DarkHotel attackers return, with major shift in method
Instead of shared WiFi, DarkHotel's new attack pattern delivers its payload through social engineering and a Trojan
A new spear-phishing (whaling) campaign targeting political figures and senior business users has been found by Bitdefender. Dubbed Inexsmar, the attack appears to be operated by the DarkHotel group, which has been perpetrating similar threats since 2007.
DarkHotel attacks have traditionally combined whaling with malware and other techniques, with attacker and victim on the same hotel WiFi network. Inexsmar differs in both its targets and its payload delivery mechanism. Bitdefender has dated the Inexsmar samples to September 2016, but it has also found samples with a high level of similarity dating back to April 2011.
Liviu Arsene, senior e-threat analyst at Bitdefender, told Computing:
"The new attack vector involves carefully-crafted spear-phishing emails...where the use of legitimate names and email address is supposed to convince victims of the email's legitimacy. When executed, the attachment actually displays a valid document, so as not to raise any suspicion from the victim, while malware is installed in the background. This is why the current campaign is a major departure from [DarkHotel's] approach, in which the attacker would have to share the same Wi-Fi as its victim." The dummy document that Arsene mentions is called 'Pyongyang Directory Group email SEPTEMBER 2016 RC_Office_Coordination_Associate.docx'.
Various checks run in the background to determine whether the host computer is a valid target. If it is not, the malware stops functioning; otherwise, it contacts the C2 server to download and install the full payload.
The DarkHotel group has traditionally targeted senior business users, such as CEOs, developers and corporate researchers, who can access sensitive company information such as intellectual property and source code. Zero-day exploits, stolen or factored digital certificates, and layered encryption of samples are among the methods the group has used in the past.
Bitdefender writes, 'We presume that this method of pairing social engineering with a multi-stage Trojan downloader is also an evolutionary step to keep [DarkHotel's] malware competitive as their victims' defences improve. This approach serves their purpose much better as it both assures the malware stays up to date via system persistence - not achievable directly using an exploit - and gives the attacker more flexibility in malware distribution (the domains don't have to be up all the time - not achievable directly using an exploit).'
Bitdefender's whitepaper goes into more detail on the attack.