It sounds like something out of a horror movie. Maybe it will be.
But today it’s very real: A particularly insidious malware called Darkhotel is lurking.
Darkhotel targets business executives who stay in high-end hotels around the world. Bankers themselves must be aware of it, and should warn their commercial clients about it.
The threat has been researched by the Kaspersky Lab Global Research and Analysis Team, which says that the malware has been around for at least four years and continues as a threat.
Darkhotel hits its targets while they are staying in luxury hotels. The crew behind it never goes after the same target twice; they operate with surgical precision, obtaining all the valuable data they can from the first contact, deleting traces of their work, and fading into the background to await the next high-profile target.
The most recent travelling targets include top executives from the U.S. and Asia doing business and investing in East Asia: CEOs, senior vice-presidents, sales and marketing directors, and research and development staff.
How Darkhotel attacks: The Darkhotel actor maintains an effective intrusion method set on hotel networks, providing ample access over the years to systems that were believed to be private and secure.
The operators wait until after check-in, when the victim connects to the hotel wi-fi network, submitting his or her room number and surname to login. The attackers spot the victim in the compromised network and trick the person into downloading and installing a backdoor that pretends to be an update for legitimate software, such as Google Toolbar, Adobe Flash, or Windows Messenger.
The unsuspecting executive downloads this hotel “welcome package,” only to infect his or her machine with a backdoor for the Darkhotel spying software.
Once on a system, the backdoor has been and may be used to further download more advanced stealing tools: a digitally-signed advanced keylogger, the trojan Karba, and an information-stealing module. These tools collect data about the computer user’s system and the anti-malware software installed on it. They also steal all keystrokes and hunt for cached passwords in Firefox, Chrome, and Internet Explorer; login credentials for Gmail Notifier, Twitter, Facebook, Yahoo!, and Google; and other private information.
Victims lose sensitive information likely to be the intellectual property of the business entities they represent. After the operation, the attackers carefully delete their tools from the hotel network and go back into hiding.
“Darkhotel has performed a number of successful attacks against high-profile individuals, employing methods and techniques that go well beyond typical cybercriminal behavior,” says Kurt Baumgartner, principal security researcher at Kaspersky Lab. “This threat actor has operational competence, mathematical and crypto-analytical offensive capabilities, and other resources that are sufficient to abuse trusted commercial networks and target specific victim categories with strategic precision.”
However, the malicious activity of Darkhotel can be inconsistent: it is indiscriminate in its spread of malware alongside its highly targeted attacks.
How to outsmart Darkhotel
When traveling, any network, even semiprivate ones in hotels, should be viewed as potentially dangerous.
Kaspersky Lab adds the following tips:
• Choose a Virtual Private Network provider. You will get an encrypted communication channel when accessing public or semi-public wi-fi.
• When traveling, always regard software updates as suspicious. Confirm that the proposed update installer is signed by the appropriate vendor.
• Travel with a full arsenal. Make sure your internet security solution includes proactive defense against new threats, rather than just basic antivirus protection.