Why should we believe this? They admit that they have been unable to find any "dark hotel" infrastructure. What is the basis for their claim that the attacks take place in hotels?
Check out the whitepaper they published along with the article. It goes into more detail about the attacks. It appears they have a record of the traffic from the hotels' networks, probably from an IDS or something similar. Some relevant quotes from the whitepaper:
"The Darkhotel APT’s precise malware spread was observed in several hotels’ networks, where visitors connecting to the hotel’s Wi-Fi were prompted to install software updates to popular software packages." - page 5
"As a part of an ongoing investigation, our research led us to embedded iframes within hotel networks that redirected individuals’ web browsers to phony installers. The attackers were very careful with the placement of these iframes and executables on trusted resources - the hotels’ network login portals themselves." - page 6
"We observed traces of a couple of these incidents in late 2013 and early 2014 on a victim hotel’s network. The attackers set up the environment and hit their individual targets with precision. As soon as their target’s stay was over and the attack-frame was closed, the attackers deleted their iframe placement and backdoored executables from the hotel network." - page 6
For those that are interested in a more technical analysis of the malware, infection vectors, and C&C infrastructure check out the whitepaper linked at the top. It goes into significantly more detail than the main article.
Below is a link to the PDF directly (I know the URL looks shady):
If you manage security infrastructure for your organization and want details on C&C URLs, compromised certs used for signing, and relevant file hashes check out the technical apendix they published, also linked at the top of the article (and below):
- If the Information Stealer detects that the current system default codepage is 0412 (Korean) it terminates.
- Also regarding the Information Stealer: "If the server reply contains a keyword «minmei» it continues sending additional information. «Minmei» may be a reference to a popular Japanese anime and manga known as «The Super Dimension Fortress Macross»."
- The Enhanced Keylogger's debug info path was left compiled into the binary: "d:\KerKey\KerKey(일반)\KerKey\release\KerKey.pdb" (note 일반 means "General" in Korean).
I'm unsure whether this is intentional misdirection or simply due to bad OPSEC, but this kind of stuff sticks out because it indicates a fairly large-scale and international APT campaign may be coming out of somewhere in Asia besides China.
12 comments
[ 3.0 ms ] story [ 39.2 ms ] threadAlso what a novel idea, just wait on the porous hotel network for your execs to come in. I wonder what country's work this is.
Did you play the video?
I never watch the videos on news sites. Too disruptive for my work environment.
"The Darkhotel APT’s precise malware spread was observed in several hotels’ networks, where visitors connecting to the hotel’s Wi-Fi were prompted to install software updates to popular software packages." - page 5
"As a part of an ongoing investigation, our research led us to embedded iframes within hotel networks that redirected individuals’ web browsers to phony installers. The attackers were very careful with the placement of these iframes and executables on trusted resources - the hotels’ network login portals themselves." - page 6
"We observed traces of a couple of these incidents in late 2013 and early 2014 on a victim hotel’s network. The attackers set up the environment and hit their individual targets with precision. As soon as their target’s stay was over and the attack-frame was closed, the attackers deleted their iframe placement and backdoored executables from the hotel network." - page 6
Below is a link to the PDF directly (I know the URL looks shady):
http://25zbkz3k00wn2tp5092n6di7b5k.wpengine.netdna-cdn.com/f...
If you manage security infrastructure for your organization and want details on C&C URLs, compromised certs used for signing, and relevant file hashes check out the technical apendix they published, also linked at the top of the article (and below):
http://25zbkz3k00wn2tp5092n6di7b5k.wpengine.netdna-cdn.com/f...
- If the Information Stealer detects that the current system default codepage is 0412 (Korean) it terminates.
- Also regarding the Information Stealer: "If the server reply contains a keyword «minmei» it continues sending additional information. «Minmei» may be a reference to a popular Japanese anime and manga known as «The Super Dimension Fortress Macross»."
- The Enhanced Keylogger's debug info path was left compiled into the binary: "d:\KerKey\KerKey(일반)\KerKey\release\KerKey.pdb" (note 일반 means "General" in Korean).
I'm unsure whether this is intentional misdirection or simply due to bad OPSEC, but this kind of stuff sticks out because it indicates a fairly large-scale and international APT campaign may be coming out of somewhere in Asia besides China.