
Darkhotel

Darkhotel is a suspected South Korean threat group that has targeted victims primarily in East Asia since at least 2004. The group's name is based on cyber espionage operations conducted via hotel Internet networks against traveling executives and other select guests. Darkhotel has also conducted spearphishing campaigns and infected victims through peer-to-peer and file sharing networks.(Citation: Kaspersky Darkhotel)(Citation: Securelist Darkhotel Aug 2015)(Citation: Microsoft Digital Defense FY20 Sept 2020)
ID: G0012
Associated Groups: DUBNIUM, Zigzag Hail
Version: 3.0
Created: 31 May 2017
Last Modified: 08 Jan 2024

Associated Group Descriptions

Name Description
DUBNIUM (Citation: Microsoft Digital Defense FY20 Sept 2020)(Citation: Microsoft DUBNIUM June 2016)(Citation: Microsoft DUBNIUM Flash June 2016)(Citation: Microsoft DUBNIUM July 2016)
Zigzag Hail (Citation: Microsoft Threat Actor Naming July 2023)

Techniques Used

Domain ID Name Use
Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Darkhotel has been known to establish persistence by adding programs to the Run Registry key.(Citation: Kaspersky Darkhotel)

.009 Boot or Logon Autostart Execution: Shortcut Modification

Darkhotel has dropped an mspaint.lnk shortcut to disk which launches a shell script that downloads and executes a file.(Citation: Securelist Darkhotel Aug 2015)

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Darkhotel has dropped an mspaint.lnk shortcut to disk which launches a shell script that downloads and executes a file.(Citation: Securelist Darkhotel Aug 2015)
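The three behaviours described above (a Run key value for persistence, a .lnk dropped into a Startup folder, and a command shell launched from that shortcut) are easy to express as host-telemetry rules. The following is an added example, not code from the ATT&CK page or from any Darkhotel report; it runs a small triage function over constructed Sysmon-style events (event 13 registry value set, 11 file create, 1 process create), and every path, key and file name in the sample data is made up for illustration.

```python
"""Triage constructed Sysmon-style events for the Darkhotel behaviours
listed above: a value written under a Run key (T1547.001), a .lnk dropped
into a Startup folder (T1547.009) and a command shell spawned from that
shortcut with a script argument (T1059.003). All events are constructed."""
import re

# Registry Run / RunOnce keys under HKLM or any HKU hive.
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
# Per-user or all-users Startup folder receiving a shortcut file.
STARTUP_LNK = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.I)
# Script-like argument handed to cmd.exe.
SCRIPT_ARG = re.compile(r"\.(bat|cmd|vbs|js|ps1)\b", re.I)

SAMPLE_EVENTS = [  # constructed telemetry, not real Darkhotel artefacts
    {"id": 13, "image": r"C:\Users\guest\AppData\Local\Temp\upd.exe",
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"id": 11, "image": r"C:\Users\guest\AppData\Local\Temp\upd.exe",
     "target": r"C:\Users\guest\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mspaint.lnk"},
    {"id": 1, "image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'cmd.exe /c "C:\Users\guest\AppData\Local\Temp\update.bat"'},
    {"id": 1, "image": r"C:\Windows\System32\mspaint.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": "mspaint.exe"},  # benign: the real Paint, must not match
    {"id": 13, "image": r"C:\Program Files\Vendor\setup.exe",
     "target": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\Vendor\DisplayName"},
]


def triage(events):
    """Return (technique, image, detail) tuples for events matching a rule."""
    hits = []
    for e in events:
        if e["id"] == 13 and RUN_KEY.search(e["target"]):
            hits.append(("T1547.001", e["image"], e["target"]))
        elif e["id"] == 11 and STARTUP_LNK.search(e["target"]):
            hits.append(("T1547.009", e["image"], e["target"]))
        elif (e["id"] == 1 and e["image"].lower().endswith("\\cmd.exe")
              and e["parent"].lower().endswith("\\explorer.exe")
              and SCRIPT_ARG.search(e["cmdline"])):
            # explorer.exe is the parent when a Startup shortcut fires.
            hits.append(("T1059.003", e["image"], e["cmdline"]))
    return hits


if __name__ == "__main__":
    for technique, image, detail in triage(SAMPLE_EVENTS):
        print(technique, image, detail)
```

The cmd.exe rule fires on legitimate logon scripts too, so in production it should be correlated with the preceding Startup .lnk write from the same image rather than used on its own.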

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

Darkhotel has used AES-256 and 3DES for C2 communications.(Citation: Microsoft DUBNIUM July 2016)

Enterprise T1056 .001 Input Capture: Keylogging

Darkhotel has used a keylogger.(Citation: Kaspersky Darkhotel)

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

Darkhotel has used malware that is disguised as a Secure Shell (SSH) tool.(Citation: Microsoft DUBNIUM June 2016)

Enterprise T1027 .013 Obfuscated Files or Information: Encrypted/Encoded File

Darkhotel has obfuscated code using RC4, XOR, and RSA.(Citation: Securelist Darkhotel Aug 2015)(Citation: Microsoft DUBNIUM July 2016)

Enterprise T1566 .001 Phishing: Spearphishing Attachment

Darkhotel has sent spearphishing emails with malicious RAR and .LNK attachments.(Citation: Securelist Darkhotel Aug 2015)(Citation: Microsoft DUBNIUM July 2016)

Enterprise T1518 .001 Software Discovery: Security Software Discovery

Darkhotel has searched for anti-malware strings and anti-virus processes running on the system.(Citation: Securelist Darkhotel Aug 2015)(Citation: Microsoft DUBNIUM June 2016)

Enterprise T1553 .002 Subvert Trust Controls: Code Signing

Darkhotel has used code-signing certificates on its malware that are either forged due to weak keys or stolen. Darkhotel has also stolen certificates and signed backdoors and downloaders with them.(Citation: Kaspersky Darkhotel)(Citation: Securelist Darkhotel Aug 2015)

Enterprise T1204 .002 User Execution: Malicious File

Darkhotel has sent spearphishing emails in an attempt to lure users into clicking on a malicious attachment.(Citation: Securelist Darkhotel Aug 2015)(Citation: Microsoft DUBNIUM July 2016)

Enterprise T1497 .001 Virtualization/Sandbox Evasion: System Checks

Darkhotel malware has used a series of checks to determine if it's being analyzed; checks include the length of executable names, if a filename ends with .Md5.exe, and if the program is executed from the root of the C:\ drive, as well as checks for sandbox-related libraries.(Citation: Lastline DarkHotel Just In Time Decryption Nov 2015)(Citation: Microsoft DUBNIUM June 2016)

.002 Virtualization/Sandbox Evasion: User Activity Based Checks

Darkhotel has used malware that repeatedly checks the mouse cursor position to determine if a real user is on the system.(Citation: Lastline DarkHotel Just In Time Decryption Nov 2015)

