Kaspersky Lab: all the activity of the Darkhotel espionage campaign

Experts from Kaspersky Lab's Global Research and Analysis Team analyzed the espionage campaign named "Darkhotel", which has been operating covertly for the last four years, capturing sensitive data from selected corporate executives traveling abroad.

"Darkhotel" attacks its targets while they are staying in luxury hotels. The campaign's operators never attack the same target twice. They carry out their operations with surgical precision, gathering as much valuable data as they can from the first contact, erasing their tracks and then withdrawing to await the next high-profile victims. The campaign's most recent targets include top executives from the US and Asia who do business and invest in the Asia-Pacific region. These include managing directors, executive vice presidents, sales and marketing managers, and top R&D executives. Kaspersky Lab warns that the threat remains active, and the question is who will be the next target.

How does the hotel attack work?

The Darkhotel actor effectively penetrates hotel networks, gaining wide access even to systems that were considered private and secure. The attackers wait until the victim connects to the hotel's Wi-Fi network, entering the room number and surname when connecting. Once the victim is on the compromised network, the attackers trick them into downloading and installing a backdoor that is presented as a legitimate software update (Google Toolbar, Adobe Flash, or Windows Messenger). The unsuspecting executive downloads the program, infecting the device with a backdoor that is actually Darkhotel's spyware.

Once downloaded to the device, the backdoor is used to download more advanced tools, such as a digitally signed advanced keylogger, the "Karba" Trojan and an information-gathering module. These tools collect data about the system and the anti-malware software installed on it, capture everything the victim types, and search for cached passwords in Firefox, Chrome and Internet Explorer, login credentials for Gmail Notifier, Twitter, Facebook, Yahoo! and Google, and other personal information. As a result, victims lose sensitive information (e.g., their companies' intellectual property). Once the operation is complete, the attackers carefully remove their tools from the hotel network and retreat into the shadows.

Commenting on Darkhotel's activity, Kurt Baumgartner, Principal Security Researcher at Kaspersky Lab, said: "For some years now, a powerful agent named Darkhotel has carried out a series of successful attacks against important people, using methods and techniques that go beyond the typical behavior of a digital killer. Those who unleash the threat have functional, mathematical and crypto-analytical aggressive capabilities, as well as other resources that are sufficient to abuse trusted commercial networks while targeting specific categories of victims with strategic precision."

However, Darkhotel's malicious activity can appear inconsistent: it spreads malicious software indiscriminately while also carrying out highly targeted attacks. More information about the delivery providers of this malicious software is available here.

"The combination of targeted and indiscriminate attacks is more and more common in the field of Advanced Persistent Threat (APT), where targeted attacks are used to harass high-profile victims, while botnet campaigns aim at mass surveillance or performing other tasks, such as DDoS attacks on enemy parties, or simply tracking targets of interest with more sophisticated spy tools," added Kurt Baumgartner.

According to Kaspersky Lab, the attackers left a footprint in a string of their malicious code, which indicates that the actor "speaks" Korean. Kaspersky Lab's products detect and neutralize the malicious programs, and their variants, used by the Darkhotel toolkit. Kaspersky Lab is currently working with the relevant organizations to limit the problem as much as possible.

How to avoid Darkhotel's traps

During a trip, any network, even a hotel's, should be considered potentially dangerous. The Darkhotel case demonstrates an evolving form of attack. Because the campaign is still active, people with valuable information can easily fall victim to Darkhotel or to a similar attack. To avoid falling victim to such attacks, Kaspersky Lab advises users to:

  • Choose a Virtual Private Network (VPN) provider that offers an encrypted communication channel when accessing public or semi-public Wi-Fi networks.
  • Always be suspicious of software updates when traveling. Users should confirm that the proposed installer of an update is signed by the respective manufacturer.
  • Ensure that their security solution includes preventative defense functions against new threats and not just basic antivirus protection.
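
The signature check in the second tip can be scripted on Windows. The following is an added example, not part of the original article or of Kaspersky Lab's guidance. Because the toolkit described above included a digitally signed keylogger, it does not stop at "the signature is valid" but also compares the signer with the publisher the user expects. The function name, the installer path and the publisher placeholder are assumptions made for illustration.

```powershell
# Added example: vet a downloaded "update" installer before running it.
# Test-InstallerPublisher is a hypothetical helper name; the expected
# publisher must come from the vendor's own documentation, not from the
# download page or the installer itself.
function Test-InstallerPublisher {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedPublisher
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "File not found: $Path"
    }

    # Authenticode status: Valid, NotSigned, HashMismatch, NotTrusted, ...
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    $cert = $sig.SignerCertificate

    # Common name of the signing certificate, or $null for unsigned files.
    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $signer = if ($cert) { $cert.GetNameInfo($nameType, $false) } else { $null }

    $reasons = @()
    if ($sig.Status -ne 'Valid') {
        $reasons += "signature status is $($sig.Status)"
    }
    if (-not $cert) {
        $reasons += 'file carries no signer certificate'
    }
    elseif ($signer -ne $ExpectedPublisher) {
        # A valid signature from an unexpected party is still a failure.
        $reasons += "signed by '$signer', expected '$ExpectedPublisher'"
    }

    [pscustomobject]@{
        Path       = $Path
        Status     = $sig.Status
        Signer     = $signer
        Thumbprint = if ($cert) { $cert.Thumbprint } else { $null }
        Trusted    = ($reasons.Count -eq 0)
        Reasons    = $reasons -join '; '
    }
}

# Constructed usage: both the path and the publisher string are placeholders.
Test-InstallerPublisher -Path "$env:USERPROFILE\Downloads\update_installer.exe" `
    -ExpectedPublisher '<publisher name from the vendor documentation>'
```

A result with `Trusted` set to `False` means the installer should not be run on the hotel network; fetch the update later from the vendor's site over a trusted connection.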

More tips for protecting user privacy are available at cybersmart.kaspersky.com/privacy.

Kaspersky Lab's full report on the Darkhotel threat is available at Securelist.


Written by Dimitris
