Darkhotel
Darkhotel is a threat group that has been active since at least 2004. The group has conducted activity on hotel and business center Wi‑Fi and physical connections as well as peer-to-peer and file sharing networks. The actors have also conducted spearphishing. [1]
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1547 | .009 | Boot or Logon Autostart Execution: Shortcut Modification |
Darkhotel has dropped an mspaint.lnk shortcut to disk which launches a shell script that downloads and executes a file.[2] |
| .001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
Darkhotel has been known to establish persistence by adding programs to the Run Registry key.[1] |
||
| Enterprise | T1059 | .003 | Command and Scripting Interpreter: Windows Command Shell |
Darkhotel has dropped an mspaint.lnk shortcut to disk which launches a shell script that downloads and executes a file.[2] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information |
Darkhotel has decrypted strings and imports using RC4 during execution.[2] |
|
| Enterprise | T1189 | Drive-by Compromise |
Darkhotel used embedded iframes on hotel login portals to redirect selected victims to download malware.[1] |
|
| Enterprise | T1056 | .001 | Input Capture: Keylogging | |
| Enterprise | T1027 | Obfuscated Files or Information |
Darkhotel has obfuscated code used in an operation using RC4 and other methods.[2] |
|
| Enterprise | T1566 | .001 | Phishing: Spearphishing Attachment |
Darkhotel has sent spearphishing emails with malicious RAR attachments.[2] |
| Enterprise | T1057 | Process Discovery |
Darkhotel has searched for anti-malware strings and anti-virus processes running on the system.[2] |
|
| Enterprise | T1091 | Replication Through Removable Media |
Darkhotel's selective infector modifies executables stored on removable media as a method of spreading across computers.[1] |
|
| Enterprise | T1518 | .001 | Software Discovery: Security Software Discovery |
Darkhotel has searched for anti-malware strings and anti-virus processes running on the system.[2] |
| Enterprise | T1553 | .002 | Subvert Trust Controls: Code Signing |
Darkhotel has used code-signing certificates on its malware that are either forged due to weak keys or stolen. Darkhotel has also stolen certificates and signed backdoors and downloaders with them.[1][2] |
| Enterprise | T1082 | System Information Discovery |
Darkhotel has collected the hostname, OS version, service pack version, and the processor architecture from the victim’s machine.[2] |
|
| Enterprise | T1016 | System Network Configuration Discovery |
Darkhotel has collected the IP address and network adapter information from the victim’s machine.[2] |
|
| Enterprise | T1080 | Taint Shared Content |
Darkhotel used a virus that propagates by infecting executables stored on shared drives.[1] |
|
| Enterprise | T1204 | .002 | User Execution: Malicious File |
Darkhotel sent spearphishing emails with malicious attachments that required users to click on an image in the document to drop the malware to disk.[2] |