Skip to content

G0012 Darkhotel

Darkhotel is a suspected South Korean threat group that has targeted victims primarily in East Asia since at least 2004. The group’s name is based on cyber espionage operations conducted via hotel Internet networks against traveling executives and other select guests. Darkhotel has also conducted spearphishing campaigns and infected victims through peer-to-peer and file sharing networks.213

Item Value
ID G0012
Associated Names DUBNIUM
Version 2.1
Created 31 May 2017
Last Modified 19 October 2022
Navigation Layer View In ATT&CK® Navigator

Associated Group Descriptions

Name Description
DUBNIUM 3654

Techniques Used

Domain ID Name Use
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder Darkhotel has been known to establish persistence by adding programs to the Run Registry key.2
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.003 Windows Command Shell Darkhotel has dropped an mspaint.lnk shortcut to disk which launches a shell script that downloads and executes a file.1
enterprise T1140 Deobfuscate/Decode Files or Information Darkhotel has decrypted strings and imports using RC4 during execution.14
enterprise T1189 Drive-by Compromise Darkhotel used embedded iframes on hotel login portals to redirect selected victims to download malware.2
enterprise T1573 Encrypted Channel -
enterprise T1573.001 Symmetric Cryptography Darkhotel has used AES-256 and 3DES for C2 communications.4
enterprise T1203 Exploitation for Client Execution Darkhotel has exploited Adobe Flash vulnerability CVE-2015-8651 for execution.6
enterprise T1083 File and Directory Discovery Darkhotel has used malware that searched for files with specific patterns.4
enterprise T1105 Ingress Tool Transfer Darkhotel has used first-stage payloads that download additional malware from C2 servers.6
enterprise T1056 Input Capture -
enterprise T1056.001 Keylogging Darkhotel has used a keylogger.2
enterprise T1036 Masquerading -
enterprise T1036.005 Match Legitimate Name or Location Darkhotel has used malware that is disguised as a Secure Shell (SSH) tool.6
enterprise T1027 Obfuscated Files or Information Darkhotel has obfuscated code using RC4, XOR, and RSA.14
enterprise T1566 Phishing -
enterprise T1566.001 Spearphishing Attachment Darkhotel has sent spearphishing emails with malicious RAR and .LNK attachments.14
enterprise T1057 Process Discovery Darkhotel malware can collect a list of running processes on a system.1
enterprise T1091 Replication Through Removable Media Darkhotel‘s selective infector modifies executables stored on removable media as a method of spreading across computers.2
enterprise T1518 Software Discovery -
enterprise T1518.001 Security Software Discovery Darkhotel has searched for anti-malware strings and anti-virus processes running on the system.16
enterprise T1553 Subvert Trust Controls -
enterprise T1553.002 Code Signing Darkhotel has used code-signing certificates on its malware that are either forged due to weak keys or stolen. Darkhotel has also stolen certificates and signed backdoors and downloaders with them.21
enterprise T1082 System Information Discovery Darkhotel has collected the hostname, OS version, service pack version, and the processor architecture from the victim’s machine.14
enterprise T1016 System Network Configuration Discovery Darkhotel has collected the IP address and network adapter information from the victim’s machine.14
enterprise T1124 System Time Discovery Darkhotel malware can obtain system time from a compromised host.7
enterprise T1080 Taint Shared Content Darkhotel used a virus that propagates by infecting executables stored on shared drives.2
enterprise T1204 User Execution -
enterprise T1204.002 Malicious File Darkhotel has sent spearphishing emails in an attempt to lure users into clicking on a malicious attachments.14
enterprise T1497 Virtualization/Sandbox Evasion Darkhotel malware has employed just-in-time decryption of strings to evade sandbox detection.7
enterprise T1497.001 System Checks Darkhotel malware has used a series of checks to determine if it’s being analyzed; checks include the length of executable names, if a filename ends with .Md5.exe, and if the program is executed from the root of the C:\ drive, as well as checks for sandbox-related libraries.76
enterprise T1497.002 User Activity Based Checks Darkhotel has used malware that repeatedly checks the mouse cursor position to determine if a real user is on the system.7

References