Hackers are targeting travelling corporate during their stays at luxury hotels through an espionage campaign known as "Darkhotel".
The campaign, which has been lurking for at least four years according to Kaspersky and is still active, is used for used for stealing sensitive data from selected corporate executives.
The group rarely hits the same target twice and performs operations with precision, obtaining all the valuable data they can from first contact, deleting traces of their work and melting into the background to await the next high profile individual.
The most recent travelling targets include top executives from the US and Asia doing business and investing in the APAC region; with chief executives, senior vice presidents, sales and marketing directors, and top research and development staff targeted. Kaspersky Lab principal security researcher, Kurt Baumgartner, said, for the past few years, a strong actor named Darkhotel had performed a number of successful attacks against high-profile individuals, employing methods and techniques that went well beyond typical cybercriminal behavior.
"This threat actor has operational competence, mathematical and crypto-analytical offensive capabilities, and other resources that are sufficient to abuse trusted commercial networks and target specific victim categories with strategic precision," he said.
The Darkhotel actor maintains an effective intrusion set on hotel networks, providing ample access over the years to systems that were believed to be private and secure.
The attackers wait until after check-in when the victim connects to the hotel wi-fi network, submitting their room number and surname at login.
Once the user is in the compromised network, embedded iframes located within the login portals of the hotels are used to prompt them to download and install a backdoor that poses as one of several major software releases, including Google Toolbar, Adobe Flash and Windows Messenger. The unsuspecting executive downloads this hotel 'welcome package', only to infect his machine with a backdoor - Darkhotel's spying software. Once on a system, the backdoor is used to further download more advanced stealing tools: a digitally-signed advanced keylogger, the Trojan 'Karba' and an information-stealing module.
These tools collect data about the system and the anti-malware software installed on it, stealing all keystrokes, and hunting for private information, including cached passwords and login credentials.
Victims are targeted for sensitive information and confidential data - likely the intellectual property of the business entities they represent.
After the operation, the attackers carefully delete their tools from the hotel network and go back into hiding. This campaign is unusual in that its malicious activity can be indiscriminate in its spread of malware.
Alongside its highly targeted attacks, the attackers use spear-phishing e-mails deploying zero-day exploits to infiltrate organisations from different sectors.
Sign up for Computerworld eNewsletters.