Kaspersky Lab's Global Research and Analysis Team has analyzed the espionage campaign known as "Darkhotel", which has been operating covertly for the last four years, stealing sensitive data from selected corporate executives traveling abroad.
Darkhotel attacks its targets during their stays in luxury hotels. The campaign's operators never attack the same target twice. They work with surgical precision, collecting as much valuable data as they can from the first contact, erasing their traces and then withdrawing to wait for the next high-ranking victims. The campaign's most recent targets include top executives from the US and Asia who do business and invest in the Asia-Pacific region: CEOs, executive vice presidents, sales and marketing executives, and senior R&D executives. Kaspersky Lab warns that the threat remains active and that the open question is who the next target will be.
How does the attack on hotels work?
The Darkhotel actor effectively penetrates hotel networks, gaining wide access even to systems that were considered private and secure. The attackers wait until the victim connects to the hotel's Wi-Fi network, entering their room number and surname to log in. Once the victim is on the compromised network, they are tricked into downloading and installing a backdoor presented as a legitimate software update (Google Toolbar, Adobe Flash, or Windows Messenger). The unsuspecting executives download the program and infect their device with the backdoor, which is in fact Darkhotel's spyware.
Once on the device, the backdoor is used to download more advanced tools: a digitally signed advanced keylogger, the "Karba" Trojan, and an information-stealing module. These tools collect data about the system and the anti-malware software installed on it, capture everything the victim types, and search for cached passwords in Firefox, Chrome and Internet Explorer, as well as Gmail Notifier, Twitter, Facebook, Yahoo! and Google login credentials and other personal information. Victims thus lose sensitive information (e.g., their companies' intellectual property). Once the operation is complete, the attackers carefully remove their tools from the hotel network and retreat back into the shadows.
Commenting on Darkhotel's activity, Kurt Baumgartner, Principal Security Researcher at Kaspersky Lab, said: "For some years now, a powerful agent named Darkhotel has carried out a series of successful attacks against important people, using methods and techniques that go beyond the typical behavior of a digital killer. Those who unleash the threat have functional, mathematical and crypto-analytical aggressive capabilities, as well as other resources that are sufficient to abuse trustful commercial networks while targeting specific categories of victims with strategic precision."
Darkhotel's malicious activity is not entirely consistent, however: it also spreads malware indiscriminately while carrying out its highly targeted attacks. More information about how this malware is delivered is available here.
"The combination of targeted and indiscriminate attacks is more and more common in the field of Advanced Persistent Threat (APT), where targeted attacks are used to harass high-profile victims, while botnet campaigns aim at mass surveillance or performing other tasks, such as DDoS attacks on enemy parties, or simply tracking interest targets with more sophisticated spy tools," added Kurt Baumgartner.
According to Kaspersky Lab researchers, the attackers left a footprint in a string inside their malicious code that indicates the actor "speaks" Korean. Kaspersky Lab products detect and neutralize the malware, and its variants, used in Darkhotel's toolkit. Kaspersky Lab is currently working with the relevant organizations to mitigate the problem as far as possible.
How to avoid Darkhotel's traps
When traveling, any network, including hotel networks, should be treated as potentially hostile. The Darkhotel case demonstrates an evolving form of attack. People holding valuable information can easily fall victim to Darkhotel, since the campaign is still active, or to a similar attack. To avoid falling victim to such attacks, Kaspersky Lab advises users to:
- Choose a Virtual Private Network (VPN) provider that offers an encrypted communication channel when accessing public or semi-public Wi-Fi networks.
- Always be suspicious of software updates when traveling. Users should confirm that the proposed update installer is signed by the respective manufacturer.
- Ensure that their security solution includes proactive defense functions against new threats, not just basic antivirus protection.
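The second piece of advice, checking that an update installer is signed by the vendor, can be scripted on Windows. The following is an added example, not Kaspersky's code and not part of the original article; the installer path and the expected publisher name are assumptions you set for the vendor in question. Because the article notes that Darkhotel's keylogger was itself digitally signed, the check refuses any file whose signer is not the expected publisher, rather than accepting any valid signature.

```powershell
# Added example (not from the Kaspersky report): refuse to run a downloaded
# "update" unless it carries a valid Authenticode signature from the vendor
# you expect. $ExpectedPublisher is an assumption you supply per vendor.
function Test-UpdateInstaller {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Expected Common Name on the signing certificate (e.g. the vendor's name).
        [Parameter(Mandatory)] [string] $ExpectedPublisher
    )

    if (-not (Test-Path -Path $Path -PathType Leaf)) {
        return [pscustomobject]@{ Path = $Path; Trusted = $false; Reason = 'File not found' }
    }

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # 'Valid' means the chain ends at a trusted root and the file hash matches.
    # 'NotSigned', 'HashMismatch', 'NotTrusted' and 'UnknownError' are all refusals.
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{ Path = $Path; Trusted = $false; Reason = "Signature status: $($sig.Status)" }
    }

    # A valid signature alone is not enough: signed malware exists, so the
    # signer must also be the publisher you expected for this update.
    $signer = $sig.SignerCertificate.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    if ($signer -ne $ExpectedPublisher) {
        return [pscustomobject]@{ Path = $Path; Trusted = $false; Reason = "Unexpected signer: $signer" }
    }

    return [pscustomobject]@{
        Path       = $Path
        Trusted    = $true
        Reason     = "Signed by $signer"
        Thumbprint = $sig.SignerCertificate.Thumbprint
    }
}

# Usage with a hypothetical download path and publisher name:
# Test-UpdateInstaller -Path "$env:USERPROFILE\Downloads\flash_update.exe" -ExpectedPublisher 'Adobe Inc.'
```

For a stricter check, compare the returned Thumbprint against a value obtained from the vendor over a channel other than the hotel network, so that a stolen or look-alike certificate with the same name does not pass.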
More tips for protecting user privacy are available at cybersmart.kaspersky.com/privacy.
Kaspersky Lab's full report on the Darkhotel threat is available at Securelist.