DarkHotel Malware

November 25, 2014 CyberCecurity

Wired reported on an interesting (yes, I know I am strange, to think that malware attacks are interesting, but they are!) malware attack.

The malware, known as DarkHotel, pops up a message alerting the user to a software update as soon as they connect to the hotel’s WiFi.

Of course, the update is not a legitimate update, but rather a piece of malware that the attackers are getting you to install for them. Thank you for helping out.

Reports by Kaspersky Labs, the Russian anti virus vendor say that they have seen the attacks at five star hotels and they seem to be targeted at business travelers and sometimes specific travelers.

Kaspersky said that the attackers have been active for at least seven years.

According to Wired, the attackers use zero day exploits and a kernel mode keystroke logger – not simple to do. In addition, the code is signed. It appears that the attackers reverse engineered the certificates of several certificate authorities. The combination of all of this tends to indicate that these attacks are either state sponsored or state sanctioned.

According to Kaspersky, the attackers show up at the hotel a couple of days before the target arrives, loads the malware on the hotel servers (after hacking them) and then removes the malware from the hotel servers when the target leaves.

Kaspersky counter attacked a few (26) of the attackers servers in October gaining access to the logs of the attackers, at which point the attackers did an emergency shut down of close to 200 of their command and control servers.

For more details, read the Wired article linked above.

More importantly, this attack vector could be recreated pretty simply in a less sophisticated implementation.

I recommend that you should never load a patch or update while connected to a public WiFi network – especially if it is a place you frequent or that people would know, in advance, that you are going to be there on a particular day or time.