DarkHotel APT group attacked Chinese hotels

Cybersecurity researchers from Trellix have reported a malicious campaign allegedly organized by the DarkHotel APT group. The campaign has been targeting expensive hotels in Macau (China) since November 2021.

DarkHotel is a South Korean APT that relies on targeted phishing attacks. The group has been actively breaking into the networks of enterprises in the hotel, government, automotive and pharmaceutical industries since at least 2007 and, as a rule, focuses on surveillance and data theft.

According to Trellix, major hotel chains in Macau, including Grand Coloane Resort and Wynn Palace, have become victims of the attacks. The DarkHotel campaign began with phishing emails sent to hotel employees, purportedly from the Macau State Tourism Administration. The emails carried a lure in the form of a Microsoft Excel file asking the recipient to fill out a guest-request form. Once the victim enabled the document's macros, the malware was downloaded and executed.

The malware creates scheduled tasks to ensure persistence and launches VBS and PowerShell scripts that establish a connection with the embedded command-and-control server. The server is disguised as a service allegedly belonging to the Federated States of Micronesia.
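The persistence mechanism described above is something a defender can hunt for directly: Windows Security event 4698 ("A scheduled task was created") embeds the task's XML definition, so the launch command can be checked for script hosts such as wscript.exe and powershell.exe. The following is an added example, not code from Trellix or from the article; the 4698 field names and the sample events are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Namespace used by Task Scheduler task definitions (what event 4698 embeds).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Launchers matching the VBS and PowerShell scripts the article describes,
# plus cscript as the console twin of wscript.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe"}

def exec_actions(task_xml):
    """Return (command, arguments) for every <Exec> action in a task definition."""
    root = ET.fromstring(task_xml)
    actions = []
    for ex in root.findall("t:Actions/t:Exec", NS):
        cmd = ex.findtext("t:Command", default="", namespaces=NS).strip()
        args = ex.findtext("t:Arguments", default="", namespaces=NS).strip()
        actions.append((cmd, args))
    return actions

def basename(path):
    """Last path component with surrounding quotes stripped, lower-cased."""
    return path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()

def flag_script_host_tasks(events):
    """events: dicts with 'task_name' and 'task_content' (assumed 4698 fields).
    Returns [(task_name, executable, arguments)] for tasks that run a script host."""
    hits = []
    for ev in events:
        for cmd, args in exec_actions(ev["task_content"]):
            if basename(cmd) in SCRIPT_HOSTS:
                hits.append((ev["task_name"], basename(cmd), args))
    return hits

def _task(cmd, args):
    """Build a minimal task definition for the constructed samples below."""
    return (f'<Task xmlns="{NS["t"]}"><Actions><Exec><Command>{cmd}</Command>'
            f'<Arguments>{args}</Arguments></Exec></Actions></Task>')

# Constructed sample 4698 events (not real telemetry): one benign Office task,
# two tasks that launch scripts from a world-writable location.
SAMPLE_EVENTS = [
    {"task_name": r"\Microsoft\Office\OfficeTelemetryAgentLogOn",
     "task_content": _task(r'"C:\Program Files\Microsoft Office\root\Office16\msoia.exe"', "scan upload")},
    {"task_name": r"\Updater",
     "task_content": _task(r"C:\Windows\System32\wscript.exe", r"//B C:\Users\Public\Libraries\update.vbs")},
    {"task_name": r"\Sync",
     "task_content": _task("powershell.exe", r"-WindowStyle Hidden -File C:\Users\Public\sync.ps1")},
]

if __name__ == "__main__":
    for name, exe, args in flag_script_host_tasks(SAMPLE_EVENTS):
        print(f"[!] {name}: {exe} {args}")
```

In production the task XML would come from the event's task-content field exported from the Security log or a SIEM, and the benign-task list would need an allowlist for legitimate administrative scripts.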

Trellix linked the attacks to DarkHotel based on IP addresses already associated with the group and "known development patterns" observed on the malware's command-and-control server.