‘Darkhotel’ virus suite targets government and high-ranking hotel guests in Asia
Mon 10 Nov 2014
For the last seven years a sophisticated suite of highly targeted tools and self-maintaining virus and keylogger systems has been aimed at prestigious clients via the Wi-Fi and Ethernet connections of hotel networks across Asia.
Internet security company Kaspersky Labs published its report yesterday on The Darkhotel APT, a systematic security attack suite which is semi-automated but only targets specific hotel guests such as government operatives, Defence Industrial Base representatives, tech entrepreneurs and corporate executives. The attack begins when the guest starts to use hotel-provided internet access, and the discretion with which Darkhotel chooses its targets either indicates external incursion into the hotel’s IT infrastructure; when researching the issue, Kaspersky were unable to attract an attack from the suite in hotels where it was known to strike.
The FBI first reported on the ‘threat actor’ in May 2012, by which time Darkhotel APT had been in active and unreported operation for five years.
The initial attack vector takes place after a guest connects to Wi-Fi, logs in to the hotel network and – depending on whether or not the guest is a ‘target’ – is urged to update a number of popular software items, including Adobe Flash Player, and certain browser plugins.
The investigators discovered that targets would be redirected to Darkhotel installers via hidden iFrames on pages that any guest would consider trustworthy, such as the home page of the hotel on the internal guests’ network. Once the target had checked out, the attack network would automatically delete itself from the hotel’s IT set-up, with a level of efficiency that means several of the identified attacks can only be guessed based on forensic analysis of affected computers.
The attacks are particularly sinister because they incorporate both the generic strategy of a watering-hole’ style attack, insofar as they patiently await their victim, but also the specificity of a spear-phishing approach, where the target guest has been thoroughly researched and groomed for the incursion.
Darkhotel is a curious mix of the specific and the indiscriminate, using its torrented Karba Trojan to deliver the controlling payload to the hotel infrastructure.
The suite’s delivery windows are opportunistic, and its creators have previously exploited zero-day exploits in Adobe products and in Microsoft Internet Explorer. The creators have also used a wide range of genuine but compromised 512-bit security keys to sign its installers and therefore penetrate anti-virus and other protective systems. Additionally there is evidence that the controlling group have stolen certificates to aid distribution. The majority of the compromised security certificates are from GT Cybertrust, though there are others from Equifax, Verisign and Microsoft, including a stronger md5/RSA (1024 bits) certificate.
The suite, which is downloaded piecemeal after initial infection, will eventually install a low-level keylogger called Ndiskpro, which runs as a service and operates at kernel mode, logging keystrokes on port 0x60 on the motherboard’s own keyboard controller. The captured keystrokes are then bundled, compressed and stored to a randomly-named temp file. The infection retains survivability by modifying the HKCU key in the Windows register.
Initial distribution of the Darkhotel package is also reported to have occurred via infected Word documents as well as 0-day swf (Flash) files.
Kaspersky break down the suite into five primary stages – the small downloader (27kb), the information stealer (455kb), the Trojans (Trojan.Win32.Karba.e, 220kb, and the Trojan Dropper, 63kb, which consists of legitimate files which have been infected) and the Selective Infector virus, which controls further distribution and infection to any vulnerable and available network drives, and also sends information on its host to the Darkhotel servers.
The vast majority of attacks recorded by the researchers take place in Japan and diminish in frequency heading west.
What is not addressed in the report – not unreasonably – is any indication of the motives of the Darkhotel creators and operators, who are clearly not casual cybercriminals interested in the short-term gains of financial cybercrime, but rather are seeking confidential government and business information.
In the wake of the investigation many of the infected hotel portals have been cleaned of Darkhotel APT, according to Kaspersky, who also acknowledge that the suite is still in the wild.