SafeUM
Home Blog Services Download Help About Recharge

Axarhöfði 14, 110 Reykjavik, Iceland

Iceland - 2015
SafeUM
Blog
Services
Download
Help
About
Recharge
Menu
Archive
TOP Security!
11 Nov 2014

DarkHotel: a spy campaign in luxury Asian hotels

Cyberespionage is the weapon of choice in the 21st century. Even a seemingly harmless mobile app is able to find out quite a few secrets that a careless user might reveal, let alone full-scale surveillance campaigns specifically targeted at representatives of major businesses and government organizations.

This autumn’s newest revelation is the discovery of a spy network, dubbed ‘Darkhotel’, which had been active for seven years in a number of Asian hotels. Furthermore, smart and professional spies involved in this long-running operation created a comprehensive toolkit consisting of various methods that can be used to break into victims’ computers.

The FBI first mentioned the attacks on guests that were staying in the hotels in question in 2012. However, the malware used over the course of Darkhotel’s activity (a.k.a. Tapaoux) have been popping up here and there as early as 2007.

Having studied the logs of C&C servers used to manage the campaign, security researchers discovered connections dating back to January 1, 2009. With all of the above in mind, the campaign appears to have been active for quite a while.

The main method of infiltration into the victim’s PC was through Wi-Fi networks in a number of luxury Asian hotels. Cybercriminals used zero-day exploits in Adobe Flash and other popular products by renowned vendors. Such vulnerabilities are not easy to find, which proves the fact that either rich sponsors, who can afford to purchase quite an expensive cyber weapon, were behind the operation, or the high level of professionalism of the agents that were involved in the campaign. Likely both.

The aforementioned method of dropping spyware was the most frequently used, yet not the only, way for the criminals to handle the operation, which suggests that they were employed by hotels. The alternative involves a Trojan, distributed through torrent clients, as part of a compromised archive of adult-rated comics in Chinese. Also the cyberspies used targeted phishing, sending compromised emails to employees of state and non-profit organizations.

Many facts, besides the use of zero-day vulnerabilities, prove the high level of awareness of the cybercriminals. They went as far as to succeed in forging digital security certificates they used for their malware. To spy on communication channels used by their victims, criminals used a sophisticated keylogger. The spyware employed an integrated module to snatch passwords saved in popular browsers.

Strangely, the culprits were extremely cautious and designed a number of measures to prevent the detection of the malware. Firstly, they ensured the virus had a very long ‘incubation period’: the first time the Trojan connected to the C&C servers was 180 days after it had infiltrated the systems. Secondly, the spyware program had a self-destruction protocol if the language of the system changed to Korean.

The criminals were mainly operating in Japan, as well as in neighboring Taiwan and China. However, it was managed to detect attacks in other countries, including those very far from the territories, which were an interest for the culprits.

Commenting on Darkhotel researcher said: “For the past few years, a strong actor named Darkhotel has performed a number of successful attacks against high-profile individuals, employing methods and techniques that go well beyond typical cybercriminal behavior. This threat actor has operational competence, mathematical and crypto-analytical offensive capabilities, and other resources that are sufficient to abuse trusted commercial networks and target specific victim categories with strategic precision.”

Tags:
Wi-Fi fraud surveillance Asia DarkHotel
Source:
Kaspersky Daily
Author:
Alex Drozhzhin
2279
Other NEWS
3 Jul 2020 safeum news imgage An encrypted messaging service has been infiltrated by police
4 May 2020 safeum news imgage Two-Factor Authentication ​What Is It and Why You Should Use It
12 Dec 2019 safeum news imgage Encryption is under threat - this is how it affects you
4 Nov 2019 safeum news imgage Should Big Decisions Be Based on Data or Your Intuition?
7 Jun 2018 safeum news imgage VPNFilter malware infecting 500,000 devices is worse than we thought
4 Jun 2018 safeum news imgage Hackers target Booking.com in criminal bid to steal hundreds of thousands from customers
1 Jun 2018 safeum news imgage Operator of World's Top Internet Hub Sues German Spy Agency
30 May 2018 safeum news imgage US says North Korea behind malware attacks
29 May 2018 safeum news imgage Facebook and Google targeted as first GDPR complaints filed
25 May 2018 safeum news imgage A new reason to not buy these cheap Android devices
24 May 2018 safeum news imgage Flaws in smart pet devices, apps could come back to bite owners
23 May 2018 safeum news imgage Google sued for 'clandestine tracking' of 4.4m UK iPhone users' browsing data
21 May 2018 safeum news imgage LocationSmart reportedly leaked phone location data onto the web
18 May 2018 safeum news imgage The SEC created its own scammy ICO to teach investors a lesson
17 May 2018 safeum news imgage Thieves suck millions out of Mexican banks in transfer heist
All news
SafeUM
Confidential Terms of Use Our technologies Company
Follow us
Download
SafeUM © Safe Universal Messenger

Axarhöfði 14,
110 Reykjavik, Iceland

Iceland - 2015