Darkhotel APT group relied also on Hacking Team’s exploits

Kaspersky revealed provided an update of the report on the Darkhotel APT that targets executives traveling across Asia through hotel internet networks.

In November 2014, Kaspersky Lab published a report on the activities of the Darkhotel APT group. Security experts at Kaspersky Lab uncovered the Darkhotel espionage campaign, which is ongoing for at least four years while targeting selected corporate executives traveling abroad. According to the experts threat actors behind the Darkhotel campaign aim to steal sensitive data from executives while they are staying in luxury hotels, the worrying news is that the hacking crew is still active.

According to the experts, the APT group, which appears to be Korean speaker, used surgical spear phishing attacks to serve malware to victims.

According to an update provided by Kaspersky Lab, the organizations targeted by the DarkHotel APT in 2015 are located in North Korea, Russia, South Korea, Japan, Bangladesh, Thailand, India, Mozambique and Germany.

It’s interesting to note that Darkhotel’s phishing emails contained links to Flash Player exploits disclosed following the data breach suffered by the Hacking Team surveillance firm.

“…at the beginning of July, it began to distribute what is reported to be a leaked Hacking Team Flash 0day. It looks like the Darkhotel APT may have been using the leaked HackingTeam Flash 0day to target specific systems. We can pivot from “tisone360.com” to identify some of this activity. ” Kaspersky wrote in a blog post.

The DarkHotel APT has been using obfuscated HTML Application (HTA) files to serve backdoor and downloader code on infected systems since 2010, now security experts discovered new variants of the malicious HTA files.

“It’s somewhat strange to see such heavy reliance on older Windows-specific technology like HTML applications, introduced by Microsoft in 1999,” experts noted.

The hackers also improved the obfuscation techniques using more efficient evasion methods, in one case analyzed by the experts a signed downloaders was developed to detect known antivirus solutions.

The spear-phishing emails used by the Darkhotel group contain .rar archives that appear to contain a harmless .jpg file. In reality, the file is a .scr executable that appears like a JPEG using a technique known as right-to-left override (RTLO). When the file is opened, an image is displayed in the Paint application, while the malicious code is executed in the background.

Another novelty for the espionage campaign run by the Darkhotel APT group is the use of stolen digital certificates that are used to sign malware.

“The group appears to maintain a stockpile of stolen certificates and deploys their downloaders and the backdoors signed with them. Some of the more recent revoked certificates include ones that belong to Xuchang Hongguang Technology Co. Ltd. Darkhotel now tends to hide its code behind layers of encryption. It is likely that it has slowly adapted to attacking better-defended environments and prefers not to burn these stolen digital certificates,” Kaspersky said.

Stay Tuned, Kaspersky will continue to follow the DarkHotel APT.

Pierluigi Paganini

Security Affairs –  (Darkhotel, cyber espionage)