DarkHotel APT group leverages new methods to target politicians

According to Bitdefender, DarkHotel APT is back and it is targeting government employees with an interest in North Korea with a technique dubbed inexsmar.

According to the security firm Bitdefender, the DarkHotel APT is back and it is targeting government employees with an interest in North Korea with new techniques.

The hackers’ victims have been discovered in several countries, including North Korea, Russia, South Korea, Japan, Bangladesh, Thailand, Taiwan, China, the United States, India, Mozambique, Indonesia and Germany.

The first Darkhotel espionage campaign was spotted by experts at Kaspersky Lab in late 2014, according to the researchers the APT group has been around for nearly a decade while targeting selected corporate executives traveling abroad. According to the

According to the experts, threat actors behind the Darkhotel campaign aimed to steal sensitive data from executives while they are staying in luxury hotels, the worrying news is that the hacking crew is still active.

The attackers appeared high skilled professionals that exfiltrated data of interest with a surgical precision and deleting any trace of their activity. The researchers noticed that the gang never go after the same target twice. The list of targets includes  CEOs, senior vice presidents, top R&D engineers, sales and marketing directors from the USA and Asia traveling for business in the APAC region.

Security researchers believe the APT group members are Korean speakers.

The attackers leveraged several methods to hack into the target systems, including zero-day exploits and used as the attack vectors peer-to-peer (P2P) file sharing websites and hotel’s Wi-Fi.

Now the Darkhotel group was using new attack methods and an exploit leaked from Italian surveillance firm Hacking Team.

The attack technique used in recent attacks was dubbed Inexsmar and it was observed in targeted attacks against political figures.

“Our threat researchers have come across a very particular DarkHotel attack known as Inexsmar, which appears to mark a significant departure from the APT group’s traditional modus operandi. This sample dates back to September 2016 and seems to be used in a campaign that targets political figures rather than the usual  corporate research and development personnel, CEOs and other senior corporate officials.” reads the analysis published by BitDefender.

“This attack uses a new payload delivery mechanism rather than the consacrated zero-day exploitation techniques, blending social engineering with a relatively complex Trojan to infect its selected pool of victims.”

Hackers spread a Trojan downloader via phishing emails, the malicious code is used to gather information on the infected device and sends it back to attackers. If the infected systems meet specific requirements a first stage downloader, disguised as a component of OpenSSL, is fetched. In this phase, the malicious code opens a document titled “Pyongyang e-mail lists – September 2016,” that contains email contacts for various organizations in Pyongyang.

The attack stops if the requirements are not satisfied, otherwise, another payload is delivered.

Unfortunately, at the time of the investigation, the C&C server was offline and researchers were not able to collect further details about the attack.

The use of a multi-stage downloader represents the major improvement compared to the use of exploits because it allows attackers to improve the distribution and the update of the malware.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs –  (Darkhotel, cyber espionage)

[adrotate banner=”13″]