Darkhotel APT Malware Targeting Business Executives Using Hotel Wi-Fi

Kaspersky Lab unearthed a Darkhotel APT malware which targets top business executives visiting luxury hotels in Asia. Although the malware has been around since 2009, the latest strain shows great sophistication in targeting victims with great precision.

For years, hackers have spearheaded a cyber-espionage campaign using the Darkhotel APT malware residing in hotels and business’ Wi-Fi networks, and targeting high profile business executives as indicated by a recent report by Russian Security firm, Kaspersky.

Darkhotel is not a typical malware authored to continue the China-US-Russia cyber-espionage blame game. Instead, the malware is targeted on specific individuals  especially CEO’s and other high ranking business executives who only feel the urge to tweet, check emails or update their Facebook status every time there is free Wi-Fi pop-up on their devices.

According to Kaspersky’s report, business executives from Japan, Taiwan, China, Russia and South Korea suffered the blunt of Darkhotel Advanced Persistent Threat (APT) with over 90% recorded infections. Darkhotel is more of a ‘corporate malware’ mostly targeted on business executives vising Luxury hotels in Asia.

Interestingly, the malware only infects the machine of a specific individual and not all visitors using the hotel’s Wi-Fi.   This implies the hackers must have advanced knowledge of the target whereabouts including which hotels or business centers they will check in, says Kaspersky.

Once the victim logs into a hotel’s Wi-Fi network, the malware gives a bogus pop-up seeking to update a certain software such as Adobe flash, Google Toolbar and Windows messenger. If authorized to update, the malware install a malicious data stealing code on the PC.

The Malware targets information such as Username and Passwords saved on the browsers. Some experts believe the Darkhotel attackers are a wider cartel of government backed hackers who are eavesdropping on business executives from specific countries to steal trade secrets. “Maybe what we have here is the same framework (state-backing) being used by two different groups – one with a focus on other nation states, the other focusing on business interests,” said Kaspersky’s Costin Raiu.

Kaspersky says the malware has been around since 2009 infecting tens of thousands of unsuspecting victims. Darkhotel exploits Zero-day vulnerabilities in software such as Adobe flash to launch an attack and circumvent defense mechanisms in victim’s PC. “This APT precisely drives its campaigns by spear-phishing targets with highly advanced Flash zero-day exploits that effectively evade the latest Windows and Adobe defenses,” reported Kaspersky adding that Darkhotel also spread via peer-2-peer networks such as Bit Torrent.

Notably, the malware shows a high level of sophistication among the Darkhotel hackers. For instance, attacker stole and reused legitimate digital certificate to sign in their codes. In one case, they reused a legitimate digital certificate from Certificate Authority (CA), something very few hacks would pull.  “This type of targeted attack is uncommon. The steps taken to infect the machines and factors that have to be in place for it to work make it a very specialist type of infection,” said Mark James, security specialist at anti-virus firm ESET.

Other security experts have also acknowledged the high sophistication exhibited by the Darkhotel malware especially in targeting victims with great precision “We are seeing a very sophisticated attack on the target networks by this cell, who have put a great deal of thought into what information they want, who they are targeting and how to write malware that provides the best chance of getting what they’re after,” noted Richard Cassidy senior solutions architect at Alert Logic.

Kaspersky advises users to use a Virtual Private Network (VPN) when connecting to public networks in addition to other defense techniques.

Top/Featured Image: By PublicDomainPictures / Pixabay (https://pixabay.com/en/black-carved-celebration-creepy-2909/)

Lawrence Mwangi Lawrence is a technology and business reporter. He has freelanced for a number of tech sites and magazines. He is a web-enthusiast, with a special interest in Online security, Entrepreneurship and Innovation. When not writing about tech he can be found in a Tennis court or on a chess board.
Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.