G0012 Darkhotel
Darkhotel is a suspected South Korean threat group that has targeted victims primarily in East Asia since at least 2004. The group’s name is based on cyber espionage operations conducted via hotel Internet networks against traveling executives and other select guests. Darkhotel has also conducted spearphishing campaigns and infected victims through peer-to-peer and file sharing networks.[2][1][3]
Item | Value |
---|---|
ID | G0012 |
Associated Names | DUBNIUM |
Version | 2.1 |
Created | 31 May 2017 |
Last Modified | 19 October 2022 |
Associated Group Descriptions
Name | Description |
---|---|
DUBNIUM | [3][6][5][4] |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1547 | Boot or Logon Autostart Execution | - |
enterprise | T1547.001 | Registry Run Keys / Startup Folder | Darkhotel has been known to establish persistence by adding programs to the Run Registry key.[2] |
enterprise | T1059 | Command and Scripting Interpreter | - |
enterprise | T1059.003 | Windows Command Shell | Darkhotel has dropped an mspaint.lnk shortcut to disk which launches a shell script that downloads and executes a file.[1] |
enterprise | T1140 | Deobfuscate/Decode Files or Information | Darkhotel has decrypted strings and imports using RC4 during execution.[1][4] |
enterprise | T1189 | Drive-by Compromise | Darkhotel used embedded iframes on hotel login portals to redirect selected victims to download malware.[2] |
enterprise | T1573 | Encrypted Channel | - |
enterprise | T1573.001 | Symmetric Cryptography | Darkhotel has used AES-256 and 3DES for C2 communications.[4] |
enterprise | T1203 | Exploitation for Client Execution | Darkhotel has exploited Adobe Flash vulnerability CVE-2015-8651 for execution.[6] |
enterprise | T1083 | File and Directory Discovery | Darkhotel has used malware that searched for files with specific patterns.[4] |
enterprise | T1105 | Ingress Tool Transfer | Darkhotel has used first-stage payloads that download additional malware from C2 servers.[6] |
enterprise | T1056 | Input Capture | - |
enterprise | T1056.001 | Keylogging | Darkhotel has used a keylogger.[2] |
enterprise | T1036 | Masquerading | - |
enterprise | T1036.005 | Match Legitimate Name or Location | Darkhotel has used malware that is disguised as a Secure Shell (SSH) tool.[6] |
enterprise | T1027 | Obfuscated Files or Information | Darkhotel has obfuscated code using RC4, XOR, and RSA.[1][4] |
enterprise | T1566 | Phishing | - |
enterprise | T1566.001 | Spearphishing Attachment | Darkhotel has sent spearphishing emails with malicious RAR and .LNK attachments.[1][4] |
enterprise | T1057 | Process Discovery | Darkhotel malware can collect a list of running processes on a system.[1] |
enterprise | T1091 | Replication Through Removable Media | Darkhotel's selective infector modifies executables stored on removable media as a method of spreading across computers.[2] |
enterprise | T1518 | Software Discovery | - |
enterprise | T1518.001 | Security Software Discovery | Darkhotel has searched for anti-malware strings and anti-virus processes running on the system.[1][6] |
enterprise | T1553 | Subvert Trust Controls | - |
enterprise | T1553.002 | Code Signing | Darkhotel has used code-signing certificates on its malware that are either forged due to weak keys or stolen. Darkhotel has also stolen certificates and signed backdoors and downloaders with them.[2][1] |
enterprise | T1082 | System Information Discovery | Darkhotel has collected the hostname, OS version, service pack version, and the processor architecture from the victim’s machine.[1][4] |
enterprise | T1016 | System Network Configuration Discovery | Darkhotel has collected the IP address and network adapter information from the victim’s machine.[1][4] |
enterprise | T1124 | System Time Discovery | Darkhotel malware can obtain system time from a compromised host.[7] |
enterprise | T1080 | Taint Shared Content | Darkhotel used a virus that propagates by infecting executables stored on shared drives.[2] |
enterprise | T1204 | User Execution | - |
enterprise | T1204.002 | Malicious File | Darkhotel has sent spearphishing emails in an attempt to lure users into clicking on malicious attachments.[1][4] |
enterprise | T1497 | Virtualization/Sandbox Evasion | Darkhotel malware has employed just-in-time decryption of strings to evade sandbox detection.[7] |
enterprise | T1497.001 | System Checks | Darkhotel malware has used a series of checks to determine if it’s being analyzed; checks include the length of executable names, if a filename ends with .Md5.exe, and if the program is executed from the root of the C:\ drive, as well as checks for sandbox-related libraries.[7][6] |
enterprise | T1497.002 | User Activity Based Checks | Darkhotel has used malware that repeatedly checks the mouse cursor position to determine if a real user is on the system.[7] |
References
1. Kaspersky Lab’s Global Research & Analysis Team. (2015, August 10). Darkhotel’s attacks in 2015. Retrieved November 2, 2018.
2. Kaspersky Lab’s Global Research and Analysis Team. (2014, November). The Darkhotel APT: A Story of Unusual Hospitality. Retrieved November 12, 2014.
3. Microsoft. (2020, September 29). Microsoft Digital Defense Report FY20. Retrieved April 21, 2021.
4. Microsoft. (2016, July 14). Reverse engineering DUBNIUM – Stage 2 payload analysis. Retrieved March 31, 2021.
5. Microsoft. (2016, June 20). Reverse-engineering DUBNIUM’s Flash-targeting exploit. Retrieved March 31, 2021.
6. Microsoft. (2016, June 9). Reverse-engineering DUBNIUM. Retrieved March 31, 2021.
7. Arunpreet Singh, Clemens Kolbitsch. (2015, November 5). Defeating Darkhotel Just-In-Time Decryption. Retrieved April 15, 2021.