APT groups tend to be grouped together in a large amorphous blob of sinister intentions and similar targets, but not all APT crews are created equal. Researchers have identified a group that’s been operating in Asia for at least seven years and has been using hotel networks as key infection points to target top executives at companies in manufacturing, defense, investment capital, private equity, automotive and other industries.
The group, which researchers at Kaspersky Lab are calling Darkhotel, has access to zero day vulnerabilities and exploits and has shown a willingness to use them in situations where the zero days might be discovered. One of the zero days the group has used is a Flash vulnerability that was disclosed in February.
“This crew occasionally deploys 0-day exploits, but burns them when required. in the past few years, they deployed 0-day spear-phishing attacks targeting Adobe products and Microsoft internet Explorer, including cve-2010-0188. in early 2014, our researchers exposed their use of cve-2014-0497, a Flash 0-day described on Securelist in early February,” the Darkhotel report says.
“The crew spear-phished a set of target systems connected to the internet through Chinese iSps, and developed capabilities within the 0-day exploits to handle hardened Windows 8.1 systems. it’s interesting that the flash objects were embedded in Korean documents titled “list of the latest Japanese AV wind and how to use torrents.docx” (loose English translation).”
The Darkhotel group has been operating mainly in Asian countries, but there have been infections recorded in the United States, South Korea, Singapore, Germany, Ireland and many others, as well. The key infection method for this group is the compromise of WiFi networks in business hotels. When users connect to the network, they are presented with a dialog box prompting them to install a fake update, typically something that looks legitimate, such as Adobe Flash. If a victim agrees to install the fake update, he instead receives a digitally signed piece of malware, courtesy of the attackers. The malware has keylogging and other capabilities and steals information, which is then sent back to the attackers.
“When unsuspecting guests, including situationally aware corporate executives and high-tech entrepreneurs, travel to a variety of hotels and connect to the internet, they are infected with a rare APT Trojan posing as any one of several major software releases. These might be GoogleToolbar, Adobe flash, Windows Messenger, etc. This first stage of malware helps the attackers to identify more significant victims, leading to the selective download of more advanced stealing tools,” the report says.
“At the hotels, these installs are selectively distributed to targeted individuals. This group of attackers seems to know in advance when these individuals will arrive and depart from their high-end hotels. So, the attackers lay in wait until these travelers arrive and connect to the internet.”
The Darkhotel group’s extensive infrastructure includes access to some of the hotels’ systems that maintain the registration information for guests. This allows the attackers to target specific incoming guests at compromised hotels. Not every guest connecting to the WiFi network is given the fake update installer that leads to the malware installation. Instead, the attackers pick and choose which guests they want to go after, aiming for high-value targets.
In addition, the Darkhotel attackers are using a variety of digital certificates to sign their malware. Attackers often employ stolen certificates in this way, but the Darkhotel group seems to have taken a different tack, duplicating legitimate certificates that have weak keys.
“All related cases of signed Darkhotel malware share the same Root Certificate Authority and intermediate Certificate Authority that issued certificates with weak md5 keys (RSA 512 bits). We are confident that our Darkhotel threat actor fraudulently duplicated these certificates to sign its malware. These keys were not stolen,” the report says.
In 2011, Microsoft revoked trust in a number of certificates with 512-bit keys issued by DigiCert Sdn. Bdh, a Malaysian certificate authority, warning that the weak keys could allow an attacker to break the keys and duplicate the certificates. That appears to be what the Darkhotel attackers did, replicating these certificates for use in their malware campaigns.
“They abuse weakly implemented digital certificates to sign their malcode. The actor abused the trust of at least ten CAs in this manner. Currently they are stealing and re-using other legitimate certificates to sign their mostly static backdoor and infostealer toolset. Their infrastructure grows and shrinks over time, with no consistent pattern to the setup. It is both protected with flexible data encryption and poorly defended with weak functionality,” the Kaspersky Lab GReAT team wrote in an explanation of the attack.
Image from Flickr photos of Calitexican.