Traveling executives' worst nightmare: Darkhotel (and it's not a hotel)

A security firm has discovered malware that has been lurking in the dark corners of luxury hotels, targeting high-profile business individuals traveling to countries in Asia and the Pacific.

Moscow-based Kaspersky Lab reports that corporate executives who travel to certain countries in Asia have become the unknowing victims of malware called Darkhotel, a sophisticated threat that attackers have used to steal sensitive information from business executives without leaving any trace of the attack.

For some reason, Darkhotel is aware of when certain individuals log in to the affected hotel's Wi-Fi network. The malware does not target just anyone; it targets certain persons it considers important enough to attack.

Once these users log in to the hotel's network with their last name and hotel room number, Darkhotel gets to work in a variety of ways. One is by prompting the user to download malicious software disguised as an update for legitimate tools, such as Adobe Flash, Windows Messenger or Google Toolbar.

In other instances, the attackers run a spear-phishing campaign that uses malicious code embedded in Adobe Flash, Internet Explorer and other types of software to infect the user's system.

Once installed, the "welcome package" is used to download additional attacker tools, including an advanced keylogger that records the user's keystrokes and steals everything he types into the computer, including his passwords and private written communications.

The package also includes a Trojan and other malware that can be used to scour the user's web browser and hunt for cached passwords used in all the user's online accounts, including the corporate networks that he is connected to. When the attackers have collected all the information they want, they then delete all their tools and go back to lurk in the shadows.

"The fact that most of the time the victims are top executives indicates the attackers have knowledge of their victims' whereabouts, including name and place of stay," says Kaspersky in its detailed report on Darkhotel. "This paints a dark, dangerous web in which unsuspecting travelers can easily fall."

Kaspersky did not specify the individuals targeted by Darkhotel but says the malware has compromised the computer systems of top-ranking executives and important persons who belong to a wide variety of industries, including branches of the military, defense contractors, law enforcement agencies, large manufacturing firms, investment and private equity firms and non-governmental organizations.

For now, the security firm is unable to identify who is behind the attacks, noting that the malware is signed with cryptographic certificates that were illegally cloned. Digital certificates allow the malware to dupe the computer's malware protection program and penetrate the system without triggering warnings.

Kaspersky says an overwhelming majority of the attacks, which are still ongoing, are happening in luxury hotels located in Japan, China, Taiwan, South Korea and Russia, but Darkhotel has also been found to have infected a few unspecified hotel networks in other countries, including the United States, Mexico, Ireland, Belgium and Germany.

ⓒ 2024 TECHTIMES.com All rights reserved. Do not reproduce without permission.