Darkhotel

Darkhotel is a threat group that has been active since at least 2004. The group has conducted activity on hotel and business center Wi-Fi and physical connections as well as peer-to-peer and file sharing networks. The actors have also conducted spearphishing.[1]

ID: G0012
Version: 1.1

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1116 | Code Signing | Darkhotel has used code-signing certificates on its malware that are either forged due to weak keys or stolen. Darkhotel has also stolen certificates and signed backdoors and downloaders with them.[1][2] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Darkhotel has decrypted strings and imports using RC4 during execution.[2] |
| Enterprise | T1189 | Drive-by Compromise | Darkhotel used embedded iframes on hotel login portals to redirect selected victims to download malware.[1] |
| Enterprise | T1056 | Input Capture | Darkhotel has used a keylogger.[1] |
| Enterprise | T1027 | Obfuscated Files or Information | Darkhotel has obfuscated code used in an operation using RC4 and other methods.[2] |
| Enterprise | T1057 | Process Discovery | Darkhotel has searched for anti-malware strings and anti-virus processes running on the system.[2] |
| Enterprise | T1060 | Registry Run Keys / Startup Folder | Darkhotel has been known to establish persistence by adding programs to the Run Registry key.[1] |
| Enterprise | T1091 | Replication Through Removable Media | Darkhotel's selective infector modifies executables stored on removable media as a method of spreading across computers.[1] |
| Enterprise | T1064 | Scripting | Darkhotel has dropped an mspaint.lnk shortcut to disk which launches a shell script that downloads and executes a file.[2] |
| Enterprise | T1063 | Security Software Discovery | Darkhotel has searched for anti-malware strings and anti-virus processes running on the system.[2] |
| Enterprise | T1023 | Shortcut Modification | Darkhotel has dropped an mspaint.lnk shortcut to disk which launches a shell script that downloads and executes a file.[2] |
| Enterprise | T1193 | Spearphishing Attachment | Darkhotel has sent spearphishing emails with malicious RAR attachments.[2] |
| Enterprise | T1082 | System Information Discovery | Darkhotel has collected the hostname, OS version, service pack version, and the processor architecture from the victim's machine.[2] |
| Enterprise | T1016 | System Network Configuration Discovery | Darkhotel has collected the IP address and network adapter information from the victim's machine.[2] |
| Enterprise | T1080 | Taint Shared Content | Darkhotel used a virus that propagates by infecting executables stored on shared drives.[1] |
| Enterprise | T1204 | User Execution | Darkhotel sent spearphishing emails with malicious attachments that required users to click on an image in the document to drop the malware to disk.[2] |

References