Darkhotel

Darkhotel is a threat group that has been active since at least 2004. The group has conducted activity over hotel and business-center Wi‑Fi and physical network connections, as well as over peer-to-peer and file-sharing networks. The actors have also conducted spearphishing. [1]

ID: G0012
Version: 1.1

Techniques Used

Domain | ID | Name | Use
--- | --- | --- | ---
Enterprise | T1116 | Code Signing | Darkhotel has used code-signing certificates on its malware that are either forged due to weak keys or stolen. Darkhotel has also stolen certificates and signed backdoors and downloaders with them. [1][2]
Enterprise | T1140 | Deobfuscate/Decode Files or Information | Darkhotel has decrypted strings and imports using RC4 during execution. [2]
Enterprise | T1189 | Drive-by Compromise | Darkhotel used embedded iframes on hotel login portals to redirect selected victims to download malware. [1]
Enterprise | T1056 | Input Capture | Darkhotel has used a keylogger. [1]
Enterprise | T1027 | Obfuscated Files or Information | Darkhotel has obfuscated code used in an operation using RC4 and other methods. [2]
Enterprise | T1057 | Process Discovery | Darkhotel has searched for anti-malware strings and anti-virus processes running on the system. [2]
Enterprise | T1060 | Registry Run Keys / Startup Folder | Darkhotel has been known to establish persistence by adding programs to the Run Registry key. [1]
Enterprise | T1091 | Replication Through Removable Media | Darkhotel's selective infector modifies executables stored on removable media as a method of spreading across computers. [1]
Enterprise | T1064 | Scripting | Darkhotel has dropped an mspaint.lnk shortcut to disk which launches a shell script that downloads and executes a file. [2]
Enterprise | T1063 | Security Software Discovery | Darkhotel has searched for anti-malware strings and anti-virus processes running on the system. [2]
Enterprise | T1023 | Shortcut Modification | Darkhotel has dropped an mspaint.lnk shortcut to disk which launches a shell script that downloads and executes a file. [2]
Enterprise | T1193 | Spearphishing Attachment | Darkhotel has sent spearphishing emails with malicious RAR attachments. [2]
Enterprise | T1082 | System Information Discovery | Darkhotel has collected the hostname, OS version, service pack version, and the processor architecture from the victim's machine. [2]
Enterprise | T1016 | System Network Configuration Discovery | Darkhotel has collected the IP address and network adapter information from the victim's machine. [2]
Enterprise | T1080 | Taint Shared Content | Darkhotel used a virus that propagates by infecting executables stored on shared drives. [1]
Enterprise | T1204 | User Execution | Darkhotel sent spearphishing emails with malicious attachments that required users to click on an image in the document to drop the malware to disk. [2]

References