Darkhotel
Associated Group Descriptions |
|
| Name | Description |
|---|---|
| DUBNIUM | (Citation: Microsoft Digital Defense FY20 Sept 2020)(Citation: Microsoft DUBNIUM June 2016)(Citation: Microsoft DUBNIUM Flash June 2016)(Citation: Microsoft DUBNIUM July 2016) |
Techniques Used |
||||
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1547 | .001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
Darkhotel has been known to establish persistence by adding programs to the Run Registry key.(Citation: Kaspersky Darkhotel) |
| .009 | Boot or Logon Autostart Execution: Shortcut Modification |
Darkhotel has dropped an mspaint.lnk shortcut to disk which launches a shell script that downloads and executes a file.(Citation: Securelist Darkhotel Aug 2015) |
||
| Enterprise | T1059 | .003 | Command and Scripting Interpreter: Windows Command Shell |
Darkhotel has dropped an mspaint.lnk shortcut to disk which launches a shell script that downloads and executes a file.(Citation: Securelist Darkhotel Aug 2015) |
| Enterprise | T1573 | .001 | Encrypted Channel: Symmetric Cryptography |
Darkhotel has used AES-256 and 3DES for C2 communications.(Citation: Microsoft DUBNIUM July 2016) |
| Enterprise | T1056 | .001 | Input Capture: Keylogging |
Darkhotel has used a keylogger.(Citation: Kaspersky Darkhotel) |
| Enterprise | T1036 | .005 | Masquerading: Match Legitimate Name or Location |
Darkhotel has used malware that is disguised as a Secure Shell (SSH) tool.(Citation: Microsoft DUBNIUM June 2016) |
| Enterprise | T1566 | .001 | Phishing: Spearphishing Attachment |
Darkhotel has sent spearphishing emails with malicious RAR and .LNK attachments.(Citation: Securelist Darkhotel Aug 2015)(Citation: Microsoft DUBNIUM July 2016) |
| Enterprise | T1518 | .001 | Software Discovery: Security Software Discovery |
Darkhotel has searched for anti-malware strings and anti-virus processes running on the system.(Citation: Securelist Darkhotel Aug 2015)(Citation: Microsoft DUBNIUM June 2016) |
| Enterprise | T1553 | .002 | Subvert Trust Controls: Code Signing |
Darkhotel has used code-signing certificates on its malware that are either forged due to weak keys or stolen. Darkhotel has also stolen certificates and signed backdoors and downloaders with them.(Citation: Kaspersky Darkhotel)(Citation: Securelist Darkhotel Aug 2015) |
| Enterprise | T1204 | .002 | User Execution: Malicious File |
Darkhotel has sent spearphishing emails in an attempt to lure users into clicking on a malicious attachments.(Citation: Securelist Darkhotel Aug 2015)(Citation: Microsoft DUBNIUM July 2016) |
| Enterprise | T1497 | .001 | Virtualization/Sandbox Evasion: System Checks |
Darkhotel malware has used a series of checks to determine if it's being analyzed; checks include the length of executable names, if a filename ends with |
| .002 | Virtualization/Sandbox Evasion: User Activity Based Checks |
Darkhotel has used malware that repeatedly checks the mouse cursor position to determine if a real user is on the system.(Citation: Lastline DarkHotel Just In Time Decryption Nov 2015) |
||
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.