Trellix researchers recently detailed a spear-phishing campaign conducted against numerous luxury hotels in Macau, China, including the Grand Coloane Resort and Wynn Palace. Over seventeen hotel chains were targeted, and the campaign was highly active until conferences were postponed or cancelled due to new COVID-19 restrictions mandated for the region on January 18, 2022. Trellix researchers attributed the attacks with moderate confidence to the South Korean advanced persistent threat (APT) group DarkHotel, based on similarities in the malicious documents, dropped file-system artifacts, attack chain, and Command-and-Control (C2) commands.
The spear-phishing attacks used malicious documents that requested the enablement of macros, which led to an attack chain involving scheduled tasks for persistence, malicious VBScript (VBS) and PowerShell commands, and the dropping of additional malware to advance the attack chain and set up further data exfiltration and C2 activity.
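The scheduled-task persistence step described above leaves a record in the Windows Security log as Event ID 4698 (scheduled task created), whose TaskContent field carries the task's own XML. The following is an added detection example, not code from the Trellix report; it assumes the events have already been parsed into their EventData fields (TaskName, SubjectUserName, TaskContent), and the sample events are constructed placeholders rather than indicators from the campaign.

```python
"""Flag scheduled-task creation events (Windows Security Event ID 4698) whose
action launches a script host, the persistence step described above.
Added defensive example; the sample events below are constructed."""
import re
import xml.etree.ElementTree as ET

NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"
SCRIPT_HOSTS = {"wscript", "cscript", "powershell", "pwsh", "mshta"}  # VBS/PS launchers
# switches that usually mean "run a hidden, encoded or policy-bypassing script"
SUSPICIOUS_ARGS = re.compile(
    r"\.vbs\b|-e(nc|ncodedcommand)?\b|-w(indowstyle)?\s+hidden|-nop\b|bypass", re.I)

def suspicious_actions(task_content: str) -> list[dict]:
    """Return each <Exec> action in a 4698 TaskContent payload that needs review."""
    hits = []
    for node in ET.fromstring(task_content).iter(NS + "Exec"):
        cmd = (node.findtext(NS + "Command") or "").strip().strip('"')
        args = (node.findtext(NS + "Arguments") or "").strip()
        # reduce "C:\Windows\System32\wscript.exe" to "wscript" before matching
        exe = cmd.lower().replace("/", "\\").rsplit("\\", 1)[-1].removesuffix(".exe")
        if exe in SCRIPT_HOSTS or SUSPICIOUS_ARGS.search(args):
            hits.append({"command": cmd, "arguments": args})
    return hits

def triage(events: list[dict]) -> list[str]:
    """One alert line per flagged task; events carry the 4698 EventData fields."""
    return [f'{e["SubjectUserName"]} created {e["TaskName"]}: {h["command"]} {h["arguments"]}'
            for e in events for h in suspicious_actions(e["TaskContent"])]

def _task(cmd: str, args: str) -> str:  # minimal task XML as found in TaskContent
    return (f'<Task xmlns="{NS[1:-1]}"><Actions><Exec><Command>{cmd}</Command>'
            f'<Arguments>{args}</Arguments></Exec></Actions></Task>')

# Constructed samples: placeholder task names and paths, not indicators from the campaign
SAMPLE_EVENTS = [
    {"TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag", "SubjectUserName": "SYSTEM",
     "TaskContent": _task(r"%windir%\system32\defrag.exe", "-c -h -o -$")},
    {"TaskName": r"\OfficeUpdateTask", "SubjectUserName": "exec01",
     "TaskContent": _task(r"C:\Windows\System32\wscript.exe", r"//B C:\Users\Public\update.vbs")},
    {"TaskName": r"\SyncTask", "SubjectUserName": "exec01",
     "TaskContent": _task("powershell.exe", "-w hidden -nop -ep bypass -enc QUFBQQ==")},
]

if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS):
        print("ALERT:", line)
```

The benign defrag task is left alone while the two script-host tasks are reported; in production the same check can be run over 4698 events forwarded to a SIEM, and the task name and creating account give the starting point for scoping the affected host.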
In addition to gathering information about guests from hotel executives’ accounts with privileged access, it is likely that these attacks were intended to set a foundation to enable further compromise of these luxury hotel networks, and to gather additional guest and device information using man-in-the-middle (MITM) attacks and detailed reconnaissance. For example, establishing persistence on a hotel router would enable attackers to infect devices using hotel Wi-Fi, monitor and record data sent over the network, and combine this information with data obtained from access to hotel keycard and reservation systems, including credit card and other personal guest information. DarkHotel has conducted such attacks historically, including the original campaign detailed by Kaspersky researchers in 2014.
Organizations should assume compromise of hotel Wi-Fi networks and monitor access to secured networks over VPN accordingly. Geofencing policies and multifactor authentication can limit the exploitation of hotel guest information. Using a secure portable router with full-tunnel VPN options, such as WireGuard, can limit the ability of attackers to record data or obtain illegitimate access from international conference attendees. Devices with confidential information and intellectual property should not be connected to insecure networks. Depending on the organization’s specific risk management framework, it is recommended to issue travel devices without such information to international travelers.