For the past four years a group of sophisticated hackers has compromised the networks of luxury hotels to launch malware attacks against corporate executives and entrepreneurs traveling on business in the Asia-Pacific region.
The cyberespionage group, which researchers from Kaspersky Lab dubbed Darkhotel, operates by injecting malicious code into the Web portals used by hotel guests to log in to the local network and access the Internet, typically by inputting their last name and room number.
The infections are typically brief and are meant to target only specific guests by prompting them to download trojanized updates for popular software applications. The rogue software updates deploy malware implants that then download and install digitally-signed information-stealing programs.
“This group of attackers seems to know in advance when these individuals will arrive and depart from their high-end hotels,” the Kaspersky Lab researchers said in a report released Monday. The attackers lie in wait until the travelers arrive and connect to the Internet, the researchers said.
After the victims check out of the hotel, the attackers disable the malicious code injected into the hotel’s network portal and hide their tracks.
“Those portals are now reviewed, cleaned and undergoing a further review and hardening process,” the Kaspersky researchers said.
The Darkhotel group is interesting because it uses a combination of both highly targeted and non-targeted, botnet-style attacks. The cracking of digital certificate keys combined with the use of zero-day vulnerabilities suggests a highly sophisticated team of developers. However, its command-and-control infrastructure is full of weak server configurations and basic mistakes suggesting that a less skilled team is in charge of it.
“Considering their well-resourced, advanced exploit development efforts and large, dynamic infrastructure, we expect more Darkhotel activity in the coming years,” the Kaspersky Lab researchers said in a blog post.
The largest volume of attacks via hotel networks took place between August 2010 and 2013, but incidents were also recorded in 2014 and are currently being investigated.
The group, which is also known as Tapaoux, is believed to have been operating since at least 2007 and has also used other attack techniques over the years including spear-phishing emails with attachments or links that exploited zero-day vulnerabilities in Flash Player and Internet Explorer, and the distribution of malware via poisoned downloads on peer-to-peer networks.
Most of the malicious components used by the Darkhotel attackers are signed with valid digital certificates, either duplicated certificates whose weak 512-bit RSA keys they cracked or certificates that they stole from their rightful owners.
The group’s malware toolset includes a malware downloader; a keylogger; a Trojan program that gathers system information; an information stealer component that collects passwords stored in browsers and other sensitive data; and a file-infecting virus that spreads via USB drives and network shares. These tools are detected as Tapaoux, Pioneer, Karba and Nemim, among other names, the Kaspersky researchers said.
Over 90 percent of malware infections associated with the Darkhotel group were detected in Japan, Taiwan, China, Russia and Korea. However infections were also found in the U.S., the United Arab Emirates, Singapore, Kazakhstan, South Korea, the Philippines, Hong Kong, India, Indonesia, Germany, Ireland, Mexico, Belgium, Serbia, Lebanon, Pakistan, Greece, Italy and other countries.
The targets were from a wide array of industries, including electronics manufacturing, finance, pharmaceuticals, and others. They also included individuals in defense and law-enforcement.