Darkhotel

Introduction

Darkhotel is a suspected South Korean threat group that has targeted victims primarily in East Asia since at least 2004. The group’s name is based on cyber espionage operations conducted via hotel Internet networks against traveling executives and other select guests. Darkhotel has also conducted spearphishing campaigns and infected victims through peer-to-peer and file sharing networks. Kaspersky Darkhotel Securelist Darkhotel Aug 2015 Microsoft Digital Defense FY20 Sept 2020

Activities and Tactics

Targeted Sectors: Private sector

Country of Origin: 🇰🇷 South Korea

Risk Level: High

First Seen: 2014

Last Activity: 2017

Incident Type: Espionage

Suspected Victims: Japan, Russia, Taiwan, South Korea, China

Notable Campaigns

• Daybreak?
• Fallout Team
• WizardOpium

Tactics, Techniques, and Procedures (TTPs)

• T1518.001 Security Software Discovery
• T1497.002 User Activity Based Checks
• T1027.013 Encrypted/Encoded File
• T1573.001 Symmetric Cryptography
• T1080 Taint Shared Content
• T1082 System Information Discovery
• T1056.001 Keylogging
• T1566.001 Spearphishing Attachment
• T1057 Process Discovery
• T1140 Deobfuscate/Decode Files or Information
• T1189 Drive-by Compromise
• T1091 Replication Through Removable Media
• T1497 Virtualization/Sandbox Evasion
• T1497.001 System Checks
• T1124 System Time Discovery
• T1553.002 Code Signing
• T1016 System Network Configuration Discovery
• T1083 File and Directory Discovery
• T1059.003 Windows Command Shell
• T1036.005 Match Legitimate Resource Name or Location
• T1105 Ingress Tool Transfer
• T1547.001 Registry Run Keys / Startup Folder
• T1203 Exploitation for Client Execution
• T1204.002 Malicious File

ATT&CK technique IDs (denormalized)

• T1016
• T1027.013
• T1036.005
• T1056.001
• T1057
• T1059.003
• T1080
• T1082
• T1083
• T1091
• T1105
• T1124
• T1140
• T1189
• T1203
• T1204.002
• T1497
• T1497.001
• T1497.002
• T1518.001
• T1547.001
• T1553.002
• T1566.001
• T1573.001

Notable Indicators of Compromise (IOCs)

No atomic indicators are listed in this profile. The APTnotes snapshot indexes 7 public reports that may contain IOCs; see Source Attribution for dataset links.

Malware and Tools

• Inexsmar:
• Higaisa:
• Win32.Karba:
• Win32.Pioneer:
• CVE-2015-8651:
• Asruex:
• CVE-2012-0158:
• CVE-2010-2883:
• CVE-2016-4171 and CVE-2018-817:

Attribution and Evidence

Country of Origin: South Korea Additional attribution information pending cataloguing.

References

[1] mitre-attack [5] Securelist Darkhotel Aug 2015 Kaspersky Lab’s Global Research & Analysis Team. (2015, August 10). Darkhotel’s attacks in 2015. Retrieved November 2, 2018. [6] Kaspersky Darkhotel Kaspersky Lab’s Global Research and Analysis Team. (2014, November). The Darkhotel APT A Story of Unusual Hospitality. Retrieved November 12, 2014. [7] Microsoft Digital Defense FY20 Sept 2020 Microsoft . (2020, September 29). Microsoft Digital Defense Report FY20. Retrieved April 21, 2021. [8] Microsoft Threat Actor Naming July 2023 Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023. [9] Microsoft DUBNIUM July 2016 Microsoft. (2016, July 14). Reverse engineering DUBNIUM – Stage 2 payload analysis . Retrieved March 31, 2021. [10] Microsoft DUBNIUM Flash June 2016 Microsoft. (2016, June 20). Reverse-engineering DUBNIUM’s Flash-targeting exploit. Retrieved March 31, 2021. [11] Microsoft DUBNIUM June 2016 Microsoft. (2016, June 9). Reverse-engineering DUBNIUM. Retrieved March 31, 2021.