A fresh wave of suspected malicious activity carried out by the advanced persistent threat (APT) group DarkHotel was recently disclosed by cybercrime researchers.

Experts John Fokker and Thibault Seret of Trellix stated that the insidious campaign has been specifically targeting luxury brand hotels around the Chinese region of Macao since November last year. Based on technical clues uncovered in the attack vector and the type of malware employed, the research team believe that DarkHotel is behind the activity.

An APT group from South Korea

Active since around 2007, DarkHotel operates out of South Korea and relies on heavily targeted spear-phishing attacks as its standard approach. Since its inception it has made a name for itself by seeking out targets in a wide range of sectors and industries, including pharmaceutical, automotive, government, and hospitality. Its tailored attacks are aimed at industry and business leaders and tend to focus on data theft and unlawful surveillance.

Threat operators like DarkHotel who are seeking out high-value victims like executives and CEOs often target high-end destinations in the hospitality sector they frequent. According to the research team at Trellix, some of Macao’s biggest hotels, like Wynn Palace and the Grand Coloane Resort, are among the group’s victims.

This latest campaign from DarkHotel originated with a phishing email sent to management employees at luxury hotels, crafted to appear as if it came from the “Macao Government Tourism Office”. The emails landed in the inboxes of HR and front office staff, the employees most likely to hold privileged access to hotel booking systems.

The spear-phishing emails carried a lure in the form of an Excel spreadsheet asking the recipient to complete a form as part of a guest inquiry. When the recipient enabled the document’s malicious macros, they triggered the download of the malware and then its execution.

Identifying DarkHotel’s methods

After peeling back multiple layers of obfuscation, the researchers at Trellix uncovered a complex malware routine. It was designed to create a scheduled task for persistence and to launch PowerShell and Visual Basic scripts (VBS). Through these it established a connection to a dedicated, hard-coded C2 server that imitated a legitimate service currently owned by the Federated States of Micronesia.
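The chain described above (a macro host spawning a script host or schtasks, and a scheduled task whose action runs PowerShell or a VBS file) is something a defender can look for in process-creation telemetry. The detector below is an added example, not code from the Trellix report; the three events are constructed Sysmon-style records, and the rule names and the user-writable-directory heuristic are my own assumptions.

```python
import re

# Constructed Sysmon Event ID 1 style records (ParentImage/Image/CommandLine are real Sysmon fields);
# the paths and task name are made up for illustration, not indicators from the report.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /sc minute /mo 30 /tn "Update" /tr "wscript.exe C:\Users\hr\AppData\Roaming\u.vbs"'},
    {"ParentImage": r"C:\Windows\System32\svchost.exe",   # Task Scheduler service host
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -w hidden -ep bypass -f C:\Users\hr\AppData\Roaming\s.ps1"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe"},
]

OFFICE = ("excel.exe", "winword.exe", "powerpnt.exe")
SCRIPT_HOSTS = ("powershell.exe", "wscript.exe", "cscript.exe", "cmd.exe", "mshta.exe")
SCRIPT_RE = re.compile(r"(powershell|wscript|cscript|\.vbs\b|\.ps1\b)", re.IGNORECASE)
USER_DIR_RE = re.compile(r"\\AppData\\|\\Temp\\", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> list:
    """Return the names of every rule the event matches (empty list if nothing fired)."""
    parent, image = basename(event["ParentImage"]), basename(event["Image"])
    cmd = event["CommandLine"]
    hits = []
    # Rule 1: the macro host (an Office process) spawning a script host or schtasks.
    if parent in OFFICE and (image in SCRIPT_HOSTS or image == "schtasks.exe"):
        hits.append("office_spawns_script_host")
    # Rule 2: a scheduled task being created whose action runs PowerShell or a VBS file.
    if image == "schtasks.exe" and "/create" in cmd.lower() and SCRIPT_RE.search(cmd):
        hits.append("schtask_script_persistence")
    # Rule 3 (heuristic): a script host launched by the Task Scheduler service (svchost.exe)
    # running a script out of a user-writable directory.
    if parent == "svchost.exe" and image in SCRIPT_HOSTS and USER_DIR_RE.search(cmd):
        hits.append("task_runs_script_from_user_dir")
    return hits


def scan(events: list) -> dict:
    """Map the index of each flagged event to the rules it matched."""
    return {i: classify(e) for i, e in enumerate(events) if classify(e)}
```

Running `scan(SAMPLE_EVENTS)` flags the first two constructed events and leaves the notepad launch alone.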

Trellix observed that the attack chain shared several similarities with another campaign launched in 2021, including the C2 infrastructure and IP address it used. The researchers commented:

“We suspect the group was trying to lay the foundation for a future campaign involving these specific hotels. After researching the event agenda for the targeted hotels, we did indeed find multiple conferences that would have been of interest to the threat actor. But even threat actors will get unlucky. Due to the rapid rise of COVID-19 in Macao and in China in general, most of the events were cancelled or postponed.”

The researchers at Trellix have now attributed the attacks to DarkHotel with what they describe as “moderate confidence”, based on known development patterns and the IP addresses in use, some of which have already been linked directly to the threat group.