THE BLOG

The Inhospitable Darkhotel

13/11/2014 12:07 GMT | Updated 12/01/2015 10:59 GMT

You may have read recently about Darkhotel - a cyber-espionage campaign that has been active over the last few years. You can find a full report on this malware here, but I'd like to outline the main features of this campaign and provide some advice on how to keep yourself safe from attacks of this kind.

What is Darkhotel?

The cybercriminals behind Darkhotel have been operating for almost a decade, targeting thousands of victims across the globe. 90 per cent of the infections we have seen are in Japan, Taiwan, China, Russia and Hong Kong, but we have also seen infections in Germany, the USA, Indonesia, India, and Ireland.

How does it work?

This campaign is unusual in that it employs varying degrees of targeting.

At one end of the spectrum, the attackers use spear-phishing e-mails to infiltrate organisations from different sectors: these include Defense Industrial Base (DIB), Government and Non-Governmental Organisations (NGOs). The attackers make use of zero-day exploits to install the malware. Sometimes they send e-mails containing links that redirect victims to Internet Explorer exploits; at other times they include an attachment deploying a zero-day exploit.

At the other end of the spectrum, they spread malware indiscriminately via Japanese P2P (peer-to-peer) file-sharing sites. The malware is delivered as a part of a large RAR archive that purports to offer sexual content, but installs a backdoor Trojan that allows attackers to perform a mass surveillance campaign. This Darkhotel package was downloaded over 30,000 times in less than six months.

The attackers also specifically target business executives who are traveling overseas and are staying at hotels in a number of countries. The victims are infected with a rare Trojan that masquerades as one of several major software releases, including Google Toolbar, Adobe Flash and Windows Messenger. The attackers use embedded iframes, located within the login portals of the hotels, to redirect the web browsers of their victims to these fake installers. This first stage infection is used by the attackers to qualify their victims and then download further malware to the computers of more significant victims, designed to steal confidential data from the victim's computer. At present, it's unclear how the attackers select their victims.

Key features of the campaign

•Targeted attacks focused on C-level victims: CEOs, Senior Vice Presidents, Sales and Marketing Directors and top R&D staff.

•The gang use both targeted attacks and botnet-style operations. They compromise hotel networks, then stage attacks from those networks on selected high profile victims. At the same time, they use botnet style operations for massive surveillance or to perform other tasks, such as DDoS (distributed Denial of Service) attacks or to install more sophisticated espionage tools on the computers of particularly interesting victims.

•Use of zero-day exploits targeting Internet Explorer and Adobe products.

•Use of an advanced, low-level keylogger to steal confidential data.

•Malicious code signed using stolen digital certificates.

•A persistent campaign - Darkhotel has been operating for almost a decade.

How do I reduce my exposure to such attacks?

Here are some tips on how to stay safe when travelling:

•Update all third party software before you go on your trip.

•Use a strong anti-malware product, best practices.

•Use a separate 'travel' computer or, alternatively, use a dedicated virtual computer while you're travelling.

•Use a VPN while traveling.

•Use two-factor authentication for e-mail and other confidential services.

•Use strong, unique passwords for each resource you access.

•Use separate e-mail, Skype and IM accounts while travelling.