Known as “Darkhotel”, the group has been targeting business executives for the past eight years using a variety of spear-phishing techniques.
The hackers behind the attacks are now using a zero-day vulnerability in Adobe Flash Player that was part of Hacking Team’s spyware toolkit. Serving the exploit from a compromised website, they have been able to infect target computers through the critical flaw in Adobe’s software.
Internet security firm Kaspersky, which has been tracking Darkhotel since 2014, said the group had started using the Hacking Team zero-day almost immediately after it was leaked online on 5 July. Darkhotel is not thought to be a client of Hacking Team, the Italian spyware contractor that suffered a major data breach last month.
Darkhotel’s attacks initially targeted Asian business executives staying in luxury hotels, but the group has since extended its reach to countries such as Germany and Mozambique. To remain effective, it has invested in half a dozen or more zero-days targeting Adobe Flash Player.
The group’s main attack method is to hijack hotel Wi-Fi connections and install spying software on target computers. Darkhotel also uses stolen certificates, social engineering techniques and a number of zero-day vulnerabilities to steal confidential business information from targets.
When Darkhotel was first uncovered in 2014, Kaspersky noted it was specifically targeting high-ranking executives at electronics and pharmaceutical companies, along with employees at chemical companies, automotive manufacturers, defence companies, law enforcement, and military and non-governmental organisations.
“Darkhotel seems to have burned through a pile of Flash zero-day and half-day exploits over the past few years, and it may have stockpiled more to perform precise attacks on high-level individuals globally,” said Kurt Baumgartner, principal security researcher at Kaspersky Lab.