View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
November 10, 2014

Darkhotel spyware targets travelling businessmen

Hidden malware masquerades as patch for Google Toolbar or Adobe Flash.

By Jimmy Nicholls

A hidden malware campaign targeting travelling businessmen has been unearthed by the security company Kaspersky Lab.

Darkhotel lurks on hotel networks waiting for guests to connect to the Wi-Fi, before offering a backdoor download masquerading as an update for common software such as Google Toolbar, Adobe Flash or Windows Messenger.

Kurt Baumgartner, principal security researcher at Kaspersky, said: "For the past few years, a strong actor named Darkhotel has performed a number of successful attacks against high-profile individuals, employing methods and techniques that go well beyond typical cybercriminal behaviour.

"This threat actor has operational competence, mathematical and crypto-analytical offensive capabilities, and other resources that are sufficient to abuse trusted commercial networks and target specific victim categories with strategic precision."

After being installed, the spying software downloads a digitally-signed keylogger and the Karba trojan, which collects data from the system and any installed antivirus software while hunting for cached passwords in web browsers and intellectual property.

Once the malware has completed its tasks the tools are deleted from the network, so the virus can hide until the next victim appears.

"The mix of both targeted and indiscriminate attacks is becoming more and more common in the APT (advanced persistent threat) scene, where targeted attacks are used to compromise high profile victims," Baumgartner added.

Content from our partners
Rethinking cloud: challenging assumptions, learning lessons
DTX Manchester welcomes leading tech talent from across the region and beyond
The hidden complexities of deploying AI in your business

"[Meanwhile] botnet-style operations are used for mass surveillance or performing other tasks such as DDoSing (distributed-denial-of-service) hostile parties or simply upgrading interesting victims to more sophisticated espionage tools."

Kaspersky suggests that travellers make use of virtual private networking to access public Wi-Fi through an encrypted connection, and regard software updates offered while on the move as suspicious by default.

Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how Progressive Media Investments may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.