Darkhotel strengthens its attacks with a Hacking Team exploit

Darkhotel: Following the public leak of Hacking Team's files, a company known for selling "legitimate" spyware to government and law enforcement agencies, several digital espionage groups have begun using the tools Hacking Team supplied to its customers for their own malicious attacks.

These include several exploits targeting Adobe Flash Player and the Windows operating system. At least one of them has been used by the "Darkhotel" group, a powerful player in digital espionage.

Kaspersky Lab has discovered that the elite "Darkhotel" espionage group, which its specialists revealed in 2014 and which is known for penetrating the Wi-Fi networks of luxury hotels to target selected business executives, has been using a zero-day exploit from Hacking Team's collection since early July, right after the infamous Hacking Team file leak that month.

Darkhotel is not known to be a Hacking Team customer; the group appears to have taken possession of the tools as soon as they were publicly leaked.

This is not the only zero-day the group is using. Kaspersky Lab estimates that in recent years it may have deployed six or more zero-day exploits targeting Adobe Flash Player, which indicates that the operator is investing significant sums in strengthening its "arsenal".

In 2015, the Darkhotel group has expanded its geographic reach across the globe, while continuing to pursue targets in North and South Korea, Russia, Japan, Bangladesh, Thailand, India, Mozambique and Germany.

Help from the Hacking Team

Security researchers at Kaspersky Lab have recorded new techniques and activities of Darkhotel, a well-known APT actor that has been operating for nearly eight years. In attacks up to 2014, the group used stolen code-signing certificates and adopted unusual methods, such as abusing hotel Wi-Fi networks, to plant spyware on target systems.

In 2015, many of these techniques and activities have been retained, but Kaspersky Lab has also discovered new variants of malicious executables, continued use of stolen certificates, uninterrupted use of social engineering, and the use of zero-day exploits from Hacking Team.

  • Continued use of stolen certificates: The Darkhotel group appears to keep a stock of stolen certificates and uses downloaders and backdoors signed with them to deceive the target system. The most recently revoked certificates include those of Xuchang Hongguang Technology Co. Ltd., a company whose certificates were used in the group's previous attacks.
  • Relentless attacks: The Darkhotel APT is indeed persistent. It tries to compromise the target via backdoors and, if it does not succeed, returns a few months later using roughly the same social engineering techniques.
  • Exploitation of a Hacking Team zero-day: The malicious website tisone360.com hosts a number of backdoors and exploits. The most interesting of these is the Hacking Team Flash zero-day.

"The Darkhotel group has returned with yet another exploit for Adobe Flash Player, hosted on a compromised site. This time, the exploit appears to have come from the Hacking Team leaks. The group had previously used a different Flash exploit, which we reported as an Adobe zero-day in January 2014.

"Darkhotel seems to have had a number of zero-day and half-day exploits in its possession in recent years, and may have amassed even more to carry out specific attacks against high-ranking officials. We know from previous attacks that the Darkhotel group spies on CEOs, executive vice presidents, sales and marketing executives and top R&D executives," said Kurt Baumgartner, Principal Security Researcher at Kaspersky Lab.

Since 2014, the group has improved its defensive techniques, expanding, for example, its list of anti-detection technologies. The 2015 version of the Darkhotel downloader is designed to detect the antivirus technologies of 27 vendors in order to bypass them.

More information is available on Securelist.com.

General information on mitigating APT attacks is available in a dedicated Kaspersky post.


Written by Dimitris
