Darkhotel Malware Utilizes Poorly-Protected Hotel WiFi To Target High-Level Executives

Media Division | November 14, 2014

High-level business executives travelling in Asia-Pacific and other places are being targeted by a malware called Darkhotel.

This malware targets travelling businessmen in luxury hotels through poorly-protected WiFi networks.

According to security experts at Kaspersky Lab, Darkhotel APT attacks began four years ago, and are devious as they are executed with careful planning.

The attackers appear to know in advance when an executive will check in and check out of a hotel. Victims are targeted through different methods, like bogus software updates for trusted software such as Google Toolbar and Adobe Flash. Executives are presented with these updates when they use the hotel’s WiFi.

In most cases, the malware code in the attack is signed with a trusted digital certificate that attackers cloned by factoring the 512-bit private key, which means it has advanced capability. Kaspersky Lab researchers even went to the affected hotels to investigate the malware further, but were unable to attract the malware during their presence, which suggests that it targets the victims selectively. A great deal of information must be known beforehand about targets for successful exploits.

“The fact that most of the time the victims are top executives indicates the attackers have knowledge of their victims whereabouts, including name and place of stay,” said the researchers in a report. “This paints a dark, dangerous web in which unsuspecting travelers can easily fall. While the exact reason why some hotels function as an attacker vector are unknown, certain suspicions exist, indicating possibly a much larger compromise. We are still investigating this aspect of the operation and will publish more information in the future.”

The malware was originally detected in 2007, but spiked in August 2010 and has seen an upward trend since then. Two-thirds of the attacks have occurred in Japan, with hotels in Russia, China, Germany, the United States, and Taiwan also being victims.

Detailed working of the malware

After the malware is installed on a victim’s computer, it steals the keystrokes entered, with the aim of accessing intellectual property of the user’s company. Most of the targeted users include chief executives, R&D staff, sales and marketing directors, and senior vice presidents conducting businesses in the Asia-Pacific region.

The attacks are performed with a lot of precision and the hackers don’t target a victim twice, and steal all the important data in the first instance. They also remove traces of the malicious activity and remain in the shadows until they target the next businessman.

In some cases, targets were infected through spearphishing messages instead of software updates, some of which include attack code exploiting unknown vulnerabilities in Internet Explorer, Flash and other similar software. Computers infected by Darkhotel malware will install keyloggers or other types of malware tailored to victims.

Such malware monitors communications, passwords and system information on a victim’s machine and periodically sends the data in encrypted form to servers owned/controlled by hackers. Luxury hotels are being used to target and infect CEOs and executives of top companies.

The malware also scrutinizes the machine for email and social network credentials, as well as more private information. As it stands, the security firm that reported the malware are working with organizations to mitigate the issue, but executives checking in luxury, private and semi-private hotels should view their WiFi networks as risky.

Safety measures to consider

Every execute checking into hotels and using WiFi should consider these measures:

• Inquire about software upgrades from the hotel management. Do they know about the update installer?
• Make sure a proactive defense solution like Massive’s Strixus and the latest antivirus software is installed on the computer
• Use a trusted VPN (Virtual Private Network) provider to use an encrypted communication channel when browsing the web via WiFi
• Do not open apps and software unless 100% sure they are by trusted software makers

Kaspersky Lab also recommends travelling executives to learn more about the Darkhotel malware.

Massive's Media Division publishes timely news and insights based on current events, trends, and actionable cross-industry expertise.