
The Darkhotel APT - wglb
http://securelist.com/blog/research/66779/the-darkhotel-apt/
======
amckenna
For those that are interested in a more technical analysis of the malware,
infection vectors, and C&C infrastructure check out the whitepaper linked at
the top. It goes into significantly more detail than the main article.

Below is a link to the PDF directly (I know the URL looks shady):

[http://25zbkz3k00wn2tp5092n6di7b5k.wpengine.netdna-cdn.com/f...](http://25zbkz3k00wn2tp5092n6di7b5k.wpengine.netdna-cdn.com/files/2014/11/darkhotel_kl_07.11.pdf)

If you manage security infrastructure for your organization and want details
on C&C URLs, compromised certs used for signing, and relevant file hashes,
check out the technical appendix they published, also linked at the top of the
article (and below):

[http://25zbkz3k00wn2tp5092n6di7b5k.wpengine.netdna-cdn.com/f...](http://25zbkz3k00wn2tp5092n6di7b5k.wpengine.netdna-cdn.com/files/2014/11/darkhotelappendixindicators_kl.pdf)

------
tkmcc
Interesting bits from the Technical Appendix:

- If the Information Stealer detects that the current system default codepage
is 0412 (Korean) it terminates.

- Also regarding the Information Stealer: "If the server reply contains a
keyword «minmei» it continues sending additional information. «Minmei» may be
a reference to a popular Japanese anime and manga known as «The Super
Dimension Fortress Macross»."

- The Enhanced Keylogger's debug info path was left compiled into the binary:
"d:\KerKey\KerKey(일반)\KerKey\release\KerKey.pdb" (note 일반 means "General" in
Korean).

I'm unsure whether this is intentional misdirection or simply due to bad
OPSEC, but this kind of stuff sticks out because it indicates a fairly large-
scale and international APT campaign may be coming out of somewhere in Asia
besides China.
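
A defender-side check for the debug-path marker mentioned above, added here as an example (it is not code from the Kaspersky report or from this thread): it pulls PDB paths out of CodeView RSDS records and matches on the ASCII tail of the KerKey path, because the Korean characters in the middle may have been stored as CP949 or UTF-8 depending on the build machine. The RSDS layout is standard; the sample buffer and GUID bytes are constructed, not taken from a real Darkhotel binary.

```python
"""Extract CodeView (RSDS) PDB paths from a binary and flag the KerKey one."""
import re
import struct
from typing import List

# Debug path quoted in the Darkhotel technical appendix.
DARKHOTEL_PDB = "d:\\KerKey\\KerKey(일반)\\KerKey\\release\\KerKey.pdb"
# The ASCII tail is identical under any codepage, so match on it rather
# than on the whole path (the Korean segment may be CP949 or UTF-8 bytes).
DARKHOTEL_TAIL = "\\kerkey\\release\\kerkey.pdb"

# RSDS record: magic, 16-byte GUID, 4-byte age, NUL-terminated path.
RSDS_RE = re.compile(rb"RSDS.{20}([^\x00]{1,512})\x00", re.DOTALL)


def decode_pdb_path(raw: bytes) -> str:
    """Compilers store the path in the build machine's ANSI codepage; for a
    Korean build that is CP949. Try UTF-8, then CP949, then a lossless
    Latin-1 view so nothing is silently dropped."""
    for enc in ("utf-8", "cp949"):
        try:
            return raw.decode(enc)
        except UnicodeDecodeError:
            continue
    return raw.decode("latin-1")


def extract_pdb_paths(data: bytes) -> List[str]:
    """Return every PDB path found in an RSDS CodeView record."""
    return [decode_pdb_path(m.group(1)) for m in RSDS_RE.finditer(data)]


def matches_darkhotel(data: bytes) -> bool:
    """True if any embedded PDB path ends with the KerKey release path."""
    return any(p.lower().endswith(DARKHOTEL_TAIL) for p in extract_pdb_paths(data))


def build_sample(path: str, encoding: str) -> bytes:
    """Constructed binary fragment with one RSDS record (hypothetical GUID)."""
    record = b"RSDS" + b"\x11" * 16 + struct.pack("<I", 1)
    record += path.encode(encoding) + b"\x00"
    return b"MZ" + b"\x90" * 64 + record + b"\x00" * 16


if __name__ == "__main__":
    for enc in ("cp949", "utf-8"):
        sample = build_sample(DARKHOTEL_PDB, enc)
        print(enc, extract_pdb_paths(sample), matches_darkhotel(sample))
```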

------
dmix
As much as hyperbole security marketing is becoming over-used these days, I
actually enjoyed the animation in the video. Very cyberpunk.

~~~
pavel_lishin
Convenient wallpaper:
[http://i.imgur.com/7ad0Bs1.jpg](http://i.imgur.com/7ad0Bs1.jpg)

------
walterbell
Use software like Qubes, Bromium to sign on the malware-infested hotel
network, then activate VPN.

------
internet_arguer
Good writeup. Kaspersky performs good malware campaign analysis without
sensationalism.

Also what a novel idea, just wait on the porous hotel network for your execs
to come in. I wonder what country's work this is.

~~~
pavel_lishin
> Kaspersky performs good malware campaign analysis without sensationalism.

Did you play the video?

~~~
internet_arguer
No, was it sensationalized? Dammit.

I never watch the videos on news sites. Too disruptive for my work
environment.

~~~
pavel_lishin
It's a wise policy.

------
Estragon
Why should we believe this? They admit that they have been unable to find any
"dark hotel" infrastructure. What is the basis for their claim that the
attacks take place in hotels?

~~~
amckenna
Check out the whitepaper they published along with the article. It goes into
more detail about the attacks. It appears they have a record of the traffic
from the hotels' networks, probably from an IDS or something similar. Some
relevant quotes from the whitepaper:

_"The Darkhotel APT’s precise malware spread was observed in several hotels’
networks, where visitors connecting to the hotel’s Wi-Fi were prompted to
install software updates to popular software packages."_ - page 5

_"As a part of an ongoing investigation, our research led us to embedded
iframes within hotel networks that redirected individuals’ web browsers to
phony installers. The attackers were very careful with the placement of these
iframes and executables on trusted resources - the hotels’ network login
portals themselves."_ - page 6

_"We observed traces of a couple of these incidents in late 2013 and early
2014 on a victim hotel’s network. The attackers set up the environment and hit
their individual targets with precision. As soon as their target’s stay was
over and the attack-frame was closed, the attackers deleted their iframe
placement and backdoored executables from the hotel network."_ - page 6

~~~
Estragon
Thank you.

