Kaspersky Lab: all the activity of the Darkhotel espionage campaign

Kaspersky Lab's Global Research and Analysis Team analyzed the espionage campaign called "Darkhotel", which has been operating covertly for the last four years, capturing sensitive data from selected corporate executives traveling abroad.

Darkhotel attacks its targets during their stay in luxury hotels. The campaign's operators never attack the same target twice. They perform their operations with surgical precision, collecting as much valuable data as they can from the first contact, erasing their traces and then withdrawing to wait for the next high-ranking victims. The most recent targets of the campaign include top executives from the US and Asia who do business and invest in the Asia-Pacific region. These include CEOs, executive vice presidents, sales and marketing executives, and top R&D executives. Kaspersky Lab warns that the threat remains active and the question is what the next target will be.

How does the attack on hotels work?

The Darkhotel actor effectively infiltrates hotel networks, gaining extensive access even to systems that were thought to be private and secure. The attackers wait until the victim connects to the hotel's Wi-Fi network, entering their room number and last name when connecting. Once the victim is on the compromised network, they are tricked into downloading and installing a backdoor posing as an updated version of legitimate software (Toolbar, Adobe Flash or Windows Messenger). Unsuspecting executives download the program, infecting their device with a backdoor, which is actually Darkhotel's spyware.

Once downloaded to the device, the backdoor is used to download more advanced tools, such as an advanced digitally signed keylogger, "Karba", and an information-stealing module. These tools collect data about the system and the anti-malware software installed on it, capture everything the victim types, and look for cached passwords in Firefox, Chrome and Internet Explorer, login credentials for Gmail Notifier, Twitter, Facebook, Yahoo! and Google, and other personal information. As a result, victims lose sensitive information (e.g. their companies' intellectual property). Once the operation is complete, the attackers carefully delete their tools from the hotel network and go back into the shadows.

Commenting on Darkhotel's activity, Kurt Baumgartner, Principal Security Researcher at Kaspersky Lab, said: "For some years now, a powerful agent named Darkhotel has carried out a series of successful attacks against important people, using methods and techniques that go beyond the typical behavior of a digital killer. Those who unleash the threat have functional, mathematical and crypto-analytical aggressive capabilities, as well as other resources that are sufficient to abuse trustful commercial networks while targeting specific categories of victims with strategic precision."

However, Darkhotel's malicious activity can be inconsistent: it distributes malicious software indiscriminately while also performing highly targeted attacks. More information about the delivery providers of this malicious software is available here.

“The combination of targeted and indiscriminate attacks is appearing more and more often in the Advanced Persistent Threat (APT) landscape, where targeted attacks are used to compromise high-profile victims, while botnet-style campaigns are intended for mass surveillance or to perform other tasks, such as DDoS attacks on hostile sites, or simply to track interesting targets with more sophisticated spying tools,” Kurt Baumgartner added.

According to Kaspersky Lab researchers, the attackers left a footprint in a string within their malicious code, which indicates that the actor "speaks" Korean. Kaspersky Lab products detect and neutralize the malware in Darkhotel's toolkit and its variants. Kaspersky Lab is currently working with the relevant organizations to mitigate the problem as much as possible.

How to avoid Darkhotel's traps

During a trip, any network, even a hotel's, should be considered potentially dangerous. The Darkhotel case demonstrates an evolving form of attack. People holding valuable information can easily fall victim to Darkhotel, as the campaign is still active, or to a similar attack. To avoid falling victim to such attacks, Kaspersky Lab advises users to:

  • Choose a Virtual Private Network (VPN) provider that offers an encrypted communication channel when accessing public or semi-public Wi-Fi networks.
  • Always treat software updates as suspect when traveling. Users should confirm that the proposed installer of an update is signed by the respective manufacturer.
  • Ensure that their security solution includes preventative defense functions against new threats and not just basic antivirus protection.
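
The signature check from the second tip can be scripted on Windows. The following is an added example, not code from Kaspersky Lab or from this article; the function name `Test-InstallerPublisher`, its parameters and the sample path and publisher are hypothetical. Because the article notes that Darkhotel's own keylogger was digitally signed, the check compares the signer with the publisher you expect instead of accepting any valid signature.

```powershell
# Added example: verify an update installer's Authenticode signature AND its publisher.
# Function name, parameters and sample values are hypothetical.
function Test-InstallerPublisher {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Publisher name you expect, taken from the vendor's own site (assumption).
        [Parameter(Mandatory)] [string] $ExpectedPublisher,
        # Optional pin, if the vendor publishes its signing certificate thumbprint.
        [string] $ExpectedThumbprint
    )

    $sig     = Get-AuthenticodeSignature -LiteralPath $Path
    $reasons = @()

    # 'Valid' means the file hash matches and the chain ends at a trusted root.
    if ($sig.Status -ne 'Valid') {
        $reasons += "signature status is '$($sig.Status)': $($sig.StatusMessage)"
    }

    $signer = $null
    if ($sig.SignerCertificate) {
        $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
        $signer   = $sig.SignerCertificate.GetNameInfo($nameType, $false)
        # A valid signature from an unexpected publisher is still a failure.
        if ($signer -ne $ExpectedPublisher) {
            $reasons += "signed by '$signer', expected '$ExpectedPublisher'"
        }
        if ($ExpectedThumbprint -and
            $sig.SignerCertificate.Thumbprint -ne $ExpectedThumbprint) {
            $reasons += 'signing certificate thumbprint does not match the pinned value'
        }
    } else {
        $reasons += 'file carries no signer certificate'
    }

    [pscustomobject]@{
        Path       = $Path
        Trusted    = ($reasons.Count -eq 0)
        Signer     = $signer
        Thumbprint = $sig.SignerCertificate.Thumbprint
        Reasons    = $reasons
    }
}

# Constructed usage (placeholder path and publisher):
# Test-InstallerPublisher -Path 'C:\Users\Public\Downloads\update_setup.exe' `
#     -ExpectedPublisher 'Example Vendor, Inc.'
```

An installer offered by a hotel network that returns `Trusted = $false` should not be run; fetch the update later from the vendor's site over a trusted connection.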

More tips for protecting user privacy are available at cybersmart.kaspersky.com/privacy.

Kaspersky Lab's full report on the Darkhotel threat is available at Securelist.

iGuRu.gr The Best Technology Site in Greece

Written by Dimitris