In November 2014, Kaspersky Lab published a report on the activities of Darkhotel, an advanced persistent threat (APT) actor that has been active for nearly eight years.
Security experts at Kaspersky have uncovered the Darkhotel espionage campaign, which involved infiltrating Wi-Fi networks in luxury hotels to compromise targeted corporate executives. It used spear phishing attacks to serve malware to victims, and nearly 90 percent of infections were detected in Japan, Taiwan, China, Russia and Korea.
Over the past year, many of these techniques and activities have been maintained, but Kaspersky Lab has also uncovered new variants of malicious executable files - the ongoing use of stolen certificates, relentless spoofing social-engineering techniques and the deployment of Hacking Team's zero-day vulnerability.
In its latest report, Kaspersky Lab highlighted that the Darkhotel has been using a zero-day vulnerability from Hacking Team's collection since the beginning of July, right after the notorious leak of Hacking Team files on July 5th. Not known to have been a client of Hacking Team, the Darkhotel group appears to have grabbed the files once they became publicly available.
Kaspersky Lab estimates that over the past few years, it may have gone through half a dozen or more zero-days targeting Adobe Flash Player, apparently investing significant money in supplementing its arsenal.
It also noted that the Darkhotel group has extended its geographical reach around the world, while continuing to spearphish targets in North and South Korea, Russia, Japan, Bangladesh, Thailand, India, Mozambique and Germany.
Delving deeper in its techniques, the Darkhotel group appears to maintain a stockpile of stolen certificates and deploys their downloaders and the backdoors signed with them to cheat the targeted system. Some of the more recent revoked certificates include Xuchang Hongguang Technology Co. Ltd., a company whose certificates were used in previous attacks performed by the threat actor.
The Darkhotel APT is also noted to be very persistent in their attacks. It tries to spearphish a target and if it doesn't succeed, it returns several months later for another try with much of the same social-engineering schemes.
With regards to the deployment of Hacking Team's zero-day exploit, the compromised website (tisone360.com) contains a set of backdoors and exploits. The most interesting of these is the Hacking Team Flash zero-day vulnerability.
"Darkhotel has returned with yet another Adobe Flash Player exploit hosted on a compromised website and this time it appears to have been driven by the Hacking Team leak. The group has previously delivered a different Flash exploit on the same website, which we reported as a zero-day to Adobe in January 2014," said Kurt Baumgartner, Principal Security Researcher at Kaspersky Lab.
"Darkhotel seems to have burned through a pile of Flash zero-day and half-day exploits over the past few years, and it may have stockpiled more to perform precise attacks on high-level individuals globally. From previous attacks, we know that Darkhotel spies on CEOs, senior vice presidents, sales and marketing directors and top R&D staff," he added.
Sign up for MIS Asia eNewsletters.