Menu
Cyberespionage group targets traveling execs through hotel networks

Cyberespionage group targets traveling execs through hotel networks

The group infects the network access Web portals used by hotels and business centers to target specific guests

For the past four years a group of sophisticated hackers has compromised the networks of luxury hotels to launch malware attacks against corporate executives and entrepreneurs traveling on business in the Asia-Pacific region.

The cyberespionage group, which researchers from Kaspersky Lab dubbed Darkhotel, operates by injecting malicious code into the Web portals used by hotel guests to log in to the local network and access the Internet, typically by inputting their last name and room number.

The infections are typically brief and are meant to target only specific guests by prompting them to download trojanized updates for popular software applications. The rogue software updates deploy malware implants that then download and install digitally-signed information-stealing programs.

"This group of attackers seems to know in advance when these individuals will arrive and depart from their high-end hotels," the Kaspersky Lab researchers said in a report released Monday. The attackers lie in wait until the travelers arrive and connect to the Internet, the researchers said.

After the victims check out of the hotel, the attackers disable the malicious code injected into the hotel's network portal and hide their tracks.

"Those portals are now reviewed, cleaned and undergoing a further review and hardening process," the Kaspersky researchers said.

The Darkhotel group is interesting because it uses a combination of both highly targeted and non-targeted, botnet-style attacks. The cracking of digital certificate keys combined with the use of zero-day vulnerabilities suggests a highly sophisticated team of developers. However, its command-and-control infrastructure is full of weak server configurations and basic mistakes suggesting that a less skilled team is in charge of it.

"Considering their well-resourced, advanced exploit development efforts and large, dynamic infrastructure, we expect more Darkhotel activity in the coming years," the Kaspersky Lab researchers said in a blog post.

The largest volume of attacks via hotel networks took place between August 2010 and 2013, but incidents were also recorded in 2014 and are currently being investigated.

The group, which is also known as Tapaoux, is believed to have been operating since at least 2007 and has also used other attack techniques over the years including spear-phishing emails with attachments or links that exploited zero-day vulnerabilities in Flash Player and Internet Explorer, and the distribution of malware via poisoned downloads on peer-to-peer networks.

Most of the malicious components used by the Darkhotel attackers are signed with valid digital certificates, either duplicated certificates whose weak 512-bit RSA keys they cracked or certificates that they stole from their rightful owners.

The group's malware toolset includes a malware downloader; a keylogger; a Trojan program that gathers system information; an information stealer component that collects passwords stored in browsers and other sensitive data; and a file-infecting virus that spreads via USB drives and network shares. These tools are detected as Tapaoux, Pioneer, Karba and Nemim, among other names, the Kaspersky researchers said.

Over 90 percent of malware infections associated with the Darkhotel group were detected in Japan, Taiwan, China, Russia and Korea. However infections were also found in the U.S., the United Arab Emirates, Singapore, Kazakhstan, South Korea, the Philippines, Hong Kong, India, Indonesia, Germany, Ireland, Mexico, Belgium, Serbia, Lebanon, Pakistan, Greece, Italy and other countries.

The targets were from a wide array of industries, including electronics manufacturing, finance, pharmaceuticals, and others. They also included individuals in defense and law-enforcement.


Follow Us

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags securitymalwarespywarekaspersky labExploits / vulnerabilities

Featured

Slideshows

Meet the leading female front runners of the Kiwi channel

Meet the leading female front runners of the Kiwi channel

Reseller News honoured the leading female front runners of the New Zealand channel at the 2018 Women in ICT Awards (WIICTA) in Auckland. The awards honoured standout individuals across seven categories, spanning Entrepreneur; Innovation; Rising Star; Shining Star; Community; Technical and Achievement.

Meet the leading female front runners of the Kiwi channel
Meet the top performing customer-centric Microsoft channel partners

Meet the top performing customer-centric Microsoft channel partners

Microsoft honoured leading partners across the channel following a year of customer innovation and market growth in New Zealand. The 2018 Microsoft Partner Awards recognised excellence within the context of the end-user, spanning a host of emerging and established providers.

Meet the top performing customer-centric Microsoft channel partners
Reseller News launches new-look Awards at 2018 Judges’ Lunch

Reseller News launches new-look Awards at 2018 Judges’ Lunch

Introducing the Reseller News Innovation Awards, launched to the channel at the 2018 Judges’ Lunch in Auckland. With more than 70 judges now part of the voting panel, the new-look awards will reflect the changing dynamics of the channel, recognising excellence across customer value and innovation - spanning start-ups, partners, distributors and vendors.

Reseller News launches new-look Awards at 2018 Judges’ Lunch
Show Comments