DarkHotel, active since at least 2007 and responsible for infecting thousands of victims around the globe, is reappearing with a vengeance. The attacks concentrate mainly on Asia but also include the US. These new attacks use slightly altered techniques to infiltrate networks; most recently, the group has adopted the Flash zero-day that surfaced in the Hacking Team leak as its primary infection method.
The attacks usually target C-level executives in public-facing roles, who travel frequently on business and therefore routinely connect to hotel Wi-Fi and other external networks.
DarkHotel is a targeted campaign that uses spear phishing, spyware and malware to selectively attack business travellers who use a hotel's in-house Wi-Fi network. If you thought the "secure" hotel Wi-Fi, with its usernames and passwords, was enough to keep your information safe, think again: a Wi-Fi login only controls who gets onto the network, it says nothing about what that network serves to you once you are on it.
The methods the attackers use are not something you see every day. In addition to zero-day exploits, they use unusually advanced techniques, including kernel-mode keyloggers and ways of making malicious files pass as legitimate software.
The campaign starts with a broad peer-to-peer distribution phase that aims to infect as many machines as possible. Interesting targets are then handpicked for a second phase, in which the attackers place a backdoor on the system to extract documents and data. The hotel vector works as follows: when a victim connects to the hotel Wi-Fi, a pop-up tells them to update Adobe Flash Player and offers a file that looks authentic. If the victim downloads and runs the file, it installs a Trojan instead of updating the software. Because the pop-up is served by the hotel network while the victim is still joining it, before any Internet access, the Trojan is installed even if the victim never completes the Wi-Fi login.
Jarno Niemelä, security advisor at F-Secure Labs, explains:
The unique feature of DarkHotel is that the attack happens before the computer is connected to the corporate network or the Internet. This means that the protection layers coming from the company network or from security vendors’ cloud servers offer no protection against this malevolent attack.
Even more sinister, the file lies dormant in the system for as long as half a year, escaping the IT security staff’s notice. When DarkHotel finally activates, the attacker is free to do whatever they want in the corporate network.
Being aware of spear phishing techniques and blocking selected content from unknown or suspicious sites are basic steps in fighting attacks such as DarkHotel. In particular, a software update offered by a network you have just joined should be treated as an attack: legitimate updates arrive through the application's own updater or the vendor's site, never through a hotel's login page.
Jarno also has some good news related to content blocking:
The latest security software can offer advanced protection to allow IT staff to block content. When set up correctly, advanced protection stops, for example, .exe files, Java, etc., on the computer, even when it is not under the protection of the corporate network. This way, those responsible for the company's security can make sure that end-users are not accidentally jeopardizing the company network.
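The two points above, the fake "Flash update" pushed by a hotel portal before the laptop has any Internet access and the advice to block executable content regardless of where the machine is, can be turned into a small endpoint-side check. The following is an added example written for this page, not code from the original article or from F-Secure: it judges a download by what the file actually is (its leading bytes) and by where it came from (a hypothetical allowlist of update hosts), and it refuses anything executable while the machine is still behind a captive portal. The probe body, the allowlisted host `updates.vendor.example`, the sample URLs and the byte strings are all constructed for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass
from urllib.parse import urlparse

# Hypothetical allowlist: the only hosts from which executable updates are accepted.
TRUSTED_UPDATE_HOSTS = {"updates.vendor.example"}

# Constructed probe: a plain resource whose exact body the client knows in advance.
PROBE_EXPECTED_BODY = b"probe-ok\n"

EXECUTABLE_KINDS = {"pe", "elf", "zip"}


def sniff_type(data: bytes) -> str:
    """Identify a file by its leading bytes, ignoring whatever name it was given."""
    if data[:2] == b"MZ":
        return "pe"            # Windows executable, DLL or installer
    if data[:4] == b"\x7fELF":
        return "elf"
    if data[:4] == b"PK\x03\x04":
        return "zip"           # also .jar and Office documents; treated as an archive
    if data[:4] == b"%PDF":
        return "pdf"
    return "other"


def behind_captive_portal(status: int, body: bytes, location: str | None = None) -> bool:
    """A network that answers a probe for a known resource with a redirect or a
    different body is interposing on traffic: the machine is not yet on the Internet."""
    if status in (301, 302, 303, 307, 308) or location:
        return True
    return body != PROBE_EXPECTED_BODY


@dataclass
class Verdict:
    allowed: bool
    reason: str


def judge_download(url: str, content: bytes, on_captive_portal: bool) -> Verdict:
    host = (urlparse(url).hostname or "").lower()
    name = urlparse(url).path.rsplit("/", 1)[-1].lower()
    kind = sniff_type(content)

    if kind in EXECUTABLE_KINDS and on_captive_portal:
        # An installer offered before the machine has reached the Internet is the
        # DarkHotel pattern: no cloud reputation, no corporate gateway, no real vendor.
        return Verdict(False, f"{kind} offered while behind a captive portal")
    if kind in EXECUTABLE_KINDS and host not in TRUSTED_UPDATE_HOSTS:
        return Verdict(False, f"{kind} from non-allowlisted host {host!r}")
    if kind == "pe" and not name.endswith((".exe", ".msi", ".dll")):
        # Executable content hiding behind a harmless-looking name.
        return Verdict(False, f"executable content served as {name!r}")
    return Verdict(True, f"{kind} from {host!r}")


# Constructed samples (not real captures). Only the leading bytes matter here.
FAKE_FLASH_UPDATE = b"MZ\x90\x00" + b"\x00" * 60   # PE stub pushed by a hotel portal
LEGIT_UPDATE = b"MZ\x90\x00" + b"\x00" * 60        # same bytes, trusted origin
DISGUISED_PE = b"MZ\x90\x00" + b"\x00" * 60        # PE served under a .pdf name
PLAIN_PDF = b"%PDF-1.7\n%constructed"


def run_samples() -> dict[str, bool]:
    """Evaluate the four constructed cases; True means the download is allowed."""
    portal = behind_captive_portal(
        302, b"<html>Welcome to the hotel network</html>", "http://10.0.0.1/login"
    )
    return {
        "fake_update_on_portal": judge_download(
            "http://10.0.0.1/Adobe_Flash_Player_Update.exe", FAKE_FLASH_UPDATE, portal
        ).allowed,
        "legit_update": judge_download(
            "https://updates.vendor.example/player_setup.exe", LEGIT_UPDATE, False
        ).allowed,
        "disguised_pe": judge_download(
            "https://updates.vendor.example/brochure.pdf", DISGUISED_PE, False
        ).allowed,
        "pdf_on_portal": judge_download("http://10.0.0.1/terms.pdf", PLAIN_PDF, portal).allowed,
    }


if __name__ == "__main__":
    for case, allowed in run_samples().items():
        print(f"{case}: {'allow' if allowed else 'block'}")
```

The order of the checks is deliberate: the captive-portal rule fires first because it is the one that needs no reputation data at all, which is exactly the situation the quote above describes. The host allowlist and the name/content mismatch rule then catch the same installer once the laptop is online, so the "Flash update" is refused whether or not the victim ever got past the hotel's login page.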