Cyberespionage group targets traveling execs through hotel networks

The group infects the network access Web portals used by hotels and business centers to target specific guests

For the past four years a group of sophisticated hackers has compromised the networks of luxury hotels to launch malware attacks against corporate executives and entrepreneurs traveling on business in the Asia-Pacific region.

The cyberespionage group, which researchers from Kaspersky Lab dubbed Darkhotel, operates by injecting malicious code into the Web portals used by hotel guests to log in to the local network and access the Internet, typically by inputting their last name and room number.

The infections are typically brief and are meant to target only specific guests by prompting them to download trojanized updates for popular software applications. The rogue software updates deploy malware implants that then download and install digitally-signed information-stealing programs.

"This group of attackers seems to know in advance when these individuals will arrive and depart from their high-end hotels," the Kaspersky Lab researchers said in a report released Monday. The attackers lie in wait until the travelers arrive and connect to the Internet, the researchers said.

After the victims check out of the hotel, the attackers disable the malicious code injected into the hotel's network portal and hide their tracks.

"Those portals are now reviewed, cleaned and undergoing a further review and hardening process," the Kaspersky researchers said.

The Darkhotel group is interesting because it uses a combination of both highly targeted and non-targeted, botnet-style attacks. The cracking of digital certificate keys combined with the use of zero-day vulnerabilities suggests a highly sophisticated team of developers. However, its command-and-control infrastructure is full of weak server configurations and basic mistakes suggesting that a less skilled team is in charge of it.

"Considering their well-resourced, advanced exploit development efforts and large, dynamic infrastructure, we expect more Darkhotel activity in the coming years," the Kaspersky Lab researchers said in a blog post.

The largest volume of attacks via hotel networks took place between August 2010 and 2013, but incidents were also recorded in 2014 and are currently being investigated.

The group, which is also known as Tapaoux, is believed to have been operating since at least 2007 and has also used other attack techniques over the years including spear-phishing emails with attachments or links that exploited zero-day vulnerabilities in Flash Player and Internet Explorer, and the distribution of malware via poisoned downloads on peer-to-peer networks.

Most of the malicious components used by the Darkhotel attackers are signed with valid digital certificates, either duplicated certificates whose weak 512-bit RSA keys they cracked or certificates that they stole from their rightful owners.

The group's malware toolset includes a malware downloader; a keylogger; a Trojan program that gathers system information; an information stealer component that collects passwords stored in browsers and other sensitive data; and a file-infecting virus that spreads via USB drives and network shares. These tools are detected as Tapaoux, Pioneer, Karba and Nemim, among other names, the Kaspersky researchers said.

Over 90 percent of malware infections associated with the Darkhotel group were detected in Japan, Taiwan, China, Russia and Korea. However infections were also found in the U.S., the United Arab Emirates, Singapore, Kazakhstan, South Korea, the Philippines, Hong Kong, India, Indonesia, Germany, Ireland, Mexico, Belgium, Serbia, Lebanon, Pakistan, Greece, Italy and other countries.

The targets were from a wide array of industries, including electronics manufacturing, finance, pharmaceuticals, and others. They also included individuals in defense and law-enforcement.

Join the Good Gear Guide newsletter!

Error: Please check your email address.

Tags securityExploits / vulnerabilitiesspywaremalwarekaspersky lab

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Cool Tech

Crucial Ballistix Elite 32GB Kit (4 x 8GB) DDR4-3000 UDIMM

Learn more >

Gadgets & Things

Lexar® Professional 1000x microSDHC™/microSDXC™ UHS-II cards

Learn more >

Family Friendly

Lexar® JumpDrive® S57 USB 3.0 flash drive 

Learn more >

Stocking Stuffer

Plox Star Wars Death Star Levitating Bluetooth Speaker

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?