The evolution of DarkHotel: From Wi-Fi to complex social engineering
The evolution of DarkHotel: From Wi-Fi to complex social engineering

DarkHotel, a cyber-criminal group and a variant of malware by the same name — traditionally deployed Advanced Persistent Threats (APTs) through unsecured WiFi in hotels to target senior business decision makers. Of late though, the group has changed its tactics, and has been actively infecting political figures through spear phishing techniques, and via peer-to-peer networks. A significant departure from the group's traditional modus operandi

Dubbed Inexsmar, this particular strain of malware, discovered by Bitdefender security researchers, takes aim at senior political party members and officials across the world. The new DarkHotel campaign blends social engineering with a relatively complex Trojan to infect its selected pool of victims.

While this particular sample of Inexmar dates back to September 2016, Bitdefender's malware zoo reveals that almost indistinguishable samples of the malware have actually been around since 2011. Its analysis reveals a high degree of similarity between the samples detected, and the First Stage Downloader for the DarkHotel Advanced Persistent Threat — allowing it to link Inexsmar to DarkHotel with a high degree of confidence.

Political officials in the crosshairs

While previous attacks from DarkHotel were quite similar in nature, Inexsmar distinguishes itself from these via a new payload delivery mechanism, via spear phishing, rather than more traditional zero-day exploitation techniques.

Also Inexsmar does not seem to focus on financial gain, but instead on garnering information from political targets, a shift from when DarkHotel used to traditionally attack high level business workers such as CEOs and research and development executives. At present, Bitdefender researchers are still following up with precise analysis as to the group of victims. As with many attacks of this nature, attribution is often difficult, but Inexmar's complexity and cherry-picked victims show that it is likely a state-backed threat whose perpetrators have significant skill and resources.

Complex social engineering

Bitdefender came across the first new incidence of Inexsmar while analysing files that its automated systems had marked as uncommon. What seemed like a regular, unaffiliated piece of malware, actually turned out to be a highly sophisticated attack. What is interesting is that the social engineering element of Inexsmar utilises very carefully crafted spear phishing emails, using legitimate names and email addresses to try and trick the recipient. Due to the specific, and often high-profile political targeting — this attack can be defined as a prime example of ‘whaling'. 

Inexsmar includes an advanced multi-stage downloader as an attachment, and also a decoy file that is opened when the infection starts in order to minimise suspicion. That means the attachment actually displays a valid document, often a Microsoft Word file, so as not to cause any alarm bells for the victim. However, behind the scenes a complex Trojan is installed to open a backdoor into the affected device and start silently siphoning off sensitive information.

Keep an eye on the Wi-Fi

The current campaign is a major departure from DarkHotel's traditional approach, in which the attacker would either have to share the same Wi-Fi connection as their victim, or breach the hotel infrastructure by remotely exploiting vulnerabilities in server software. Inexsmar does away with those hurdles and is often a lot more successful as a result — primarily down to the extensive thought and attention that is put into each whaling email to try and trick the end-user.

It goes without saying that highly-sophisticated malware such as Inexsmar should keep everyone on their toes, and highlights the need to be astute when opening email attachments — even from supposedly trusted parties. Whaling campaigns such as these are unfortunately becoming more commonplace, and are seen as an evolutionary step change for cyber-criminals who are trying to keep one step ahead of their victim's defences.

It therefore imperative that a user of any device in which they access an email client should have an appropriate antivirus solution installed — ideally one which uses machine learning technologies, so they are kept safe from evolving threats such as Inexsmar. Vigilance is key when it comes to attacks which employ social engineering, so always try to be on your guard — especially when you get an unexpected email out of the blue. 

Contributed by Bogdan Botezatu, Senior E-Threat Analyst at Bitdefender


*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.