Darkhotel APT group phases out hotel Wi-Fi infections, brings in Hacking Team zero-day

The Darkhotel APT group swapped out its previous Flash zero-days this past month for an exposed Hacking Team zero-day.

Hackers
Hackers

Already well-known Advanced Persistent Threat (APT) group Darkhotel is slightly altering its techniques and recently integrated a Hacking Team Flash zero-day vulnerability into its primary infection method.

While most of the group's targets are based in Asia, including Japan, both North and South Korea and Thailand, U.S. groups have been included on Darkhotel's signature spear phishing emails, a Kaspersky Lab blog post stated. Although the group maintains much of its attack methodology, it also, until at least July 22, created a website to exploit itsHacking Team zero-day.

Whether the group quickly sifted through the Italian technology firm's information immediately following its breach or was a customer remains unclear, said Kurt Baumgartner, principal security researcher at Kaspersky, during a Monday interview. The site, tisone360[dot]com, was initially used in conjunction with phishing emails to deliver original Flash zero-days, but starting around July 8, the group began exploiting the Hacking Team vulnerability.

Most interestingly to Baumgartner, however, is how the group has responded to an influx of researcher traffic.

In one instance, a researcher, likely running a “noisy scanning research attempt,” visited the site nearly 12,000 times in 30 minutes. After that point, the group reevaluated its publicly available information.

“They reviewed their site and typed up configuration, so they could hide away what they had on the site,” Baumgartner said. “[It shows they're] reactionary to the researcher community.”

The group, for example, now has one of its Command and Control (C&C) servers respond with images from a cartoon while others  try to blend in with “random sites on the web when incorrect or missing pages are visited.”

Kaspersky documented possible researchers from Germany, Ukraine and Ireland visiting the site. The security firm won't speculate on the operator behind Darkhotel, but Baumgartner noted that targets are often the biggest giveaway.

Beyond anything else, spear-phishing appears to be the group's greatest asset and effective infection technique.

“Spearphishing awareness is more and more necessary with these sorts of persistent actors,” Baumgartner said.

First published in our sister publication SC Magazine.