A new wave of suspected activity conducted by the DarkHotel advanced persistent threat (APT) group has been disclosed by researchers.
Last week, Trellix researchers Thibault Seret and John Fokker said that a malicious campaign has been targeting luxury hotels in Macao, China since November 2021, and based on clues in the attack vector and malware used, the team suspects DarkHotel is the culprit.
DarkHotel is a South Korea-linked APT group that relies on tailored spear-phishing attacks. Active since at least 2007, it has targeted the hospitality, government, automotive and pharmaceutical sectors, focusing on surveillance and data theft, with business and industry leaders as its preferred targets.
If you want to compromise high-value targets such as CEOs and other executives, it makes sense to go after the high-end hotels they are likely to stay in. According to Trellix, major hotels in Macao, China, including the Grand Coloane Resort and Wynn Palace, are now among the APT’s victims.
The campaign began with spear-phishing emails purporting to come from the “Macao Government Tourism Office”, sent to management staff at the luxury hotels, including front-office and HR employees, who were likely to have access to guest booking systems.
The emails carried an Excel lure asking the recipient to complete a form for a guest inquiry. If the victim enables macros in order to read the document, the macros download and execute the malware payloads.
Once the researchers peeled back the layers of obfuscation, they found a malware function that creates a scheduled task for persistence and launches VBS and PowerShell scripts to connect to a hard-coded command-and-control (C2) server, disguised as a service belonging to the Federated States of Micronesia.
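The chain described above (a macro-enabled Office document spawning a script host, a scheduled task created for persistence, PowerShell reaching out to a C2) is exactly what endpoint process-creation telemetry should surface. As an added example, not Trellix’s code and not derived from the campaign’s samples, the Python below applies simple process-lineage rules to constructed Sysmon-style process-creation records; every path, task name, timestamp and command line in it is invented for illustration.

```python
"""Flag the macro -> script host -> scheduled task -> PowerShell chain in
process-creation telemetry.

Added example; not Trellix's code and not derived from the campaign's
samples. The events below are constructed, Sysmon EventID 1-style records
reduced to the fields the rules need; paths, task names and command lines
are invented for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "mshta.exe",
                "powershell.exe", "pwsh.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
PERSISTENCE_TOOLS = {"schtasks.exe"}

# Unambiguous prefixes of -EncodedCommand that PowerShell accepts (-e, -ec,
# -en, -enc ...), bounded by whitespace so "-ep bypass" does not match.
ENCODED_FLAG = re.compile(r"\s-e(?:c|n|nc|ncodedcommand)?\s")
DOWNLOAD_CRADLE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient")


@dataclass(frozen=True)
class ProcEvent:
    ts: str        # UTC timestamp of the process-creation event
    parent: str    # ParentImage
    image: str     # Image
    cmdline: str   # CommandLine


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: ProcEvent) -> list[str]:
    """Return the rule names an event trips (empty list for benign events)."""
    parent, image = _basename(ev.parent), _basename(ev.image)
    cmd = ev.cmdline.lower()
    hits: list[str] = []
    if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS | PERSISTENCE_TOOLS:
        hits.append(f"office-child:{parent}->{image}")
    if image in PERSISTENCE_TOOLS and "/create" in cmd:
        hits.append("schtasks-create")
    if image in SCRIPT_HOSTS and re.search(r"\.vbs\b", cmd):
        hits.append("vbs-execution")
    if image in POWERSHELL and ENCODED_FLAG.search(cmd):
        hits.append("encoded-powershell")
    if image in POWERSHELL and DOWNLOAD_CRADLE.search(cmd):
        hits.append("powershell-download")
    return hits


def scan(events: list[ProcEvent]) -> list[tuple[str, list[str]]]:
    """Per-event alerts, in the order the events were supplied."""
    return [(ev.ts, hits) for ev in events if (hits := classify(ev))]


def chain_detected(events: list[ProcEvent]) -> bool:
    """True when an Office app spawned a script host AND a scheduled task was
    created in the same batch: the two halves of the chain in the article."""
    names = {h.split(":")[0] for _, hits in scan(events) for h in hits}
    return "office-child" in names and "schtasks-create" in names


# Constructed sample telemetry (not real campaign data).
OFFICE = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
SAMPLE_EVENTS = [
    # Benign: Excel handing off to the print spooler helper.
    ProcEvent("2021-12-06T02:14:09Z", OFFICE, r"C:\Windows\splwow64.exe",
              "splwow64.exe 8192"),
    # Benign: user launched a browser from the shell.
    ProcEvent("2021-12-06T02:15:31Z", r"C:\Windows\explorer.exe",
              r"C:\Program Files\Google\Chrome\Application\chrome.exe", "chrome.exe"),
    # Macro fired: Excel spawns cmd to run a dropped VBS.
    ProcEvent("2021-12-06T02:16:02Z", OFFICE, r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c wscript.exe "C:\Users\Public\inquiry.vbs"'),
    # Persistence: the VBS registers a scheduled task.
    ProcEvent("2021-12-06T02:16:03Z", r"C:\Windows\System32\wscript.exe",
              r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /create /sc minute /mo 30 /tn "OfficeUpdate" '
              r'/tr "wscript.exe C:\Users\Public\inquiry.vbs" /f'),
    # Beacon: hidden, encoded PowerShell (the base64 is a placeholder string).
    ProcEvent("2021-12-06T02:16:05Z", r"C:\Windows\System32\wscript.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -nop -w hidden -e UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAAMQA="),
]

if __name__ == "__main__":
    for ts, hits in scan(SAMPLE_EVENTS):
        print(ts, ", ".join(hits))
    print("chain detected:", chain_detected(SAMPLE_EVENTS))
```

These are lineage heuristics, not signatures: a macro that launches its next stage through WMI or a COM object, rather than as a direct child of EXCEL.EXE, would not trip the `office-child` rule, which is why the scheduled-task and encoded-PowerShell rules are evaluated independently rather than only as part of the Office parent check.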
The attack chain shares a number of features, including the IP address and C2 infrastructure, with a campaign documented by Zscaler in 2021.
Normally, you would expect the APT to then execute further payloads for credential harvesting and data theft. However, in this campaign, activity suddenly stopped in January.
“We suspect the group was trying to lay the foundation for a future campaign involving these specific hotels,” Trellix said. “After researching the event agenda for the targeted hotels, we did indeed find multiple conferences that would have been of interest to the threat actor. […] But even threat actors will get unlucky. Due to the rapid rise of COVID-19 in Macao and in China in general, most of [the] events were canceled or postponed.”
Trellix attributes the attacks to DarkHotel with “moderate” confidence, based on IP addresses previously linked to the group and on “known development patterns” found in the malware’s C2 server.
However, the team acknowledges that this may not be enough for firm attribution, particularly since some threat groups plant false flags to make defenders believe their work is that of another actor, and so stay under the radar.
“Regardless of the exact threat actor attribution, this campaign demonstrates that the hospitality sector is indeed a valid target for espionage operations,” the researchers say. “Executives should be aware that the (cyber) security of their respective organizations doesn’t stop at the edge of their network.”
Back in 2020, Qihoo 360 attributed an ongoing wave of cyberattacks launched against Chinese government agencies and their employees to the APT.
The cybersecurity researchers said that a zero-day vulnerability was used to compromise at least 200 Sangfor SSL virtual private network (VPN) servers, many of which were used by government entities in Beijing and Shanghai, as well as departments involved in Chinese diplomacy.
While the COVID-19 pandemic has severely disrupted the travel industry and the rising cost of both living and transport may keep tourists away for longer, threat actors will continue to try and obtain valuable information from hotels and their guests.
When you are travelling, keep basic security hygiene up. You cannot prevent incidents on the hotel’s side, such as the compromise of point-of-sale (PoS) or booking systems, but you can use a mobile network rather than public Wi-Fi hotspots, connect through a virtual private network (VPN), and keep your software fully updated.
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0