Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Поиск
Вход Регистрация
MITRE ATT&CK - Преступная группа Darkhotel
Риски
Каталоги
MITRE ATT&CK
Преступная группа
Darkhotel
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

Darkhotel

Darkhotel is a suspected South Korean threat group that has targeted victims primarily in East Asia since at least 2004. The group's name is based on cyber espionage operations conducted via hotel Internet networks against traveling executives and other select guests. Darkhotel has also conducted spearphishing campaigns and infected victims through peer-to-peer and file sharing networks.(Citation: Kaspersky Darkhotel)(Citation: Securelist Darkhotel Aug 2015)(Citation: Microsoft Digital Defense FY20 Sept 2020)
ID: G0012
Associated Groups: Zigzag Hail, DUBNIUM
Version: 3.0
Created: 31 May 2017
Last Modified: 08 Jan 2024

Associated Group Descriptions
Name Description
Zigzag Hail (Citation: Microsoft Threat Actor Naming July 2023)
DUBNIUM (Citation: Microsoft Digital Defense FY20 Sept 2020)(Citation: Microsoft DUBNIUM June 2016)(Citation: Microsoft DUBNIUM Flash June 2016)(Citation: Microsoft DUBNIUM July 2016)

Techniques Used
Domain ID Name Use
Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Darkhotel has been known to establish persistence by adding programs to the Run Registry key.(Citation: Kaspersky Darkhotel)
.009 Boot or Logon Autostart Execution: Shortcut Modification

Darkhotel has dropped an mspaint.lnk shortcut to disk which launches a shell script that downloads and executes a file.(Citation: Securelist Darkhotel Aug 2015)

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Darkhotel has dropped an mspaint.lnk shortcut to disk which launches a shell script that downloads and executes a file.(Citation: Securelist Darkhotel Aug 2015)
Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

Darkhotel has used AES-256 and 3DES for C2 communications.(Citation: Microsoft DUBNIUM July 2016)
Enterprise T1056 .001 Input Capture: Keylogging

Darkhotel has used a keylogger.(Citation: Kaspersky Darkhotel)
Enterprise T1036 .005 Masquerading: Match Legitimate Resource Name or Location

Darkhotel has used malware that is disguised as a Secure Shell (SSH) tool.(Citation: Microsoft DUBNIUM June 2016)
Enterprise T1027 .013 Obfuscated Files or Information: Encrypted/Encoded File

Darkhotel has obfuscated code using RC4, XOR, and RSA.(Citation: Securelist Darkhotel Aug 2015)(Citation: Microsoft DUBNIUM July 2016)
Enterprise T1566 .001 Phishing: Spearphishing Attachment

Darkhotel has sent spearphishing emails with malicious RAR and .LNK attachments.(Citation: Securelist Darkhotel Aug 2015)(Citation: Microsoft DUBNIUM July 2016)
Enterprise T1518 .001 Software Discovery: Security Software Discovery

Darkhotel has searched for anti-malware strings and anti-virus processes running on the system.(Citation: Securelist Darkhotel Aug 2015)(Citation: Microsoft DUBNIUM June 2016)

Enterprise T1553 .002 Subvert Trust Controls: Code Signing

Darkhotel has used code-signing certificates on its malware that are either forged due to weak keys or stolen. Darkhotel has also stolen certificates and signed backdoors and downloaders with them.(Citation: Kaspersky Darkhotel)(Citation: Securelist Darkhotel Aug 2015)
Enterprise T1204 .002 User Execution: Malicious File

Darkhotel has sent spearphishing emails in an attempt to lure users into clicking on a malicious attachments.(Citation: Securelist Darkhotel Aug 2015)(Citation: Microsoft DUBNIUM July 2016)
Enterprise T1497 .001 Virtualization/Sandbox Evasion: System Checks

Darkhotel malware has used a series of checks to determine if it's being analyzed; checks include the length of executable names, if a filename ends with .Md5.exe, and if the program is executed from the root of the C:\ drive, as well as checks for sandbox-related libraries.(Citation: Lastline DarkHotel Just In Time Decryption Nov 2015)(Citation: Microsoft DUBNIUM June 2016)
.002 Virtualization/Sandbox Evasion: User Activity Based Checks

Darkhotel has used malware that repeatedly checks the mouse cursor position to determine if a real user is on the system.(Citation: Lastline DarkHotel Just In Time Decryption Nov 2015)

Software
ID Name References Techniques

References

  1. Kaspersky Lab's Global Research and Analysis Team. (2014, November). The Darkhotel APT A Story of Unusual Hospitality. Retrieved November 12, 2014.
  2. Arunpreet Singh, Clemens Kolbitsch. (2015, November 5). Defeating Darkhotel Just-In-Time Decryption. Retrieved April 15, 2021.
  3. Microsoft. (2016, June 20). Reverse-engineering DUBNIUM’s Flash-targeting exploit. Retrieved March 31, 2021.
  4. Microsoft. (2016, July 14). Reverse engineering DUBNIUM – Stage 2 payload analysis . Retrieved March 31, 2021.
  5. Microsoft. (2016, June 9). Reverse-engineering DUBNIUM. Retrieved March 31, 2021.
  6. Microsoft . (2020, September 29). Microsoft Digital Defense Report FY20. Retrieved April 21, 2021.
  7. Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.
  8. Kaspersky Lab's Global Research & Analysis Team. (2015, August 10). Darkhotel's attacks in 2015. Retrieved November 2, 2018.
Навигация

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.