Following the public leak of files belonging to Hacking Team – the company known for selling “legal spyware” to some governments and law enforcement agencies – a number of cyberespionage groups have started using, for their own malicious purposes, the tools Hacking Team provided to its customers to carry out attacks.
This includes several exploits targeting Adobe Flash Player and Windows OS. At least one of these has been re-purposed by the powerful cyberespionage actor, “Darkhotel”.
Kaspersky Lab has discovered that “Darkhotel”, an elite spying crew uncovered by its experts in 2014 and famous for infiltrating Wi-Fi networks in luxury hotels to compromise selected corporate executives, has been using a zero-day vulnerability from Hacking Team’s collection since the beginning of July, straight after the notorious leak of Hacking Team files on July 5th.
Not known to have been a client of Hacking Team, the Darkhotel group appears to have grabbed the files once they became publicly available.
This is not the group’s only zero-day: Kaspersky Lab estimates that over the past few years it may have gone through half a dozen or more zero-days targeting Adobe Flash Player, apparently investing significant money in supplementing its arsenal.
In 2015, the Darkhotel group extended its geographical reach around the world while continuing to spearphish targets in North and South Korea, Russia, Japan, Bangladesh, Thailand, India, Mozambique and Germany.
Kaspersky Lab’s security researchers have registered new techniques and activities from Darkhotel, a known advanced persistent threat (APT) actor that has been active for almost eight years.
In attacks dated 2014 and earlier, the group misused stolen code-signing certificates and employed unusual methods like compromising hotel Wi-Fi to place spying tools on targets’ systems.
“Darkhotel has returned with yet another Adobe Flash Player exploit hosted on a compromised website, and this time it appears to have been driven by the Hacking Team leak. The group has previously delivered a different Flash exploit on the same website, which we reported as a zero-day to Adobe in January 2014,” said Kurt Baumgartner, Principal Security Researcher at Kaspersky Lab.
Since last year, the group has worked hard to enhance its defensive techniques, for example by expanding its anti-detection technology list. The 2015 version of the Darkhotel downloader is designed to identify anti-virus technologies from 27 vendors, with the intention of bypassing them.
Kaspersky Lab products successfully detect and block new Darkhotel modules as Trojan.Win32.Darkhotel and Trojan-Dropper.Win32.Dapato.