The DarkHotel APT criminals are back, with a novel approach that appears to mark a significant step forward for the group.
DarkHotel is famous for infiltrating Wi-Fi networks in luxury hotels to compromise select corporate executives (especially corporate research and development personnel, CEOs and other senior officials). Here, the group is using the Inexsmar malware as part of a multi-pronged infection gambit, according to Bitdefender. The attack chain involves whaling and high-level spear phishing techniques, along with other complex attack avenues (such as digital certificate factoring).
What’s significant is that the DarkHotel group typically leverages zero-day exploits and usually compromises hotel Wi-Fi hotspots to deliver them, so the current campaign is a major departure from its modus operandi. Also, traditionally, DarkHotel operators have been known to pick targets that have access to information of significant commercial value, such as prototypes, intellectual property or software source code, Bitdefender noted. The latest effort, however, appears to have other motivations.
“Whilst similar malware attacks have been perpetrated by DarkHotel operators since around 2011, Inexsmar, in particular, seems focused on political targets rather than financial gains,” the firm said, in a whitepaper shared with Infosecurity. “And, unlike any other known DarkHotel campaigns, it uses a new payload delivery mechanism, rather than the consecrated zero-day exploitation techniques. The campaign blends social engineering with a relatively complex trojan to infect its selected pool of victims.”
As the stakes of such operations are extremely high, the group seems to be tailoring and improving its attack vectors as time goes on. Zero-day exploits, the use of stolen or factored digital certificates, and layered encryption for samples are just a few of the milestones the DarkHotel group has reached in almost a decade of operation, Bitdefender said.
“We presume that this method of pairing social engineering with a multi-stage Trojan downloader is also an evolutionary step to keep their malware competitive as their victims’ defenses improve,” the firm said. “This approach serves their purpose much better as it both assures the malware stays up-to-date via system persistence—not achievable directly using an exploit, and giving the attacker more flexibility in malware distribution (the domains don’t have to be up all the time—not achievable directly using an exploit).”