South Korean DarkHotel Hackers Targeted Luxury Hotels in Macau
Luxury hotels in the Chinese special administrative region
of Macau were the target of a malicious spear-phishing campaign from the second
half of November 2021 and through mid-January 2022.
Cybersecurity firm Trellix attributed the campaign with
moderate confidence to a suspected South Korean advanced persistent threat
(APT) tracked as DarkHotel, building on research previously published by
Zscaler in December 2021.
Believed to be active since 2007, DarkHotel has a history of
striking "senior business executives by uploading malicious code to their
computers through infiltrated hotel Wi-Fi networks, as well as through
spear-phishing and P2P attacks," Zscaler researchers Sahil Antil and
Sudeep Singh said. Prominent sectors targeted include law enforcement,
pharmaceuticals, and automotive manufacturers.
The attack chains involved distributing email messages
directed to individuals in executive roles in the hotel, such as the vice
president of human resources, assistant manager, and front office manager,
indicating that the intrusions were aimed at staff who were in possession of
access to the hotel's network.
In one phishing lure sent to 17 different hotels on December
7, the email purported to be from the Macau Government Tourism Office and urged
the victims to open an Excel file named "信息.xls"
("information.xls"). In another case, the emails were faked to gather
details about people staying in the hotels.
The malware-laced Microsoft Excel file, when opened, tricked
the recipients into enabling macros, triggering an exploit chain to gather and
exfiltrate sensitive data from the compromised machines back to a remote
command-and-control (C2) server ("fsm-gov[.]com") that impersonated
the government website for the Federated States of Micronesia (FSM).
"This IP was used by the actor to drop new payloads as
first stages to set up the victim environment for system information
exfiltration and potential next steps," Trellix researchers Thibault Seret
and John Fokker said in a report published last week. "Those payloads were
used to target major hotel chains in Macau, including the Grand Coloane Resort
and Wynn Palace."
Also noteworthy is the fact that the C2 server IP address
has continued to remain active despite prior public disclosure and that it's
being used to serve phishing pages for an unrelated credential harvesting
attack directed at MetaMask cryptocurrency wallet users.
The campaign is said to have met its inevitable end on
January 18, 2022, coinciding with the rise of COVID-19 cases in Macau, which prompted
the cancelation or postponement of a number of international trade conferences
that were set to take place in the targeted hotels.
"The group was trying to lay the foundation for a
future campaign involving these specific hotels," the researchers said.
"In this campaign, the COVID-19 restrictions threw a wrench in the threat
actor's engine, but that doesn't mean they have abandoned this approach."