seven-year-old cyber espionage campaign has targeted senior level executives from large global companies by using a specialized Advanced Persistent Threat (APT), zero-day exploits, and well-developed keyloggers to extract information from them when they stay in luxury hotels during their business trips.
The researchers at Moscow-based security firm Kaspersky Lab dubbed the threat as “DarkHotel APT,” appear to have the ability to know in advance when a targeted executive checks in and checks out of a hotel.
The group has been operating in Asia since from 2009 but there have been infections recorded in the United States, South Korea, Singapore, Germany, Ireland and many others, as well. It uses hotel Wi-Fi networks to target elite executives at organisations in manufacturing, defense, investment capital, private equity, automotive and other industries.
The group has access to zero day vulnerabilities and exploits, and it used them to infect victims. Threat actors use three different malware distribution methods including malicious Wi-Fi networks, booby-trapped P2P torrents, and highly customized spear phishing, Kaspersky Lab reported in research paper.
When the target executives connect their devices to the hotel’s Wi-Fi or wired Internet access, they are shown bogus software updates, typically something that looks legitimate, for Adobe Flash, Google Toolbar, or Windows Messenger. But these updates also contain a type of malware called a Trojan dropper bundled with moremalware.
“When unsuspecting guests, including situationally aware corporate executives and high-tech entrepreneurs, travel to a variety of hotels and connect to the internet, they are infected with a rare APT Trojan posing as any one of several major software releases,” the researchers wrote in a report published Monday. “These might be GoogleToolbar, Adobe flash, Windows Messenger, etc. This first stage of malware helps the attackers to identify more significant victims, leading to the selective download of more advanced stealing tools.“
“At the hotels, these installs are selectively distributed to targeted individuals. This group of attackers seems to know in advance when these individuals will arrive and depart from their high-end hotels. So, the attackers lay in wait until these travelers arrive and connect to the internet.“
The trojan dropper then installs various keyloggers and other tracking applications in order to track each of the victim’s keystrokes and scan browsers for saved passwords, exposing a wealth of trade secrets and other secret information to the Darkhotel group.
In addition, the Darkhotel malware has ability to manipulate trusted digital certificates by factoring the underlying private keys of the cloned certificates generated using 512-bit md5 keys. The ability of attackers to factor the weak keys for use in such malware attacks has long been known, as advisories issued from Fox-IT, Microsoft, Mozilla, and Entrust warned in 2011.
“All related cases of signed Darkhotel malware share the same Root Certificate Authority and Intermediate Certificate Authority that issued certificates with weak md5 keys (RSA 512 bits),” Monday’s Kaspersky report stated. “We are confident that our Darkhotel threat actor fraudulently duplicated these certificates to sign its malware. These keys were not stolen.“
The Dark Hotel malware operating group have also recently stolen third-party certificates to sign their malware.
In order to protect your device, the easiest way for you is to avoid connecting to hotel Wi-Fi networks or to any other public or untrusted networks, and instead, use your mobile device hotspot to get access to the Internet.