Darkhotel Group Uses Zero-Day in Recent Campaign

Delaware, USA – August 20, 2018 – Last week experts from Trend Micro published details of the exploitation of zero-day vulnerability CVE-2018-8373, which was fixed as part of August Patch Tuesday. This vulnerability in the VBScript engine allows attackers to execute arbitrary code on the victim’s system. On July 11, researchers discovered the first attacks using this vulnerability, and further analysis allowed linking these attacks to the exploitation of another zero-day vulnerability dubbed ‘Double Kill,’ which was patched this May. Researchers from Qihoo analyzed the discoveries of Trend Micro and confirmed that this attack is conducted by Darkhotel (aka APT-C-06) group from North Korea and uses the same infrastructure as during the exploiting ‘Double Kill’ campaign. Darkhotel group is known for their cyber espionage campaigns since 2014, and researchers from Kaspersky Lab tracked their activities back to 2007. The group specialized in hacking wi-fi networks in major hotels in Asia and spying on representatives of government organizations and business executives.

They are well funded and have access to zero-day vulnerabilities, the analysis of their tools allowed to link Darkhotel with Dark Seoul malware, which was used by the Lazarus group during the attack on Sony Pictures in 2014. To protect against active campaigns, you need to install the latest Microsoft Windows security updates, and you can detect their future attacks with your SIEM with APT Framework rule pack, which will help to spot suspicious activity on assets in the early stages of the attack: https://my.socprime.com/en/integrations/apt-framework-hpe-arcsight