The powerful cyber-espionage actor Darkhotel is the latest APT group to make use of the zero-days and exploit tools leaked in the Hacking Team breach.
Darkhotel is famous for infiltrating Wi-Fi networks in luxury hotels to compromise select corporate executives. Kaspersky Lab researchers have now found that the group has been using a zero-day vulnerability from Hacking Team’s collection since the beginning of July 2015. Not known to have been a client of Hacking Team, the Darkhotel group appears to have grabbed the files once they became publicly available after the notorious leak of Hacking Team files on July 5, 2015.
In addition, Kaspersky Lab researchers have observed new techniques and activities from Darkhotel, including new variants of malicious executable files, ongoing use of stolen certificates and relentless social-engineering spoofing.
This is also not the group’s only zero-day; Kaspersky Lab estimates that during the past few years Darkhotel may have gone through half a dozen or more zero-days targeting Adobe Flash Player, apparently investing significant money in supplementing its arsenal. In 2015, the Darkhotel group extended its geographical reach around the world while continuing to spear-phish targets in North and South Korea, Russia, Japan, Bangladesh, Thailand, India, Mozambique and Germany.
“Darkhotel has returned with yet another Adobe Flash Player exploit hosted on a compromised website, and this time it appears to have been driven by the Hacking Team leak,” said Kurt Baumgartner, principal security researcher at Kaspersky Lab, in a blog post. “The group has previously delivered a different Flash exploit on the same website, which we reported as a zero-day to Adobe in January 2014. Darkhotel seems to have burned through a pile of Flash zero-day and half-day exploits over the past few years, and it may have stockpiled more to perform precise attacks on high-level individuals globally. From previous attacks we know that Darkhotel spies on CEOs, senior vice presidents, sales and marketing directors and top R&D staff.”
Meanwhile, in attacks dated 2014 and earlier, the group misused stolen code-signing certificates and employed unusual methods like compromising hotel Wi-Fi to place spying tools on targets’ systems. In 2015, many of these techniques and activities have been maintained, but Kaspersky Lab has also uncovered new variants of malicious executable files and new techniques.
Those include maintaining a stockpile of stolen certificates. The group deploys its downloaders and backdoors signed with these certificates to deceive the targeted system into trusting them. It has also expanded its list of anti-detection techniques: the 2015 version of the Darkhotel downloader is designed to identify anti-virus technologies from 27 vendors, with the intention of bypassing them.