New Malicious Networks Discovered in Dark Hotel Malware Campaign

November 17, 2014 • Rodrigo

Analysis Summary

  • Recorded Future discovered technical indicators that suggest malware used in the Dark Hotel campaign has been in the wild since 2009.
  • The Dark Hotel malware campaign has links to long-standing malicious networks. According to Recorded Future analysis, this includes the Bodis, LLC network.
  • Threat analysis and samples matching Dark Hotel hashes regularly occurred in 2012 and 2013.
  • Business travelers to the APAC region should continue to take precautions for data security and be alert to targeted attacks like spear phishing.

Overview

The latest in a series of high-profile APTs, Dark Hotel, recently researched by Kaspersky, primarily targets business travelers in the Asia-Pacific (APAC) region. Dark Hotel malware is particularly interesting since it uses specific physical environments, most notably hotel networks, as a means of infection. Security experts have warned traveling executives for years on the perils of traveling with sensitive data abroad in countries like China, and this malware campaign reinforces those concerns.

The malware has primarily been found on both hotel and business center networks in Taiwan, South Korea, Japan, China, and Russia. According to the latest open source reporting, the first attacks from this campaign were recorded in 2007 and spiked in 2010.

Other public sources, in particular the newly released Kaspersky report, indicate the Dark Hotel malware campaign mostly targets business travelers in the following industries:

  • Automotive
  • Private equity and finance
  • Pharmaceuticals
  • Chemical and electronics manufacturing
  • Defense and intelligence
  • Law enforcement
  • Non-governmental organizations

The following Recorded Future analysis will assess and confirm currently reported threat intelligence on targets and signatures, and take a deep dive on related entities – including new related indicators and domains previously unreported on.

Analysis

Recorded Future ingested and analyzed associated hashes of the tools used to infect victim systems. Using a timeline view, let’s visualize all known open source intelligence (OSINT) references of those hashes over the last six years.

Dark Hotel Malware Timeline

Click image for larger view

The above visualization matches the current reporting from Kaspersky and others who note activity spiked after 2010. However, the Recorded Future platform captured associated cyber security events as early as 2009. Drilling down on this activity, the 2009 event references point to a finding for Tapaoux, a common malware utilized in the campaign. The captured event occurred on Twitter where a security researcher posted the following technical details:

Tapaoux Zero-Day Tweet

From 2009 forward, the Recorded Future platform also captured and analyzed over a dozen technical indicators including malware signatures and domains prior to the Kaspersky Securelist report in 2014.

Within the paste site and Threat Expert mentions in 2012 and 2013, Recorded Future also picked up a leak site listing samples of malware matching the hashes and associated CVEs.

Dark Hotel Leaked CVEs

From these CVEs and the reporting on Twitter, we see clear indication the group is using relatively common and shared vectors of infection to attack victims, in this case exploits for Adobe Flash. Additional context to the campaign can be added with analysis of the known domains serving these exploits and the countries they are mentioned as registered or hosted in.

Geospatial Analysis

By uploading the list of known associated domains delivering Dark Hotel malware, we can automatically plot mentions based on locations referenced in open source intelligence and generate a spatial visualization.

Dark Hotel Malware Map

Click image for larger view

The map view confirms the malware activity in countries mentioned as common environments for the malware: South Korea, Japan, Taiwan, China, and Hong Kong. Given the regional focus of the malware campaign, it should be no surprise to see domains associated with the same countries.

Uncovering Bodis Network Link to Dark Hotel Malware

Recorded Future analysis also found a significant entity – Bodis, LLC – associated with multiple domains that have known malicious history. The Bodis link was uncovered when looking at a historical view of public mentions related to known Dark Hotel domains, which provided the references below from early 2013. Previous researchers have noted the history of malicious activity from domains hosted or registered with the Bodis network, but this is the first connection to the Dark Hotel list of indicators.

The following image has bolded domains and IPs that match current Dark Hotel threat intelligence from Kaspersky Securelist.

Dark Hotel Leaked Print

The domains and IPs listed are registered with Bodis, LLC. Performing a WHOIS lookup on Bodis, LLC currently lists the company location under a New York address, but the historical data captured clearly lists their servers as located in Shenzhen, a city in the Guangdong province of China, at the time of operation.

OrgName: Bodis, LLC
OrgId: BODIS-1
Address: Suite 502A-18825, Block A
Address: Shekou Technology Building 2
City: Shenzhen
StateProv: Nanshan District

A historical search in the last several years of OSINT related to malicious activity on the Bodis network also picks up chatter from other security researchers that have found domains used for command-and-control (confirmed by Virus Total).

Bodis Network Tweet

The technical indicators found with Recorded Future point to a subset associated with 199.59.240.XXX and 199.59.240.XXX. These may be IPs to watch in the future as the Bodis network continues to be used in malware command-and-control, including indicators found in the Dark Hotel campaign, despite the warnings from multiple security researchers.

The geolocation of this activity was particularly interesting since any malware campaign focused on the APAC region naturally raises questions of attribution, particularly Chinese actors. Some analysts and media outlets may take regional targets and possible links to China as attributive, but the connections are still tenuous at best and other factors like the malware being coded in Korean or the possibility of false flag operations should be taken into account.

Conclusion

The Dark Hotel campaign clearly has a long and active history encompassing a wide range of targets within the APAC region. From early signals of malware in 2009 through the regular reporting in 2012-2013, Recorded Future has discovered multiple indicators of compromise and associated entities. Security teams, particularly those in the sectors affected, should use the available technical details from public sources like the Kaspersky report to search internally for technical indicators. Based on Recorded Future’s threat intelligence, further analysis and alerting on domains coming from the Bodis network is prudent given the history of persistent malicious activity without remediation.

Take Action: Recorded Future customers can view the existing list of hashes and domains as a shared list for analysis within their own instances, and add their own samples. Additionally, alerts for the common malware names can be setup in Recorded Future for customers in affected industries to monitor for tools, domains, and actors like Bodis, LLC that may be associated in the future. Customers can view these alerts before traveling in the region to keep up to date on relevant threats.

Not a customer? You can learn more by requesting a demo of Recorded Future’s threat intelligence platform.