Hackers are using a sophisticated form of malware to target business executives visiting luxury hotels in Asia.
Two primary DarkHotel attack methods have been observed so far, according to Kaspersky Lab. The first involves spearphishing executives with bogus software-update alerts. These messages, which impersonate trusted software such as Adobe Flash, Google Toolbar, and Windows Messenger, pop up once the executives connect to a hotel’s public Wi-Fi network.
The hackers are also using a 0-day vulnerability in Adobe Flash to execute code on the targets’ computers, which leads some security experts to believe that those responsible for the APT may be state-sponsored.
To investigate the malware further, Kaspersky Lab researchers went to those luxury hotels known to be previous sites of infection. While there, they were unable to attract the malware, which suggests DarkHotel targets its victims selectively.
For each target to be exploited successfully, a great deal of information must be known about the intended victim beforehand.
“The fact that most of the time the victims are top executives indicates the attackers have knowledge of their victims’ whereabouts, including name and place of stay,” the researchers wrote in a report published Monday.
In addition to using hotel networks to spread DarkHotel, the hackers seeded P2P networks like BitTorrent with infected files and sent malicious emails to high-value targets, expanding their range to include Asian and American executives who work for defense firms, government agencies, NGOs, and nuclear energy plants.
DarkHotel has been around since 2007. However, it spiked in August 2010 and has continued up through this year.
Two-thirds of the infections have occurred in Japan, with hotels in Taiwan, Russia, China, Germany, and the United States also being affected.
To sign their malware, the hackers have been fraudulently duplicating and stealing weak code-signing certificates (MD5-signed, with 512-bit RSA keys), abusing the trust of at least 10 Certificate Authorities in the process. These certificates, all of which are now expired or revoked, suppress the warnings that would otherwise appear during the malware’s installation.
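A defender-side check for the certificate weaknesses described above, written as an added example that is not from Kaspersky’s report: it flags MD5 (and SHA-1) signatures, RSA keys under 2048 bits (an assumed policy threshold) and expiry on a Go `x509.Certificate`. The sample certificate object is constructed to mirror the report’s description, not parsed from a real DarkHotel signer; revocation status is not checked here because that requires CRL/OCSP data.

```go
package main

import (
	"crypto/rsa"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// Assumed policy threshold; 512-bit RSA is far below any acceptable size.
const minRSABits = 2048

// AssessSigningCert returns the reasons a signer certificate should not be
// trusted for code signing: broken or deprecated hash, undersized RSA key,
// or expiry. Revocation must be checked separately against CRL/OCSP data.
func AssessSigningCert(cert *x509.Certificate, now time.Time) []string {
	var findings []string
	switch cert.SignatureAlgorithm {
	case x509.MD2WithRSA, x509.MD5WithRSA:
		findings = append(findings, "signature uses a broken hash: "+cert.SignatureAlgorithm.String())
	case x509.SHA1WithRSA, x509.DSAWithSHA1, x509.ECDSAWithSHA1:
		findings = append(findings, "signature uses deprecated SHA-1")
	}
	if pub, ok := cert.PublicKey.(*rsa.PublicKey); ok {
		if bits := pub.N.BitLen(); bits < minRSABits {
			findings = append(findings, fmt.Sprintf("RSA key too small: %d bits", bits))
		}
	}
	if now.After(cert.NotAfter) {
		findings = append(findings, "certificate expired on "+cert.NotAfter.Format("2006-01-02"))
	}
	return findings
}

// AssessDER parses a DER-encoded certificate (for example one extracted from a
// signed binary's signature blob) and runs the same assessment on it.
func AssessDER(der []byte, now time.Time) ([]string, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return AssessSigningCert(cert, now), nil
}

// weakCert is a constructed stand-in mirroring the report's description
// (MD5 signature, 512-bit RSA key, expired). The modulus is just a 512-bit
// number, not a real key.
func weakCert() *x509.Certificate {
	n := new(big.Int).Lsh(big.NewInt(1), 511) // BitLen() == 512
	return &x509.Certificate{
		SignatureAlgorithm: x509.MD5WithRSA,
		PublicKey:          &rsa.PublicKey{N: n, E: 65537},
		NotAfter:           time.Date(2012, 1, 1, 0, 0, 0, 0, time.UTC),
	}
}

func main() {
	for _, f := range AssessSigningCert(weakCert(), time.Now()) {
		fmt.Println("REJECT:", f)
	}
}
```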
Kaspersky Lab recommends that anyone concerned about infection use a VPN while researchers try to learn more about the DarkHotel malware.