"Darkhotel" attacks again

Following the hack of the Italian company Hacking Team, a supplier of spy software for governments and law enforcement agencies, which became public in early July 2015, some cyber espionage groups are now using the captured tools for their malicious attacks.

Figure: Kaspersky
Figure: Kaspersky

The exploits target vulnerabilities in Adobe Flash Player and Windows. At least one of these exploits is being used by the powerful Darkhotel group, which is again using it to increasingly attack executives, mostly in hotels.

This is not the first time "Darkhotel" has used zero-day vulnerabilities. Kaspersky Lab believes that the cyber espionage group has deployed a good half-dozen zero-day exploits in recent years, primarily targeting Adobe Flash Player. To procure them, "Darkhotel" has apparently invested considerable sums of money. With the current wave of attacks in 2015, the group expanded its reach around the world, carrying out targeted spearphishing attacks on victims from Germany as well as North and South Korea, Russia, Japan, Bangladesh, Thailand, India, and Mozambique.

Involuntary help

The Darkhotel group, which specializes in APT (advanced persistent threats) attacks, has been active for almost eight years. Their methods include the use of social engineering techniques, stolen security certificates and compromising WLAN networks in hotels. What is new now is the use of zero-day exploits from Hacking Team's inventory. Here is an overview of the methods:

  • The group continues to use stolen certificates from its stock. They are used for the downloaders and backdoor Trojans to deceive the attacked system. The recently used certificates are from Xuchang Hongguang Technology Co. Ltd.
  • Relentless spearphishing: Darkhotel's APT attacks occur repeatedly at the same target several months apart, using the same social engineering schemes.
  • Use of a zero-day exploit: the compromised website "tisone360.com" contains the a whole arsenal of backdoor Trojans and exploits, including Hacking Team's zero-day exploit.

"Darkhotel is back with another exploit for Adobe Flash Player, and this time the exploit appears to be related to the Hacking Team leak," said Kurt Baumgartner, Principal Security Researcher at Kaspersky Lab.

An analysis of the recent "Darkhotel" attacks is here available.

(Visited 94 times, 1 visits today)
h2> More articles on the topic

SECURITY NEWS

Bleiben Sie informiert über aktuelle Sicherheitsthemen – praxisnah und zuverlässig. Erhalten Sie exklusive Inhalte direkt in Ihren Posteingang. Verpassen Sie keine Updates.

Jetzt anmelden!
anmelden
You can unsubscribe at any time!
close-link