Details of a malware campaign spanning the last seven years have been uncovered by researchers. Currently known as Darkhotel, the malware uses advanced cryptographic attacks, zero-day exploits, and knowledge of luxury hotel bookings to target high-ranking executives.

First brought to light by Kaspersky, Darkhotel has some dangerous implications for the ability of cybercriminals to isolate individual targets. The attackers appear to know in advance where executives will be staying, and set their carefully prepared traps on the hotel's internet connection. Both the WiFi and wired networks are booby-trapped to prompt specific executives to download and install bogus software updates for Adobe Flash, Google Toolbar, and other apparently legitimate applications.
Once the backdoor is installed, the malware downloads more advanced theft tools: a digitally signed advanced keylogger, the Trojan 'Karba', and an information-stealing module. Victims then have their passwords and other sensitive information, including work data, stolen from their computers. Once the attackers are satisfied with their haul, they delete their tools from the hotel network and vanish.
Most of the infections appear to be located in Japan, Taiwan, China, Russia and South Korea, although the targets appear to be executives from the US and Asia travelling into the APAC region on business. Kaspersky has identified a wide range of affected industries, from electronics manufacturing to non-governmental organisations.
Kaspersky has more information about Darkhotel on its security blog.