The fallout from the HackingTeam data dump shows no signs of abating. Since the controversial surveillance software maker was hacked and 400 GB of its data posted online in early July, a handful of zero-day vulnerabilities and exploits have been publicly leaked and continue to find their way into the hands of criminal and state-sponsored hacking groups.
The latest revelation is that the Darkhotel APT gang, known for targeting diplomats and corporate executives via Wi-Fi networks at luxury hotels, is using a Hacking Team exploit for an Adobe Flash zero day against specific targets.
Researchers at Kaspersky Lab today said on Securelist that the Hacking Team zero-day is just the latest Flash exploit in Darkhotel’s possession; Adobe has patched all of the vulnerabilities exploited by the Hacking Team zero-days. Darkhotel, since it was outed in November, has also grown its list of victims in a number of new countries. It also continues to make effective use of stolen certificates to sign its downloaders and backdoors, Kaspersky researchers said.
“Darkhotel seems to have burned through a pile of Flash zero-day and half-day exploits over the past few years, and it may have stockpiled more to perform precise attacks on high-level individuals globally,” Kaspersky Lab principal security researcher Kurt Baumgartner said.
The Hacking Team exploit was discovered on a Darkhotel domain, tisone360[.]com, which also hosted a set of backdoors and other exploits. Darkhotel was using spearphishing emails to redirect victims to the site, which began distributing the Hacking Team exploit in early July, shortly after the data dump. Kaspersky Lab said it does not believe Darkhotel was a Hacking Team customer. In April, before the leak, the same site was also delivering a Flash exploit for a vulnerability reported to Adobe in January 2014, one that Darkhotel had already used last year.
The site was active as of July 22 and was pushing the Hacking Team zero day via a malicious .swf Flash file and an image file. The Flash exploit retrieves the image (icon.jpg), which is used to deliver further malicious executables. Kaspersky Lab researchers said the timestamps in the malware are altered to dates in 2013 to confuse researchers.
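A triage check for the backdated timestamps mentioned above, written as an added example and not taken from Kaspersky Lab's report: it reads the compile timestamp from a PE file's COFF header and flags a sample whose claimed build date is implausibly far ahead of the date it was first seen. The stub PE header and the first-seen date are constructed for the example; the one-year threshold is an assumption, not a figure from the article.

```python
import struct
from datetime import datetime, timezone, timedelta

# Offset of e_lfanew in the DOS header and the layout of the COFF file header
# (Machine, NumberOfSections, TimeDateStamp, ...) are from the PE specification.
E_LFANEW_OFFSET = 0x3C
COFF_HEADER_FMT = "<HHIIIHH"  # 20 bytes, TimeDateStamp is the third field

def pe_timestamp(data):
    """Return the COFF TimeDateStamp of a PE image as an aware UTC datetime."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", data, E_LFANEW_OFFSET)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    # TimeDateStamp sits 4 bytes after the 4-byte 'PE\0\0' signature
    ts = struct.unpack_from("<I", data, e_lfanew + 8)[0]
    return datetime.fromtimestamp(ts, tz=timezone.utc)

def looks_backdated(compile_time, first_seen, max_gap=timedelta(days=365)):
    """Flag a sample whose compile timestamp predates first sighting by more than max_gap.

    Legitimate binaries can be old, so this is a triage signal, not proof; a
    Darkhotel-style sample stamped 2013 but first seen in July 2015 trips it.
    """
    return (first_seen - compile_time) > max_gap

def build_stub_pe(timestamp):
    """Constructed minimal PE header (DOS stub + signature + COFF header) for testing.
    Not a loadable executable; only enough structure for pe_timestamp() to parse."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, 0x40)  # PE header right after DOS header
    coff = struct.pack(COFF_HEADER_FMT, 0x14C, 0, timestamp, 0, 0, 0, 0)  # 0x14C = i386
    return bytes(dos) + b"PE\0\0" + coff

def triage(data, first_seen):
    """Return (compile_time, backdated_flag) for a PE blob and a first-seen date."""
    compile_time = pe_timestamp(data)
    return compile_time, looks_backdated(compile_time, first_seen)

if __name__ == "__main__":
    # Constructed sample: compile stamp 2013-07-01, first seen 2015-07-08 (hypothetical dates).
    sample = build_stub_pe(1372636800)
    seen = datetime(2015, 7, 8, tzinfo=timezone.utc)
    when, flagged = triage(sample, seen)
    print(f"compile time {when.isoformat()} backdated={flagged}")
```

On a real sample, replace the stub with the file's bytes and the first-seen date with the one from your sandbox or telemetry; a second, independent clue is the linker or Rich header data, which is outside the scope of this check.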
Darkhotel uses an .hta file to write executables to victims' machines in order to initiate communication with the command and control infrastructure. This is an old technique for Darkhotel, dating back to 2010, when it was used against targets in North Korea, Kaspersky Lab said.
In addition to web-based exploits and attacks on hotel Wi-Fi networks, Darkhotel's favorite initial attack vector remains spearphishing. Kaspersky Lab said it relentlessly phishes with emails carrying malicious .rar files. The archives contain .scr executables whose file names include the RTLO (right-to-left-override) Unicode character, so that the executable appears to be a .jpg image; the file is in fact a dropper that writes a .lnk downloader.
“When the target attempts to open what they think is a jpg image file, the executable code runs and drops a jpg image to disk, then opens it with mspaint.exe in the background. This ‘congratulations’ document is in Korean, revealing a likely characteristic of the intended target,” Kaspersky Lab said. “While the image is displayed, the code drops an unusual mspaint.lnk shortcut to disk and launches it. The shortcut maintains a multiline target shell script.”
If that shortcut is executed, it downloads another executable that injects malicious code and creates remote threads in running processes, Kaspersky researchers said.
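The RTLO lure in the spearphishing chain above can be caught before a user double-clicks it. The following is an added example, not code from Kaspersky Lab's report: it shows how a name such as "congratulations" + U+202E + "gpj.scr" is rendered by a naive file browser, recovers the real extension, and scans an archive listing for executables disguised this way. The archive listing is constructed for the example and the executable-extension set is an assumption.

```python
RTLO = "\u202e"
# Unicode bidi control characters attackers use to reorder displayed text.
BIDI_CONTROLS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",  # LRE, RLE, PDF, LRO, RLO
    "\u2066", "\u2067", "\u2068", "\u2069",            # LRI, RLI, FSI, PDI
}
# Extensions Windows will execute on double-click (assumed list for the example).
EXECUTABLE_EXTS = {"scr", "exe", "com", "pif", "bat", "cmd", "lnk", "hta", "js", "vbs"}

def displayed_name(name):
    """Approximate how a simple left-to-right renderer shows the name: everything
    after an RTLO character is drawn reversed, so 'gpj.scr' is seen as 'rcs.jpg'."""
    head, sep, tail = name.partition(RTLO)
    if not sep:
        return strip_controls(name)
    return strip_controls(head) + strip_controls(tail)[::-1]

def strip_controls(name):
    """Remove bidi control characters so the real bytes of the name are visible."""
    return "".join(ch for ch in name if ch not in BIDI_CONTROLS)

def true_extension(name):
    """The extension the OS actually uses, ignoring any visual reordering."""
    real = strip_controls(name)
    return real.rsplit(".", 1)[1].lower() if "." in real else ""

def classify(name):
    """Return what the user sees, what the OS sees, and whether that mismatch is dangerous."""
    ext = true_extension(name)
    has_control = any(ch in BIDI_CONTROLS for ch in name)
    return {
        "displayed": displayed_name(name),
        "actual_ext": ext,
        "suspicious": has_control and ext in EXECUTABLE_EXTS,
    }

def scan_listing(names):
    """Return the members of an archive listing that use RTLO-style extension spoofing."""
    return [n for n in names if classify(n)["suspicious"]]

if __name__ == "__main__":
    # Constructed archive listing, modelled on the decoy-image lure described above.
    listing = [
        "congratulations" + RTLO + "gpj.scr",   # shows as congratulationsrcs.jpg, runs as .scr
        "holiday.jpg",                           # benign
        "agenda" + RTLO + "cod.exe",             # shows as agendaexe.doc, runs as .exe
    ]
    for n in listing:
        c = classify(n)
        print(f"{c['displayed']!r:36} real ext={c['actual_ext']:4} suspicious={c['suspicious']}")
```

The same check belongs at the mail gateway or in the archive-extraction step of a sandbox: matching on the control characters alone produces some false positives on genuine Arabic or Hebrew names, which is why the executable-extension test is combined with it.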
The use of stolen certificates, meanwhile, is another technique Darkhotel favors to keep detection tools at bay; the most recently revoked certificate, Kaspersky Lab said, belonged to Xuchang Hongguang Technology Co. Ltd.
“Darkhotel now tends to hide its code behind layers of encryption. It is likely that it has slowly adapted to attacking better-defended environments and prefers not to burn these stolen digital certificates,” Baumgartner said. “In previous attacks it would simply have taken advantage of a long list of weakly implemented, broken certificates.”
Kaspersky Lab has published a list of indicators of compromise on the Securelist blog, including hashes for all the malicious components, command and control domains, and victim locations.