Luxury hotels in the Chinese special administrative region of Macau were the target of a malicious spear-phishing campaign from the second half of 2021 through mid-January 2022. The campaign has been attributed to a suspected South Korean advanced persistent threat tracked as DarkHotel.
The attack chains involved email messages directed at individuals in executive roles in the hotel, such as the vice president of human resources, assistant manager, and front office manager, indicating that the intrusions were aimed at staff who had access to the hotel's network.
The malware-laced Microsoft Excel file, when opened, tricked the recipients into enabling macros, triggering an exploit chain to gather and exfiltrate sensitive data from the compromised machines back to a remote command-and-control (C2) server ("fsm-gov[.]com") that impersonated the government website for the Federated States of Micronesia (FSM).
DarkHotel is believed to have been active since 2007, with a history of striking senior business executives by uploading malicious code to their computers through infiltrated hotel Wi-Fi networks, as well as through spear-phishing and P2P attacks. Prominent sectors targeted include law enforcement, pharmaceuticals, and automotive manufacturers.
Researchers said, “The group was trying to lay the foundation for a future campaign involving these specific hotels. In this campaign, the COVID-19 restrictions threw a wrench in the threat actor's engine, but that doesn't mean they have abandoned this approach.”



