DARKHOTEL

According to Kaspersky Lab, the Dark Hotel group may have been stealing confidential documents from the secured computers of travelling executives since 2007. Researchers believe the group is Korean in origin, in part because variants of the malware were designed to shut down and remove themselves from the host if the infected system's code page was set to Korean. Further, the kernel-mode keylogger used in Dark Hotel attacks contains Korean characters in its code and may be tied to a South Korean programmer. Since the group still targets North Koreans, one could suppose that it originates in South Korea. Its campaigns use a sophisticated keylogger and extensive infrastructure to steal, from employees of other nations, confidential information directly relevant to South Korea. Consequently, there is a strong likelihood that the Dark Hotel group is a partially or fully state-sponsored threat actor. Names associated with the group include Tapaoux, Nemim, Pioneer, and Karba.
The Dark Hotel group targets high-profile executives, sales and marketing employees, R&D staff, and government employees from North Korea, Japan, India, and the United States. Notably, targets tend to be from the Asian nations with nuclear capabilities and the United States. The group often targets guests staying at luxury hotels in Asia; a smaller number of hotels in the United States have also been infected. Overall, fewer than two dozen hotel network compromises have been discovered, but it is possible that many breaches remain undiscovered or unreported. Hotels appear to be targeted based on the expectation that specific individuals will be staying there in the near future. Evidence suggests that the adversary knows the targets' personal information, the hotel at which each target will stay, and the duration of the stay. The attacks may target specific individuals or all individuals who try to connect within a specific period. It is possible that the hotel attacks are aimed at those unlikely to fall for a spear-phishing campaign. Specific targets may be located by their Wi-Fi connection on the network, which is often secured with a password built from the guest's surname and room number. The actor either targets the hotel network directly or, on occasion, compromises the third party that manages Wi-Fi for multiple hotels. The malware is distributed across the network either before the staff arrive at work or after they leave. When the target's stay ends, the adversary removes all or most traces of the attack from the hotel network; neither backdoors nor tools are left behind.
Upon connecting to the hotel Wi-Fi, targeted users encounter a malicious iframe that redirects their browsers to fake update installers. Victims see a pop-up for a software update (Adobe Flash, Google Toolbar, Windows Messenger, etc.) that is actually a malicious executable piggybacking on a legitimate update installer. The installer delivers one of the group's backdoors to the victim system. Supposedly, the malicious download proceeds even if the user becomes suspicious and attempts to terminate the Wi-Fi connection. In 2015, the group may have begun infecting mobile devices through the same process. The malware remains dormant for an estimated six months before data collection and exfiltration begin. This precaution evades corporate IT efforts to scan a travelling executive's computer upon return to the home network.
In addition to the hotel attacks, the group infects victims through spear-phishing attacks and P2P networks. The spear-phishing attacks target a specific victim at a specific hotel, while the P2P campaigns infect as many hosts as possible with botnet malware. The spear-phishing campaigns typically target the defense sector, NGOs, and government entities. The lure emails carry subjects related to nuclear energy or weapon capabilities. If the target ignores the spear-phishing email, the group waits (up to a month) and then tries again. The emails contain links that redirect victims to landing pages that deliver zero-day exploits; sometimes an attachment containing an Adobe zero-day exploit is included instead. Recently, some of the emails have also relied on (former) zero-day exploits that were revealed in the Hacking Team breach, or have delivered malicious code disguised as .hta files. In the P2P campaigns, the adversary compromises a swath of users through infected torrented material. One example of how the adversary deploys malware along the P2P attack vector was caught by Kaspersky Lab in 2013 – 2014. In this case, the malicious actor seeded Japanese explicit comic book sites with the Karba trojan so that the malware would be widely distributed when torrent users downloaded the pornographic material as RAR archives through their torrent clients. The archive in question was downloaded over 30,000 times over a six-month period. Even if the attack was only marginally successful and the malware installed on only a fraction of victim systems, the attacker still gained a sizable botnet. Considering that the adversary could run numerous similar attacks simultaneously, it is safe to speculate that the actor can leverage an enormous botnet in attacks. If an infected host contains interesting information, the actor uses the botnet to install a backdoor and a more sophisticated toolkit on the system so that documents and data can be exfiltrated.
The malware appears as legitimate software verified by legitimate certificates. The adversary did not steal these certificates. Instead, the actors generated 22 certificates by abusing certificate authorities (DigiCert Sdn. Bhd., which belonged to the Malaysian government, and Deutsche Telekom) that were using weak 512-bit signing keys. To generate valid certificates, the actor simply factored the weak 512-bit RSA signing keys. Some recent malware and backdoors attributed to the group have featured SHA1 and RSA 2048-bit certificates, which may have been stolen or generated from a different source.
The group's toolkit predominantly relies on a sophisticated 300 kb kernel-mode keystroke logger, which operates at the system core instead of at the application layer; as a result, it bypasses most security and detection systems. The keylogger's driver installs as the system kernel driver service "Ndiskpro", a self-described Microcode Update Device. The keylogger retrieves data directly from the motherboard controller at port 0x60. A moniker in the keylogger's source code attributes it to "Chpie," a South Korean coder. The data is transferred to the user-mode component, where it is encrypted (with an RC4-like cipher) and written to a randomly named temporary (.tmp) file located in the same directory as the initial dropper, which maintains persistence across reboots by amending the HKCU run key. The toolkit also contains an information stealer, the Karba trojan, research-environment detection mechanisms, and selective infectors, droppers, and self-injectors. The information stealer collects passwords and user credentials stored in browsers for email clients and social media accounts. The Karba trojan collects system data and information about installed anti-virus software. The primary dropper (detected as Virus.Win32.Pioneer.dx) drops the selective infector (igfxext.ece) to disk and runs it. The selective infector, true to its nature as a virus, spreads to other computers through the network or through shared USB devices. It also collects information and sends it back to the C2 infrastructure. At least nine different backdoors have been used in conjunction with the toolkit.
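The certificate and keylogger details above translate into concrete host-hunting checks. The following is an added example, not code from the Kaspersky report or from any Dark Hotel sample: it runs three defender checks over constructed sample data shaped like the output of a host-collection script (a service list, HKCU Run entries with a snapshot of the directories they point at, and Authenticode signer metadata). The record layout, the helper names and the sample host are assumptions for illustration; the indicator strings (the "Ndiskpro" service and its "Microcode Update Device" description, the igfxext.ece infector, persistence via the HKCU Run key, random-named .tmp output beside the dropper, and 512-bit RSA signing keys) come from the profile.

```python
"""Hunt for host artifacts matching the Dark Hotel tradecraft in the profile.

Added example with constructed sample data; record layouts are assumed.
"""
import ntpath
import re

# Indicators taken from the profile.
SUSPECT_SERVICE_NAMES = {"ndiskpro"}
SUSPECT_SERVICE_DESCRIPTIONS = {"microcode update device"}
SUSPECT_BINARIES = {"igfxext.ece"}

# Autorun locations a legitimate installer rarely uses (assumed policy).
USER_WRITABLE_DIRS = ("\\appdata\\local\\temp\\", "\\users\\public\\")
# Random-looking temp file names like the keylogger's encrypted output.
RANDOM_TMP = re.compile(r"^[a-z0-9]{6,}\.tmp$", re.IGNORECASE)

# Code-signing policy: 512-bit RSA keys are factorable, SHA1 is deprecated.
MIN_RSA_BITS = 2048
WEAK_DIGESTS = {"sha1", "md5"}


def check_services(services):
    """services: list of {"name", "description", "image"} dicts.
    Returns (service_name, reason) findings for the keylogger driver."""
    findings = []
    for svc in services:
        name = svc.get("name", "").lower()
        desc = svc.get("description", "").lower()
        if name in SUSPECT_SERVICE_NAMES:
            findings.append((svc["name"], "service name matches keylogger driver"))
        elif desc in SUSPECT_SERVICE_DESCRIPTIONS:
            findings.append((svc["name"], "service description matches keylogger driver"))
    return findings


def _image_path(command):
    """Extract the executable path from a Run-key command line (quoted or not)."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    return command.split(" ")[0]


def check_run_keys(run_entries, dir_listing):
    """run_entries: list of (value_name, command) from the HKCU Run key.
    dir_listing: {directory: [filenames]} snapshot of the launch directories.
    Flags the known infector name, autoruns from user-writable paths, and
    random-named .tmp files sitting beside the autorun binary."""
    listing = {k.lower(): v for k, v in dir_listing.items()}
    findings = []
    for value_name, command in run_entries:
        image = _image_path(command)
        directory, basename = ntpath.split(image)
        if basename.lower() in SUSPECT_BINARIES:
            findings.append((value_name, "launches known selective infector binary"))
        if any(d in image.lower() for d in USER_WRITABLE_DIRS):
            findings.append((value_name, "autorun from user-writable directory"))
        tmps = [f for f in listing.get(directory.lower(), []) if RANDOM_TMP.match(f)]
        if tmps:
            findings.append((value_name, "random-named .tmp files beside autorun: %s" % tmps))
    return findings


def check_signers(signers):
    """signers: list of {"file", "key_algo", "key_bits", "digest"} records
    describing each binary's Authenticode signature."""
    findings = []
    for s in signers:
        if s["key_algo"].upper() == "RSA" and s["key_bits"] < MIN_RSA_BITS:
            findings.append((s["file"], "RSA signing key of %d bits below policy" % s["key_bits"]))
        if s["digest"].lower() in WEAK_DIGESTS:
            findings.append((s["file"], "weak signature digest %s" % s["digest"]))
    return findings


def hunt(host):
    """Run all checks over one host record; returns a list of findings."""
    return (check_services(host["services"])
            + check_run_keys(host["run_entries"], host["dir_listing"])
            + check_signers(host["signers"]))


# Constructed sample host: one benign service and autorun, one of each indicator.
SAMPLE_HOST = {
    "services": [
        {"name": "Ndiskpro", "description": "Microcode Update Device",
         "image": "C:\\Windows\\System32\\drivers\\ndiskpro.sys"},
        {"name": "Spooler", "description": "Print Spooler",
         "image": "C:\\Windows\\System32\\spoolsv.exe"},
    ],
    "run_entries": [
        ("OneDrive", '"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background'),
        ("igfx", '"C:\\Users\\alice\\AppData\\Local\\Temp\\igfxext.ece"'),
    ],
    "dir_listing": {
        "C:\\Users\\alice\\AppData\\Local\\Temp": ["igfxext.ece", "a7f3k9q2.tmp", "setup.log"],
        "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive": ["OneDrive.exe"],
    },
    "signers": [
        {"file": "C:\\Users\\alice\\Downloads\\FlashUpdate.exe",
         "key_algo": "RSA", "key_bits": 512, "digest": "sha1"},
        {"file": "C:\\Windows\\System32\\spoolsv.exe",
         "key_algo": "RSA", "key_bits": 2048, "digest": "sha256"},
    ],
}

if __name__ == "__main__":
    for subject, reason in hunt(SAMPLE_HOST):
        print("%-40s %s" % (subject, reason))
```

The service check matches on the description as well as the name because a renamed driver that keeps its self-description is a cheap variation for an operator; the Run-key check looks only at Temp and Public rather than all of AppData so that ordinary per-user installers such as the OneDrive entry in the sample do not generate noise. The signer check is the policy a code-signing audit would apply in any case, and it would have flagged every one of the 22 factored-key certificates.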
No server-level backdoors were discovered on the hotel networks. Server logs show that the attacker compromised the servers (through a currently unidentified attack vector), infected the target hosts, deleted traces of their presence, and then abandoned the system without leaving a backdoor or other malicious code behind. Since some attacks occurred over years, it is likely that either the attacker deleted their backdoor when they abandoned the server or they had an insider in the target company. Prior to discovery in October 2014, the C2 infrastructure consisted of over 200 servers containing malware, botnet logs, and stolen data. After the campaigns were revealed to the public in late 2014, much of the C2 infrastructure was shut down; however, the group remains active as of 2016 on new infrastructure.