A highly sophisticated cyberespionage group called DarkHotel, which has been around for decades, is back in business. The hacker group is known for going after targets in the business sector, using luxury hotels' Wi-Fi to hack and spy on victims. However, DarkHotel hackers have now changed their strategy and are targeting political figures instead of CEOs, according to security experts.
Although DarkHotel hackers typically relied on zero-day exploits in earlier campaigns, the cyberespionage group's new multi-pronged attack vector combines whaling (highly targeted phishing of senior individuals), a new malware called Inexsmar and other complex attack methods.
The hacker group is known to traditionally target people with access to information such as patents and prototypes. This kind of data generally holds commercial value to cybercriminals. However, according to researchers at Bitdefender, who analysed the DarkHotel hackers' latest campaign, the group now no longer appears to be financially motivated.
"While most known DarkHotel campaigns target corporate research and development personnel, CEOs and other senior corporate officials, this attack seems focused on politics rather than financial gains," Bitdefender said in its report.
DarkHotel phishing emails come with decoy Word doc on North Korea
In the Inexsmar attack, the hackers first distribute phishing emails, customised to interest the target and trick them into opening the malware-laced content. The emails carry a decoy Word document titled 'Pyongyang Directory Group email SEPTEMBER 2016 RC_Office_Coordination_Associate.docx'.
The decoy document features a supposed list of contacts with references to organisations such as FAO, UNDP, UN, UNICEF and WFP. The information supposedly relates to individuals in North Korea's capital. Ironically, the document also contains a warning about spammers and cautions about privacy.
"The social engineering part of the attack involves a very carefully crafted phishing email targeted to one person at a time," Bogdan Botezatu, senior e-threat analyst at Bitdefender, told ZDNet.
Bitdefender researchers said that DarkHotel's malware is downloaded in stages in an effort to evade detection by security software. Experts say that the hacker group's multi-pronged attack indicates that the group has evolved over time to create malware that can get past the improved security defences employed by victims.
The group also stockpiles and deploys digital certificates to distribute malware, and uses a backdoor with hidden code. DarkHotel hackers are particularly careful about covering their tracks and have in the past operated "undisturbed" for years.
"Attribution is usually difficult with this type of attack, but its complexity and the cherry-picked victims show that it is likely a state-backed threat with serious skills and resources," said Botezatu.