Darkhotel is a suspected South Korean threat group that has targeted victims primarily in East Asia since at least 2004. The group's name is based on cyber espionage operations conducted via hotel Internet networks against traveling executives and other select guests. Darkhotel has also conducted spearphishing campaigns and infected victims through peer-to-peer and file sharing networks.[1][2][3]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | Darkhotel has used malware that is disguised as a Secure Shell (SSH) tool.[4] |
| Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | Darkhotel has used AES-256 and 3DES for C2 communications.[6] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Darkhotel has decrypted strings and imports using RC4 during execution.[2][6] |
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Darkhotel has been known to establish persistence by adding programs to the Run Registry key.[1] |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Darkhotel has dropped an mspaint.lnk shortcut to disk which launches a shell script that downloads and executes a file.[2] |
| Enterprise | T1203 | Exploitation for Client Execution | Darkhotel has exploited Adobe Flash vulnerability CVE-2015-8651 for execution.[4] |
| Enterprise | T1083 | File and Directory Discovery | Darkhotel has used malware that searched for files with specific patterns.[6] |
| Enterprise | T1080 | Taint Shared Content | Darkhotel used a virus that propagates by infecting executables stored on shared drives.[1] |
| Enterprise | T1189 | Drive-by Compromise | Darkhotel used embedded iframes on hotel login portals to redirect selected victims to download malware.[1] |
| Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | Darkhotel has obfuscated code using RC4, XOR, and RSA.[2][6] |
| Enterprise | T1204.002 | User Execution: Malicious File | Darkhotel has sent spearphishing emails in an attempt to lure users into clicking on a malicious attachment.[2][6] |
| Enterprise | T1082 | System Information Discovery | Darkhotel has collected the hostname, OS version, service pack version, and the processor architecture from the victim's machine.[2][6] |
| Enterprise | T1124 | System Time Discovery | Darkhotel malware can obtain system time from a compromised host.[8] |
| Enterprise | T1016 | System Network Configuration Discovery | Darkhotel has collected the IP address and network adapter information from the victim's machine.[2][6] |
| Enterprise | T1497 | Virtualization/Sandbox Evasion | Darkhotel malware has employed just-in-time decryption of strings to evade sandbox detection.[8] |
| Enterprise | T1497.001 | Virtualization/Sandbox Evasion: System Checks | Darkhotel malware has used a series of checks to determine if it's being analyzed; checks include the length of executable names, if a filename ends with |
| Enterprise | T1497.002 | Virtualization/Sandbox Evasion: User Activity Based Checks | Darkhotel has used malware that repeatedly checks the mouse cursor position to determine if a real user is on the system.[8] |
| Enterprise | T1518.001 | Software Discovery: Security Software Discovery | Darkhotel has searched for anti-malware strings and anti-virus processes running on the system.[2][4] |
| Enterprise | T1105 | Ingress Tool Transfer | Darkhotel has used first-stage payloads that download additional malware from C2 servers.[4] |
| Enterprise | T1056.001 | Input Capture: Keylogging | |
| Enterprise | T1057 | Process Discovery | Darkhotel malware can collect a list of running processes on a system.[2] |
| Enterprise | T1091 | Replication Through Removable Media | Darkhotel's selective infector modifies executables stored on removable media as a method of spreading across computers.[1] |
| Enterprise | T1566.001 | Phishing: Spearphishing Attachment | Darkhotel has sent spearphishing emails with malicious RAR and .LNK attachments.[2][6] |
| Enterprise | T1553.002 | Subvert Trust Controls: Code Signing | Darkhotel has used code-signing certificates on its malware that are either forged due to weak keys or stolen. Darkhotel has also stolen certificates and signed backdoors and downloaders with them.[1][2] |