Luxury hotels in the Chinese special administrative region of Macau were the target of a malicious spear-phishing campaign from the second half of November 2021 through mid-January 2022.
Cybersecurity firm Trellix attributed the campaign with moderate confidence to a suspected South Korean advanced persistent threat (APT) tracked as DarkHotel, building on research previously published by Zscaler in December 2021.
Believed to be active since 2007, DarkHotel has a history of striking “senior business executives by uploading malicious code to their computers through infiltrated hotel Wi-Fi networks, as well as through spear-phishing and P2P attacks,” Zscaler researchers Sahil Antil and Sudeep Singh said. Law enforcement, automotive manufacturing, and pharmaceuticals are some of the most prominent sectors being targeted.
The attack chains consisted of sending email messages to hotel executives such as the vice-president of human resources, assistant manager, and front desk manager. This indicated that intrusions were directed at employees who had access to the network.
In one phishing lure sent to 17 different hotels on December 7, the email purported to be from the Macau Government Tourism Office and urged the victims to open an Excel file named “Xin Xi .xls” (“information.xls”). In another case, the emails were faked to gather details about people staying in the hotels.

The malware-laced Microsoft Excel file, when opened, tricked the recipients into enabling macros, triggering an exploit chain to gather and exfiltrate sensitive data from the compromised machines back to a remote command-and-control (C2) server (“fsm-gov[.]com”) that impersonated the government website for the Federated States of Micronesia (FSM).
“This IP was used by the actor to drop new payloads as first stages to set up the victim environment for system information exfiltration and potential next steps,” Trellix researchers Thibault Seret and John Fokker said in a report published last week. “Those payloads were used to target major hotel chains in Macau, including the Grand Coloane Resort and Wynn Palace.”
Also noteworthy is the fact that the C2 server IP address has continued to remain active despite prior public disclosure and that it’s also being used to serve phishing pages for an unrelated credential harvesting attack directed at MetaMask cryptocurrency wallet users.
The campaign is said to have met its inevitable end on January 18, 2022, coinciding with the rise of COVID-19 cases in Macau, which prompted the cancelation or postponement of international trade conferences that were set to take place in the targeted hotels.
“The group tried to create the basis for future campaigns involving specific hotels,” researchers stated. “In this campaign, the COVID-19 restrictions threw a wrench in the threat actor’s engine, but that doesn’t mean they have abandoned this approach.”