Darkhotel
Associated Group Descriptions

| Name | Description |
|---|---|
| Zigzag Hail | (Citation: Microsoft Threat Actor Naming July 2023) |
| DUBNIUM | (Citation: Microsoft Digital Defense FY20 Sept 2020)(Citation: Microsoft DUBNIUM June 2016)(Citation: Microsoft DUBNIUM Flash June 2016)(Citation: Microsoft DUBNIUM July 2016) |
Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Darkhotel has been known to establish persistence by adding programs to the Run Registry key.(Citation: Kaspersky Darkhotel) |
| Enterprise | T1547.009 | Boot or Logon Autostart Execution: Shortcut Modification | Darkhotel has dropped an mspaint.lnk shortcut to disk which launches a shell script that downloads and executes a file.(Citation: Securelist Darkhotel Aug 2015) |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Darkhotel has dropped an mspaint.lnk shortcut to disk which launches a shell script that downloads and executes a file.(Citation: Securelist Darkhotel Aug 2015) |
| Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | Darkhotel has used AES-256 and 3DES for C2 communications.(Citation: Microsoft DUBNIUM July 2016) |
| Enterprise | T1056.001 | Input Capture: Keylogging | Darkhotel has used a keylogger.(Citation: Kaspersky Darkhotel) |
| Enterprise | T1036.005 | Masquerading: Match Legitimate Resource Name or Location | Darkhotel has used malware that is disguised as a Secure Shell (SSH) tool.(Citation: Microsoft DUBNIUM June 2016) |
| Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | Darkhotel has obfuscated code using RC4, XOR, and RSA.(Citation: Securelist Darkhotel Aug 2015)(Citation: Microsoft DUBNIUM July 2016) |
| Enterprise | T1566.001 | Phishing: Spearphishing Attachment | Darkhotel has sent spearphishing emails with malicious RAR and .LNK attachments.(Citation: Securelist Darkhotel Aug 2015)(Citation: Microsoft DUBNIUM July 2016) |
| Enterprise | T1518.001 | Software Discovery: Security Software Discovery | Darkhotel has searched for anti-malware strings and anti-virus processes running on the system.(Citation: Securelist Darkhotel Aug 2015)(Citation: Microsoft DUBNIUM June 2016) |
| Enterprise | T1553.002 | Subvert Trust Controls: Code Signing | Darkhotel has used code-signing certificates on its malware that are either forged due to weak keys or stolen. Darkhotel has also stolen certificates and signed backdoors and downloaders with them.(Citation: Kaspersky Darkhotel)(Citation: Securelist Darkhotel Aug 2015) |
| Enterprise | T1204.002 | User Execution: Malicious File | Darkhotel has sent spearphishing emails in an attempt to lure users into clicking on a malicious attachment.(Citation: Securelist Darkhotel Aug 2015)(Citation: Microsoft DUBNIUM July 2016) |
| Enterprise | T1497.001 | Virtualization/Sandbox Evasion: System Checks | Darkhotel malware has used a series of checks to determine if it's being analyzed; checks include the length of executable names, if a filename ends with |
| Enterprise | T1497.002 | Virtualization/Sandbox Evasion: User Activity Based Checks | Darkhotel has used malware that repeatedly checks the mouse cursor position to determine if a real user is on the system.(Citation: Lastline DarkHotel Just In Time Decryption Nov 2015) |
References
- Kaspersky Lab's Global Research and Analysis Team. (2014, November). The Darkhotel APT: A Story of Unusual Hospitality. Retrieved November 12, 2014.
- Arunpreet Singh, Clemens Kolbitsch. (2015, November 5). Defeating Darkhotel Just-In-Time Decryption. Retrieved April 15, 2021.
- Microsoft. (2016, June 20). Reverse-engineering DUBNIUM's Flash-targeting exploit. Retrieved March 31, 2021.
- Microsoft. (2016, July 14). Reverse engineering DUBNIUM: Stage 2 payload analysis. Retrieved March 31, 2021.
- Microsoft. (2016, June 9). Reverse-engineering DUBNIUM. Retrieved March 31, 2021.
- Microsoft. (2020, September 29). Microsoft Digital Defense Report FY20. Retrieved April 21, 2021.
- Microsoft. (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.
- Kaspersky Lab's Global Research & Analysis Team. (2015, August 10). Darkhotel's attacks in 2015. Retrieved November 2, 2018.