"Darkhotel" attacks again

Following the hack of the Italian company Hacking Team, a supplier of spy software for governments and law enforcement agencies, which became public in early July 2015, some cyber espionage groups are now using the captured tools for their malicious attacks.

Figure: Kaspersky

The exploits target vulnerabilities in Adobe Flash Player and Windows. At least one of them is being used by the powerful Darkhotel group, which has deployed it in a renewed and intensified campaign against executives, mostly in hotels.

This is not the first time "Darkhotel" has used zero-day vulnerabilities. Kaspersky Lab believes that the cyber espionage group has deployed a good half-dozen zero-day exploits in recent years, primarily targeting Adobe Flash Player. To procure them, "Darkhotel" has apparently invested considerable sums of money. With the current wave of attacks in 2015, the group expanded its reach around the world, carrying out targeted spearphishing attacks on victims from Germany as well as North and South Korea, Russia, Japan, Bangladesh, Thailand, India, and Mozambique.

Involuntary help

The Darkhotel group, which specializes in APT (advanced persistent threats) attacks, has been active for almost eight years. Their methods include the use of social engineering techniques, stolen security certificates and compromising WLAN networks in hotels. What is new now is the use of zero-day exploits from Hacking Team's inventory. Here is an overview of the methods:

  • The group continues to use stolen certificates from its stock. They are used for the downloaders and backdoor Trojans so that the attacked system takes them for legitimate software. The most recently used certificates are from Xuchang Hongguang Technology Co. Ltd.
  • Relentless spearphishing: Darkhotel's APT attacks hit the same target repeatedly, several months apart, using the same social engineering schemes.
  • Use of a zero-day exploit: the compromised website "tisone360.com" hosts a whole arsenal of backdoor Trojans and exploits, including Hacking Team's zero-day exploit.

"Darkhotel is back with another exploit for Adobe Flash Player, and this time the exploit appears to be related to the Hacking Team leak," said Kurt Baumgartner, Principal Security Researcher at Kaspersky Lab.

An analysis of the recent "Darkhotel" attacks is available here.
