Business Execs Targeted By ‘DarkHotel’ Malware While Traveling In Asia

Business executives need to take some precautions when travelling in Asia. According to a report from Kaspersky Lab, an espionage campaign that targets business executives at luxury hotels using “Darkhotel” malware has been active for at least four years.

“For the past few years, a strong actor named Darkhotel has performed a number of successful attacks against high-profile individuals, employing methods and techniques that go well beyond typical cybercriminal behavior,” said Kaspersky Lab principal security researcher Kurt Baumgartner. “This threat actor has operational competence, mathematical and crypto-analytical offensive capabilities, and other resources that are sufficient to abuse trusted commercial networks and target specific victim categories with strategic precision.”

The Darkhotel actor waits until a victim connects to a hotel’s Wi-Fi network, which requires the victim to provide their room number and surname to log in. The attacker then sees the victim on the compromised network and attempts to trick them into downloading and installing a backdoor, which is usually disguised as an update for legitimate software or even a hotel “welcome package.” Once the targeted executive downloads the software, it infects their device with the backdoor.


Once in, the backdoor can be used to download more advanced stealing tools that collect data about the system and the anti-malware software installed on it, steal all keystrokes, and locate cached passwords, login credentials in various browsers and social media apps, and other private information. The attacks then lead to the gathering of sensitive information from the businesses that the victims work for.

However, the Darkhotel attacks are also inconsistent, according to Baumgartner, who added, “The mix of both targeted and indiscriminate attacks is becoming more and more common in the APT scene, where targeted attacks are used to compromise high profile victims, and botnet-style operations are used for mass surveillance or performing other tasks such as DDoSing hostile parties or simply upgrading interesting victims to more sophisticated espionage tools.”

Kaspersky Lab has offered several tips to help avoid falling victim to the Darkhotel attacks:

  • Choose a Virtual Private Network (VPN) provider: you will get an encrypted communication channel when accessing public or semi-public Wi-Fi.
  • When traveling, always regard software updates as suspicious. Confirm that the proposed update installer is signed by the appropriate vendor.
  • Make sure your Internet security solution includes proactive defense against new threats rather than just basic antivirus protection.
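
One way to carry out the signature check from the second tip on a Windows laptop, as an added example that is not part of the original article or of Kaspersky Lab's advice. The function name, publisher string, file path, hash and key-length threshold are placeholders or assumptions chosen for illustration.

```powershell
# Added example: vet a downloaded update installer before running it.
function Test-UpdateInstaller {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedPublisher, # exact CN on the vendor's signing cert
        [string]$ExpectedSha256,                          # optional: hash published by the vendor
        [int]$MinRsaBits = 2048                           # assumption: minimum acceptable key size
    )
    $problems = [System.Collections.Generic.List[string]]::new()
    $sig = Get-AuthenticodeSignature -LiteralPath $Path

    # 1. The signature must validate and chain to a root this machine trusts.
    if ($sig.Status -ne 'Valid') {
        $problems.Add("Signature status is '$($sig.Status)': $($sig.StatusMessage)")
    }
    $cert = $sig.SignerCertificate
    if ($null -eq $cert) {
        $problems.Add('File carries no signer certificate')
    } else {
        # 2. A valid signature from a different publisher is still the wrong software.
        $cn = $cert.GetNameInfo('SimpleName', $false)
        if ($cn -ne $ExpectedPublisher) {
            $problems.Add("Signed by '$cn', expected '$ExpectedPublisher'")
        }
        # 3. Flag short RSA keys on the signing (leaf) certificate only.
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
        if ($rsa -and $rsa.KeySize -lt $MinRsaBits) {
            $problems.Add("Signer RSA key is only $($rsa.KeySize) bits")
        }
    }
    # 4. Compare with a hash obtained out of band, not over the hotel network.
    if ($ExpectedSha256) {
        $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        if ($actual -ne $ExpectedSha256) {
            $problems.Add("SHA-256 is $actual, expected $ExpectedSha256")
        }
    }
    [pscustomobject]@{ Path = $Path; Trusted = ($problems.Count -eq 0); Problems = $problems }
}

# Usage with placeholder values:
# Test-UpdateInstaller -Path "$HOME\Downloads\update-setup.exe" -ExpectedPublisher 'Example Vendor, Inc.'
```

A result with `Trusted = $false` lists each failed check in `Problems`; the safest response while travelling is to discard the file and fetch the update later from the vendor over a trusted connection.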

The group behind the Darkhotel attacks is, according to the security firm, still active. Given that some hotel chains are just starting to switch to a digital check-in process, one has to ask whether this will make such attacks even easier to implement.