Darkhotel

Darkhotel is a threat group that has been active since at least 2004. The group has conducted activity on hotel and business center Wi-Fi and physical connections as well as peer-to-peer and file sharing networks. The actors have also conducted spearphishing. [1]

ID: G0012
Version: 1.1
Created: 31 May 2017
Last Modified: 31 January 2019

Techniques Used

Domain ID Name Use
Enterprise T1116 Code Signing

Darkhotel has used code-signing certificates on its malware that are either forged due to weak keys or stolen. Darkhotel has also stolen certificates and signed backdoors and downloaders with them.[1][2]

Enterprise T1140 Deobfuscate/Decode Files or Information

Darkhotel has decrypted strings and imports using RC4 during execution.[2]

Enterprise T1189 Drive-by Compromise

Darkhotel used embedded iframes on hotel login portals to redirect selected victims to download malware.[1]

Enterprise T1056 Input Capture

Darkhotel has used a keylogger.[1]

Enterprise T1027 Obfuscated Files or Information

Darkhotel has obfuscated code used in an operation using RC4 and other methods.[2]

Enterprise T1057 Process Discovery

Darkhotel has searched for anti-malware strings and anti-virus processes running on the system.[2]

Enterprise T1060 Registry Run Keys / Startup Folder

Darkhotel has been known to establish persistence by adding programs to the Run Registry key.[1]

Enterprise T1091 Replication Through Removable Media

Darkhotel's selective infector modifies executables stored on removable media as a method of spreading across computers.[1]

Enterprise T1064 Scripting

Darkhotel has dropped an mspaint.lnk shortcut to disk which launches a shell script that downloads and executes a file.[2]

Enterprise T1063 Security Software Discovery

Darkhotel has searched for anti-malware strings and anti-virus processes running on the system.[2]

Enterprise T1023 Shortcut Modification

Darkhotel has dropped an mspaint.lnk shortcut to disk which launches a shell script that downloads and executes a file.[2]

Enterprise T1193 Spearphishing Attachment

Darkhotel has sent spearphishing emails with malicious RAR attachments.[2]

Enterprise T1082 System Information Discovery

Darkhotel has collected the hostname, OS version, service pack version, and the processor architecture from the victim’s machine.[2]

Enterprise T1016 System Network Configuration Discovery

Darkhotel has collected the IP address and network adapter information from the victim’s machine.[2]

Enterprise T1080 Taint Shared Content

Darkhotel used a virus that propagates by infecting executables stored on shared drives.[1]

Enterprise T1204 User Execution

Darkhotel sent spearphishing emails with malicious attachments that required users to click on an image in the document to drop the malware to disk.[2]

References