Hackers Are Attacking Hotel Wi-Fi with a Particularly Evil Malware
An advanced hacking and cyberespionage campaign against high-value targets has returned.
The group, known as 'DarkHotel', has been active for more than a decade, and its signature is targeting business travelers with malware delivered over the Wi-Fi in luxury hotels all over the world.
Hotel Wi-Fi hotspots were compromised in order to deliver the payload to a selected group of victims. The exact method of compromise remains unclear, but cybersecurity experts believe it involves the attackers either remotely exploiting vulnerabilities in server software or infiltrating the hotel to gain physical access to the machines.
Once that is done, the hackers use a chain of social engineering tricks and phishing to infect the targeted computers.
The new malware is called Inexsmar, and the attack starts just like several other phishing schemes: with an email. However, the email is individually designed so that it looks convincing and interesting to the target. Bgr.com, in a post on July 23rd, 2017, stated that it is not like a regular bulk phishing attack.
Bogdan Botezatu, senior e-threat analyst at Bitdefender, told ZDNet that the social engineering part of the attack involves a very carefully designed phishing email targeted at one person at a time.
Researchers remain unsure about who is being targeted by this campaign, and the malware sample does not reveal any clues about this. However, the nature of the phishing emails points towards political and government targets.
In the email, winword.exe is a self-extracting archive package which, once executed, starts the process of downloading the Trojan. To keep the victim from becoming suspicious, the downloader opens a decoy Word document named 'Pyongyang Directory Group email SEPTEMBER 2016 RC_Office_Coordination_Associate.docx'.
To avoid detection, the malware is downloaded in stages, which is another element of the campaign that links it to DarkHotel. The first-stage downloader even hides its malicious code and strings inside an otherwise genuine OpenSSL binary by statically linking the malicious code to otherwise unrelated library code.
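For defenders, the attachment described above that poses as winword.exe suggests a simple endpoint check: flag any process image named winword.exe that runs from outside the Office install directory. The following is an added example, not code from the article or from the researchers it cites; the trusted install roots, the event field names and the sample records are assumptions constructed for illustration.

```python
import ntpath

# Assumption: default Office install roots; adjust to the local software baseline.
TRUSTED_OFFICE_ROOTS = (
    r"C:\Program Files\Microsoft Office",
    r"C:\Program Files (x86)\Microsoft Office",
)


def _norm(path):
    # Collapse "..", unify separators and fold case (Windows paths are case-insensitive).
    return ntpath.normcase(ntpath.normpath(path))


def is_masquerading_winword(image_path):
    """True when an image is named winword.exe but lives outside the trusted Office roots."""
    image = _norm(image_path)
    if ntpath.basename(image) != "winword.exe":
        return False
    return not any(image.startswith(_norm(root) + "\\") for root in TRUSTED_OFFICE_ROOTS)


def triage(events):
    """Return the process-creation events whose image masquerades as Word."""
    return [e for e in events if is_masquerading_winword(e["image"])]


# Constructed process-creation records (field names are hypothetical, not tied to any EDR).
SAMPLE_EVENTS = [
    {"host": "ws-01", "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"host": "ws-02", "image": r"C:\Users\alice\AppData\Local\Temp\winword.exe"},
    # Path traversal that starts under a trusted root but resolves to a user folder.
    {"host": "ws-03", "image": r"C:\Program Files\Microsoft Office\..\..\Users\bob\Downloads\WinWord.exe"},
    {"host": "ws-04", "image": r"C:\Windows\System32\notepad.exe"},
]

if __name__ == "__main__":
    for event in triage(SAMPLE_EVENTS):
        print("suspicious:", event["host"], event["image"])
```

A name-and-path check like this only catches the masquerade itself; it says nothing about the later download stages, which need their own network and file telemetry.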
The DarkHotel group has covered its tracks so well that researchers have no idea about its members' identities or actual intentions. In view of the complexity of the attacks, the researchers cannot ignore the possibility that this hack is state-sponsored.
» SPAMfighter News - 27-07-2017