Rick Richardson's Views On Technology
  • Home
  • Blog

Hackers Are Using Hotel Wi-Fi  to Spy and Steal Data

8/13/2017

0 Comments

 
Picture
An advanced hacking and cyberespionage campaign against high-value targets has returned.

The so-called 'DarkHotel' group has been active for over a decade, with a signature brand of cybercrime that targets business travelers with malware attacks, using the Wi-Fi in luxury hotels across the globe.

Hotel Wi-Fi hotspots are compromised in order to help deliver the payload to the selected pool of victims. The exact methods of compromise remain uncertain, but cybersecurity experts believe it involves attackers remotely exploiting vulnerabilities in server software or infiltrating the hotel and gaining physical access to the machines.

Those behind the campaign have continually evolved their tactics and malware payloads, blending phishing and social engineering with a complex Trojan, in order to conduct espionage on corporate research and development personnel, CEOs, and other high-ranking corporate officials.

But now the actors behind DarkHotel have changed tactics again, using a new form of malware known as Inexsmar to attack political targets. Researchers at Bitdefender – who've analyzed the malware strain – have linked the Inexsmar campaign to DarkHotel because of similarities with payloads delivered by previous campaigns.

In common with other espionage campaigns, the Inexsmar attack begins with high-level phishing emails individually designed to be interesting and convincing to the target. "The social engineering part of the attack involves a very carefully crafted phishing email targeted to one person at a time," Bogdan Botezatu, senior e-threat analyst at Bitdefender, told ZDNet.

Researchers remain uncertain about who is being targeted by the campaign – and the malware sample doesn't provide clues about this – but the nature of the phishing emails point towards government and political targets.

Within the email is a self-extracting archive package, winword.exe, which when executed begins the Trojan downloader process.

In order to avoid the victim getting suspicious, the downloader opens a decoy Word document called 'Pyongyang Directory Group email SEPTEMBER 2016 RC_Office_Coordination_Associate.docx'.

It shows a list of supposed contacts in the North Korean capital, with references to organizations including FAO, UNDP, UN, UNICEF, and WFP. It even contains warnings about spammers and ensuring privacy – with the victim reading this just as their privacy is being compromised by hackers.

In order to prevent detection, the malware is downloaded in stages – another element of the campaign which links it to DarkHotel. The first stage of the downloader even hides malicious codes and strings inside an otherwise legitimate OpenSSL binary by statically linking the malicious code to the otherwise unrelated library code.

Following this, the malware runs a mshta.exe operation – a legitimate Microsoft HTML Application host needed to execute .HTA files – to download the second part of the payload and compromise the target with the Trojan malware.

Researchers suggest the multi-stage Trojan download is an evolutionary step to keep the malware competitive as victims' defenses improve.

"This approach serves their purpose much better as it both assures the malware stays up to date via system persistence – not achievable directly using an exploit, and giving the attacker more flexibility in malware distribution," says the paper by malware researchers Cristina Vatamanu, Alexandru Rusu, and Alexandru Maximciuc.

DarkHotel is a highly sophisticated hacking operation, stockpiling digital certificates to aid in the distribution of malware and deploy backdoors with code hidden under many layers of protection.

The group is careful to cover their tracks but the nature of the attacks and the way DarkHotel picks victims potentially indicates involvement of a nation state actor.
​
"Attribution is usually difficult with this type of attack, but its complexity and the cherry-picked victims show that it is likely a state-backed threat with serious skills and resources," said Botezatu.

0 Comments



Leave a Reply.

    Author

    Rick Richardson, CPA, CITP, CGMA

    Rick is the editor of the weekly newsletter, Technology This Week. You can subscribe to it by visiting the website.

    Rick is also the Managing Partner of Richardson Media & Technologies, LLC. Prior to forming his current company, he had a 28-year career in technology with Ernst & Young, the last twelve years of which he served as National Director of Technology.

    Mr. Richardson has been named to the "Technology 100"- the annual honors list of the 100 key achievers in technology in America. He has also been honored by the American Institute of CPAs with two Lifetime Achievement awards and a Special Career Recognition Award for his contributions to the profession in the field of technology.

    In 2012, Rick was inducted into the Accounting Hall of Fame by CPA Practice Advisor Magazine. He has also been named to the 100 most influential individuals in the accounting profession in America by Accounting Today magazine.

    In 2017, Rick was inducted as a Marquis Who’s Who Lifetime Achiever, a registry of professionals who have excelled in their fields for many years and achieved greatness in their industry.

    He is a sought after speaker around the world, providing his annual forecast of future technology trends to thousands of business executives, professionals, community leaders, educators and students.

    Picture
    Picture
    Picture
    Picture
    Picture

    Archives

    October 2022
    September 2022
    August 2022
    July 2022
    June 2022
    May 2022
    April 2022
    March 2022
    February 2022
    January 2022
    December 2021
    November 2021
    October 2021
    September 2021
    August 2021
    July 2021
    June 2021
    May 2021
    April 2021
    March 2021
    February 2021
    January 2021
    December 2020
    November 2020
    October 2020
    September 2020
    August 2020
    July 2020
    June 2020
    May 2020
    April 2020
    March 2020
    February 2020
    January 2020
    December 2019
    November 2019
    October 2019
    September 2019
    August 2019
    July 2019
    June 2019
    May 2019
    April 2019
    March 2019
    February 2019
    January 2019
    December 2018
    November 2018
    October 2018
    September 2018
    August 2018
    July 2018
    June 2018
    May 2018
    April 2018
    March 2018
    February 2018
    January 2018
    December 2017
    November 2017
    October 2017
    September 2017
    August 2017
    July 2017
    June 2017
    May 2017
    April 2017
    March 2017
    February 2017
    January 2017
    December 2016
    November 2016
    October 2016
    September 2016
    August 2016
    July 2016
    June 2016
    May 2016
    April 2016
    March 2016
    February 2016
    January 2016
    December 2015
    November 2015
    October 2015
    September 2015
    August 2015
    July 2015
    June 2015

    Categories

    All
    Artificial Intelligence
    Audit
    Back Up
    Back-Up
    Blockchain
    Climate
    Cloud
    Collaboration
    Communication
    Coronavirus
    COVID 19
    COVID-19
    Digital Assistant
    Display
    Drone
    Edge Computing
    Education
    Enterprise
    Hardware
    Home Automation
    Internet Of Things
    Law
    Medicine
    Metaverse
    Mobile
    Mobile Payments
    Open Source
    Personalization
    Power
    Privacy
    Quantum Computing
    Remote Work
    Retail
    Robotics
    Security
    Software
    Taxes
    Transportation
    Wearables
    Wi Fi
    Wi-Fi

    RSS Feed

    View my profile on LinkedIn
Powered by Create your own unique website with customizable templates.