Darkhotel strengthens its attacks using a Hacking Team exploit

Darkhotel: After the public leak of files from Hacking Team, a company that became known for selling "lawful" spyware to certain government agencies and law enforcement bodies, several cyber-espionage groups have begun using, for their own malicious purposes, the tools that Hacking Team supplied to its customers for carrying out attacks.

These include several exploits aimed at Adobe Flash and the Windows operating system. At least one of them has been used by "Darkhotel", a powerful player in digital espionage.

Kaspersky Lab has discovered that the elite "Darkhotel" espionage group, which its specialists exposed in 2014 and which is notorious for penetrating the Wi-Fi networks of luxury hotels to target selected business executives, has been using a zero-day exploit from Hacking Team's collection since early July, right after the infamous Hacking Team file leak in July.

As it is not known to be a Hacking Team customer, the Darkhotel group appears to have obtained the files once they were leaked publicly.

This is not the only zero-day exploit the group uses. Kaspersky Lab estimates that in recent years it may have had access to six or more zero-day exploits for Adobe Flash Player, which clearly shows that the organization is investing significant sums in building up its "arsenal".

In 2015, the Darkhotel group has expanded its geographic reach across the globe, while continuing to pursue targets in North and South Korea, Russia, Japan, Bangladesh, Thailand, India, Mozambique and Germany.

A helping hand from Hacking Team

Security researchers from Kaspersky Lab have recorded new techniques and activities of Darkhotel, a well-known APT actor that has been operating for nearly eight years. In attacks up to 2014, the group used stolen code-signing certificates and adopted unusual methods, such as abusing hotel Wi-Fi networks, to plant spyware on its targets' systems.

In 2015, many of these techniques and activities have been retained, but Kaspersky Lab has also discovered new variants of the malicious executables, continued use of stolen certificates, uninterrupted use of social engineering techniques, and the use of the zero-day exploit from Hacking Team.

  • Continued use of stolen certificates: The Darkhotel group appears to maintain a stock of stolen certificates and uses downloaders and backdoors signed with them in order to deceive the targeted system. Among the most recently revoked certificates are those of Xuchang Hongguang Co.Ltd., a company whose certificates were used in the threat actor's earlier attacks.
  • Persistent spear-phishing attacks: The Darkhotel attacker is indeed persistent. It tries to reach its target through spear-phishing and, if it fails, returns a few months later using roughly the same social engineering techniques.
  • Use of the Hacking Team zero-day exploit: The malicious website tisone360.com hosts a number of backdoors and exploits. The most interesting of these is the Hacking Team Flash zero-day exploit.

"The Darkhotel team has returned with yet another exploit for Adobe Flash Player, hosted on a compromised site. This time, the exploit appears to come from the Hacking Team leak. The team had previously used a different Flash exploit, which we reported to Adobe as a zero-day vulnerability in January 2014.

Darkhotel seems to have had a number of zero-day and half-day exploits at its disposal in recent years, and may have amassed even more to carry out specific attacks against high-ranking officials. We know from previous attacks that the Darkhotel team is spying on CEOs, executive vice presidents, sales and marketing executives and top R&D executives," said Kurt Baumgartner, Principal Security Researcher at Kaspersky Lab.

Since 2014, the group has improved its defensive techniques, for example by extending its list of anti-detection tricks. The 2015 version of the Darkhotel downloader is designed to detect the antivirus technologies of 27 vendors with the aim of bypassing them.

More details are available on Securelist.com.

General information on mitigating APT attacks is available in a dedicated Kaspersky post.

iGuRu.gr - The Best Technology Site in Greece

Written by Dimitris