Rewterz Threat Alert – DarkHotel APT Threat Actor Group – Active IOCs

Severity

High

Analysis Summary

Based in South Korea, DarkHotel is an advanced persistent threat (APT) group that has been operational since at least 2007. They have been known to employ spear-phishing, P2P, and compromised hotel WiFi networks to infect PCs of top company leaders, uploading harmful programs. This APT uses very sophisticated Flash zero-day exploits to spear-phish targets, effectively evading the most recent Windows and Adobe defenses. They also use peer-to-peer spreading strategies to proliferate imprecisely across a wide number of ambiguous targets. The most peculiar aspect of this group is that the Darkhotel APT has been able to track and strike specific targets as they cross the globe for a number of years via hotel networks.

The DarkHotel cybercriminals have been active for more than ten years, preying on thousands of victims worldwide. Though we have also found infections in Germany, the USA, Indonesia, India, and Ireland, Japan, Taiwan, China, Russia, and Korea account for 90% of the infections we have encountered with DarkHotel.

The common endpoint targets in the field of Officials and Executives are some Defense industrial bases (DIB), Governments, Non-government organizations (NGOs), Large electronics and peripherals manufacturers, Pharmaceutical companies, medical providers, Military-related organizations and also Energy policymakers.

It appears that global C-level CEOs driving investment and economic growth as well as political figures are of special interest to DarkHotel APT. Notably, they have also targeted nations with nuclear weapons. CEOs, Senior Vice Presidents, Directors of Sales and Marketing, and senior R&D personnel are the targets of targeted assaults in the corporate sectors.

Impact

• Sensitive Information Theft
• Unauthorized Access
• Cyber Espionage

Indicators of Compromise

MD5

• 6af6f86658c705f7c9cc6360575f817d
• 4670900c14740055efc8a8aa2615dfae

SHA-256

• e0cdb4d689576db31f1fff2460ef0ab068fbf1e45fd0af4b18efb9f87d067e16
• 16e59f7119481e1e7c1b57f25d68588df1d8461194ffeb973f461c30dfddf447

SHA-1

• 7ce3442314add6ac7446643559da3dba4ddfe60c
• c7771dd526e176e959aadc620e4b03e944826f33

Remediation

• Block all threat indicators at your respective controls.
• Search for Indicators of compromise (IOCs) in your environment utilizing your respective security controls
• Emails from unknown senders should always be treated with caution.
• Never trust or open ” links and attachments received from unknown sources/senders.
• Patch and upgrade any platforms and software timely and make it into a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days.
• Enable antivirus and anti-malware software and update signature definitions in a timely manner. Using multi-layered protection is necessary to secure vulnerable assets.
• Always use trusted VPN tunnels if you plan on accessing public or even semi-public Wi-Fi. A virtual private network can give you an encrypted barrier to keep out any infected servers from feeding malware bait into your connection.
• Always verify executable files and treat files shared over P2P networks with caution and suspicion. Again, these files can easily be bait for malware infections. Even legitimate files can be modified for a hacker’s benefit.
• Install quality Internet security software. Make sure it includes proactive defense against new threats rather than just basic antivirus scanning and malware removal. Web protection like link threat-scanning and phishing filters can help you combat threats like those used by DarkHotel.