APT threat actor has been in operation for nearly a decade—some samples of their code date back to 2007, according to Baumgartner—and is still active. The hotel attacks date back to four or five years, but the spear phishing attack was first observed this year, he said.

Considering the sophistication of the attack techniques, it was surprising the infrastructure supporting Darkhotel was fairly rudimentary, Baumgartner said. It was almost as if there were different teams running different aspects of the campaign, such as the operations team maintaining the servers and the developers working on the malware.

Kaspersky researchers had a few basic recommendations on staying safe, such as using VPN tunnels when accessing public or semi-public WiFi networks at hotels and similar places. Users should maintain and regularly update all system software, and when traveling, consider all update prompts as suspicious. Users should learn how to recognize spearphishing attacks and to treat executables downloaded from P2P networks as dangerous.

The full report from Kaspersky Lab is available online in PDF format.

view counter
Fahmida Y. Rashid is a Senior Contributing Writer for SecurityWeek. She has experience writing and reviewing security, core Internet infrastructure, open source, networking, and storage. Before setting out her journalism shingle, she spent nine years as a help-desk technician, software and Web application developer, network administrator, and technology consultant.