Virus Type: malware, advanced persistent threat (APT)
The latest threat campaign, called 'Darkhotel', has been analysed by Kaspersky Lab's Global Research and Analysis Team. Darkhotel combines spear phishing with dangerous malware designed to capture confidential data.
The cybercriminals behind Darkhotel have been operating for almost a decade, targeting thousands of victims across the globe. 90% of the Darkhotel infections we have seen are in Japan, Taiwan, China, Russia and Korea, but we have also seen infections in Germany, the USA, Indonesia, India and Ireland.
This campaign is unusual in that it employs varying degrees of malicious targeting.
At one end of the spectrum, they use spear-phishing e-mails to infiltrate defense industrial bases (DIB), governments, NGOs, large electronics and peripherals manufacturers, pharmaceutical companies, medical providers, military-related organizations and energy policy makers. The attacks follow the typical spear-phishing process with thoroughly disguised Darkhotel implants. Email-lure content often covers topics such as nuclear energy and weaponry capabilities. Over the past several years, spear-phishing emails have carried an attached Adobe zero-day exploit or links that redirect targets' browsers to Internet Explorer zero-day exploits. Their aim is to steal data from these organisations.
At the other end of the spectrum, they spread malware indiscriminately via Japanese P2P (peer-to-peer) file-sharing sites. The malware is delivered as a part of a large RAR archive that purports to offer sexual content, but installs a backdoor Trojan that gathers confidential data from the victim.
In an approach that lies somewhere between these two, they target unsuspecting executives who are travelling overseas and staying at a hotel. Here the victims are infected with a rare Trojan that masquerades as one of several major software releases, including Google Toolbar, Adobe Flash and Windows Messenger. The attackers use this first-stage infection to qualify their victims; on the computers of more significant victims, they then download further malware designed to steal confidential data.
Based on a string within the malicious code, the threat appears to originate from a Korean threat actor.
Notwithstanding the technical sophistication of many targeted attacks, they typically start by tricking individual employees into doing something that jeopardises corporate security. Staff with public-facing roles (e.g. senior executives, sales and marketing personnel) can be particularly vulnerable, especially since they are often on the road and likely to use untrusted networks (e.g. at hotels) to connect to the corporate network.
Although total prevention can be challenging, here are some tips on how to stay safe when travelling.