The Global Research & Analysis Team at Kaspersky Lab published a blog post that shows how the Darkhotel advanced persistent threat (APT) group deployed a new variant of malicious HTML application (.hta) files as part of its ongoing attacks, which target users on hotel networks.
Kaspersky first identified the Darkhotel group in late 2014, though it has been active for years. Recently, Kaspersky found the APT attacking organizations located in North Korea, Russia, South Korea, Japan, Bangladesh, Thailand, India, Mozambique and Germany. Although its attack techniques remain the same, Darkhotel has been using one of the Flash zero-day vulnerabilities found in the Hacking Team data breach and malicious .hta files to deploy backdoor and downloader code onto target systems.
"[Darkhotel] emailed links to its malicious .hta files to North Korean tourist groups, economists with an interest in North Korea and more," Kaspersky wrote. "It's somewhat strange to see such heavy reliance on older, Windows-specific technology like HTML applications, introduced by Microsoft in 1999."
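The delivery vector described above is an e-mailed link to, or attachment of, a .hta file. The following is an added example of a mail-gateway style check for that vector; it is not Kaspersky's or the article's code, and the sample messages, the `example.invalid` host names and the function names are constructed for illustration. It flags .hta references in link paths, in percent-encoded or double-extension file names (`Schedule.PDF.HTA`), and in query-string values (`download.php?file=x.hta`), which is slightly broader than the plain links the article mentions.

```python
"""Flag e-mail links and attachment names that point at HTML Application
(.hta) files. Added example for this article; the sample messages below are
constructed and the hostnames are placeholders."""
import re
from urllib.parse import urlparse, unquote

HTA_SUFFIX = re.compile(r"\.hta$", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
TRAILING_PUNCT = ".,;:)"  # punctuation that often follows a link in message text


def is_hta_name(name: str) -> bool:
    """True if a file name ends in .hta after percent-decoding, so that
    'visit%2Ehta' and double extensions such as 'report.pdf.hta' are caught."""
    cleaned = unquote(name).rstrip(TRAILING_PUNCT)
    return bool(HTA_SUFFIX.search(cleaned))


def hta_links(body: str) -> list:
    """Return every URL in the body whose path, or a query-string value,
    names a .hta file."""
    hits = []
    for url in URL_RE.findall(body):
        clean = url.rstrip(TRAILING_PUNCT)
        parts = urlparse(clean)
        if is_hta_name(parts.path):
            hits.append(clean)
            continue
        # e.g. dl.php?file=x.hta: split the decoded query into keys and values
        for value in re.split(r"[&=]", unquote(parts.query)):
            if is_hta_name(value):
                hits.append(clean)
                break
    return hits


def hta_attachments(names) -> list:
    """Return the attachment file names that are .hta files."""
    return [n for n in names if is_hta_name(n)]


def review_message(message: dict) -> dict:
    """Summarise a message as a dict with the .hta links and attachments found
    and a single 'flag' boolean for the gateway policy to act on."""
    links = hta_links(message.get("body", ""))
    attachments = hta_attachments(message.get("attachments", []))
    return {
        "subject": message.get("subject", ""),
        "hta_links": links,
        "hta_attachments": attachments,
        "flag": bool(links or attachments),
    }


# Constructed sample messages (not real lures); hostnames are placeholders.
SAMPLE_MESSAGES = [
    {"subject": "Tour schedule",
     "body": "Please see the itinerary at http://example.invalid/tour/schedule.hta.",
     "attachments": []},
    {"subject": "Conference info",
     "body": "Details: https://example.invalid/info.html",
     "attachments": ["itinerary.pdf"]},
    {"subject": "Updated schedule",
     "body": "Attached as requested.",
     "attachments": ["Schedule.PDF.HTA"]},
    {"subject": "Visit notes",
     "body": "Download: http://example.invalid/dl.php?file=visit%2Ehta",
     "attachments": []},
]


def review_samples() -> list:
    """Run the check over the constructed samples and return the verdicts."""
    return [review_message(m) for m in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for verdict in review_samples():
        print(verdict)
```

The check looks only at names and URLs, so an .hta inside an archive or behind a redirect is not seen; pair it with attachment-type inspection at the gateway and host-side monitoring of HTML application execution.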
Kaspersky said the group has been improving its obfuscation techniques and anti-detection technology as well.
"Darkhotel now tends to hide its code behind layers of encryption," Kaspersky wrote. "It is likely that it has slowly adapted to attacking better-defended environments and prefers not to burn these stolen digital certificates. In previous attacks, it would simply have taken advantage of a long list of weakly implemented, broken certificates."
Dr. Chase Cunningham, threat intelligence lead at FireHost Inc., based in Richardson, Texas, said the use of the new Flash zero-day vulnerability is proof that once the cat is out of the bag, you can't put it back in -- and Darkhotel's targeting scheme is an excellent strategy.
"This group has been working basically to target hotels and places where senior executives stay during travel. And if you think about [it], that is the perfect place to use Hacking Team exploits combined with open Wi-Fi systems," Cunningham said. "You can almost guarantee access to an executive's machine as they traverse those infected travel systems."
Steve McGregory, director of application and threat intelligence at Ixia, based in Calabasas, Calif., said there are a few options to mitigate the risks from Darkhotel attacks while traveling.
"Security-conscious people at Black Hat turn off Wi-Fi, Bluetooth or only utilize secure Wi-Fi along with VPN," McGregory said. "I only utilize my carrier service, tethering the laptop to my phone using USB to get network access. And [I] follow this practice any time I'm traveling, because Darkhotel APT and others find hotel networks to be easy means of accessing high-value targets."